AWS Secrets Manager in Use for Redshift Clusters

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Security

Risk level: Medium (should be achieved)

Ensure that Amazon Redshift clusters provisioned in your AWS account are using AWS Secrets Manager service to manage database access credentials in order to meet security and compliance requirements. Secrets Manager helps you protect sensitive information needed to access your AWS cloud resources such as RDS and Redshift databases. The service provides built-in integration for Amazon Redshift and can be used to rotate, manage and retrieve credentials for this type of database cluster natively.

With Amazon Secrets Manager you can secure and manage access credentials required to access Redshift database clusters. The Secrets Manager service will store Redshift cluster credentials as part of the encrypted secret value.

Audit

To determine if AWS Secrets Manager is used to manage Redshift database cluster credentials in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Choose the secret that you want to examine, then click on its name to access the resource configuration details.

05 On the secret configuration page, in the Secret value section, click Retrieve secret value button to access the panel with the secret key/value.

06 Select the Secret key/value tab and check for any entry with the Secret Key set to host and Secret Value set to a Redshift database endpoint that has the following format: <redshift-cluster-name>.<redshift-cluster-id>.<aws-region>.redshift.amazonaws.com. If there is no secret key-value pair defined to store a Redshift database hostname (access endpoint), the selected Amazon Secrets Manager secret does not manage AWS Redshift database cluster credentials.

07 Repeat steps no. 4 – 6 for each Secrets Manager secret available in the current AWS region. If there are no Secrets Manager secrets created to store and manage Redshift cluster credentials, the Secrets Manager service is not in use for Amazon Redshift within the specified region.

08 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets created in the selected AWS region:

aws secretsmanager list-secrets \
	--region us-east-1 \
	--query 'SecretList[*].Name'

02 The command output should return the names of the secrets available in the selected region:

[
    "cc-prod-database-access",
    "cc-internal-app-access",
    "cc-project5-db-access"
]

03 Run get-secret-value command (OSX/Linux/UNIX) using the name of the secret that you want to examine as the identifier parameter, together with the jq tool (a lightweight and flexible command-line JSON processor), to reveal the host secret key value defined for the selected AWS Secrets Manager secret. When a secret stores database credentials as protected information, the host secret key value contains the hostname of the database:

aws secretsmanager get-secret-value \
	--region us-east-1 \
	--secret-id cc-prod-database-access | jq .SecretString | jq fromjson | jq .host

04 The command output should return the requested secret key value if the selected Secrets Manager secret contains database access credentials or null if the specified secret does not manage database credentials:

"172.31.0.3"

If the value (IP address or hostname) returned by the get-secret-value command output does not have the following format: <redshift-cluster-name>.<redshift-cluster-id>.<aws-region>.redshift.amazonaws.com, the selected Amazon Secrets Manager secret does not manage Amazon Redshift database cluster credentials.

05 Repeat steps no. 3 and 4 for each Secrets Manager secret available in the selected AWS region. If there are no Secrets Manager secrets created to store and manage Redshift database credentials, the Secrets Manager service is not in use for Amazon Redshift in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
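The CLI audit above (steps 1 – 5) as a single script that classifies every secret in a region by the same host-format check. This is an added example, not Cloud Conformity's own code: the regex encodes the endpoint format from step 04, fetch_secrets_boto3 assumes boto3 is installed with credentials configured, and the sample secrets are constructed, named after the three secrets in the list-secrets output.

```python
import json
import re

# Endpoint shape the rule looks for: <cluster-name>.<cluster-id>.<region>.redshift.amazonaws.com
REDSHIFT_HOST_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9]+\.[a-z0-9-]+\.redshift\.amazonaws\.com$")

def is_redshift_endpoint(host):
    """True when a secret's host value is an Amazon Redshift cluster endpoint."""
    return isinstance(host, str) and bool(REDSHIFT_HOST_RE.match(host.lower()))

def classify_secret(secret_string):
    """Classify one SecretString as 'redshift', 'other-database' or 'not-database'."""
    try:
        data = json.loads(secret_string)
    except (TypeError, ValueError):
        return "not-database"  # binary secrets (SecretString is None) or free-form text
    if not isinstance(data, dict) or "host" not in data:
        return "not-database"  # no host key: the secret does not store database credentials
    return "redshift" if is_redshift_endpoint(data["host"]) else "other-database"

def fetch_secrets_boto3(region):
    """Live collection with boto3 (list-secrets + get-secret-value), following pagination."""
    import boto3  # imported here so the pure checks above run without the SDK installed
    client = boto3.client("secretsmanager", region_name=region)
    pairs = []
    for page in client.get_paginator("list_secrets").paginate():
        for entry in page["SecretList"]:
            value = client.get_secret_value(SecretId=entry["ARN"])
            pairs.append((entry["Name"], value.get("SecretString")))
    return pairs

def audit_region(region, fetch_secrets=fetch_secrets_boto3):
    """Return {secret_name: classification}; fetch_secrets(region) yields (name, SecretString) pairs."""
    return {name: classify_secret(value) for name, value in fetch_secrets(region)}

def redshift_in_use(report):
    """The rule passes for a region when at least one secret manages a Redshift cluster."""
    return any(kind == "redshift" for kind in report.values())

# Constructed sample input, named after the three secrets in the list-secrets output above
SAMPLE_SECRETS = [
    ("cc-prod-database-access", '{"username": "admin", "password": "x", '
                                '"host": "cc-prod.abc123def456.us-east-1.redshift.amazonaws.com"}'),
    ("cc-internal-app-access", '{"api_key": "x"}'),
    ("cc-project5-db-access", '{"username": "app", "password": "x", "host": "172.31.0.3"}'),
]

if __name__ == "__main__":
    report = audit_region("us-east-1", fetch_secrets=lambda _region: SAMPLE_SECRETS)
    print(report, "in use for Redshift:", redshift_in_use(report))
```

Run audit_region once per region (with the default boto3 fetcher) to cover step 06; a region whose report contains no "redshift" entry fails the rule.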

Remediation / Resolution

To use Amazon Secrets Manager service to store and manage AWS Redshift database cluster credentials, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Click Store a new secret button from the dashboard top menu to initiate the secret setup process.

05 On Select secret type page, perform the following:

  1. Select Credentials for Redshift cluster to configure the secret to store access credentials for an AWS Redshift database cluster.
  2. In the Username and Password fields, type the user name and password that grant access to the Redshift cluster associated with the secret.
  3. From Select the encryption key dropdown list, choose the KMS key to use to encrypt the secret information.
  4. From Select which Redshift cluster this secret will access list, select the Amazon Redshift database cluster that you want to associate with the new Secrets Manager secret.
  5. Click Next to continue the process.

06 On Secret name and description page, give the secret a unique name in the Secret name box and a short description in the Description box (optional). Create any necessary tag sets for your secret using the Tags form. Once the requested information is provided, click Next to continue.

07 On Store a new secret page, within Configure automatic rotation section, perform the following:

  1. Select Enable automatic rotation to enable automatic rotation feature for the new secret.
  2. Select a predefined value such as 30, 60 and 90 days, or a custom value for the rotation interval, from the Select rotation interval dropdown list.
  3. Select Create a new Lambda function to perform rotation option to create your own custom Lambda function for rotation and give your new Lambda function a name in the New AWS Lambda function name box, or select Use an existing Lambda function to perform rotation to implement an AWS Lambda function that you have previously created for rotating this type of secret, and choose this existing Lambda function from Choose an AWS Lambda function dropdown list.
  4. Click Next to continue the setup.

08 On the Review page, verify the secret configuration details, then click Store to create the Amazon Secrets Manager secret that will manage your AWS Redshift database cluster credentials.

09 Once the following confirmation message is displayed: "Your secret <secret-name> has been successfully stored.", click See sample code button to access the sample code that you can use to update your Redshift applications in order to retrieve the new secret.

10 Repeat steps no. 4 – 9 to create new Secrets Manager secrets to hold and manage access credentials for other Redshift clusters available within the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Define the protected secret information required for the SecretString parameter. The secret information is a JSON structure of key/value pairs that AWS Secrets Manager service knows how to process. Save the secret data to a JSON file named redshift-cluster-credentials.json (replace the highlighted details, i.e. the access credentials, with your own Redshift database cluster credentials):

{
  "username": "<redshift-cluster-user-name>",
  "password": "<redshift-cluster-password>",
  "engine": "redshift",
  "host": "<redshift-cluster-name>.<redshift-cluster-id>.<aws-region>.redshift.amazonaws.com",
  "dbInstanceIdentifier": "<redshift-cluster-name>"
}

02 Run create-secret command (OSX/Linux/UNIX) using the JSON file with the secret information created at the previous step (i.e. redshift-cluster-credentials.json) as command parameter to create the new Amazon Secrets Manager secret that will store and manage your AWS Redshift database cluster credentials:

aws secretsmanager create-secret \
	--region us-east-1 \
	--name cc-redshift-cluster-credentials \
	--description "Provides access to AWS Redshift database cluster" \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd \
	--secret-string file://redshift-cluster-credentials.json

03 The command output should return the new AWS Secrets Manager secret metadata:

{
    "VersionId": "aaaabbbb-abcd-abcd-abcd-aaaabbbbcccc",
    "Name": "cc-redshift-cluster-credentials",
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-redshift-cluster-credentials-BACABC"
}

04 Repeat steps no. 1 – 3 to create new Secrets Manager secrets to hold and manage access credentials for other Amazon Redshift database clusters available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Apr 23, 2019