AWS Vault

Learn via video courses

Overview

AWS-Vault is a security tool for storing as well as accessing AWS credentials in a development environment. Users can easily get started with AWS-Vault, by storing the user's IAM credentials in the operating system's secure keystore. Users can anytime access the key-value store and instantly generate the AWS Security Token Service (AWS STS) credentials along with the AWS Identity and Access Management (IAM). With AWS-Vault the need for a static, hardcoded usually an unsafe way of storing your credentials is avoided via its trusted identities for centralizing the passwords as well as the control access. It helps to encrypt sensitive data both at rest as well in transit. It can leverage this via its centrally managed along with secured encryption keys. All of this is through a single workflow or an API.

What is AWS Vault?

Highlighting the concern below concerning securing the AWS credentials along with complying with the AWS Security Credentials Best Practices is what led to the creation of AWS-Vaults:

  • Concern that the IAM credentials should always be secured and prevent exposure to third-party code.
  • All operations must always generate their temporary security credentials.
  • Practically, every sign-in should require MFA usage as frequently as possible.
  • Maintaining user experience highly secured offering them to store the credentials.

All these concerns in mind are what lead to the development of AWS-Vault. We define AWS-Vault as a security tool for storing as well as accessing the AWS credentials in a development environment. AWS-Vault can be easily implemented allowing you to store the user's IAM credentials in the operating system's secure Keystore. From there it generates a temporary credential from a long-lived user credential to let them utilize it in the shell as well as for applications.

While we know of some of the popular already existing AWS CLI tools, the AWS-Vault was so designed to be complementing those tools and not as a substitute. The AWS-Vault is also capable of being aware of the user's profiles along with its various configurations. A dedicated Keychain for AWS credentials and Keychain helps the users to prompt the credentials when accessed as a default mechanism.

AWS-Vault holds the capacity to generate short-lived session-based credentials which encourage the users to utilize it for running other applications, restricting the process of exporting credentials to the development environment. As compared with retrieving the user credentials via the node.js packages that are usually limited to the lifetime of the session ( which makes it unsafe ), AWS-Vault is beyond this strong storage-at-rest, preventing the user from the risky measure to store the credentials.

With AWS-Vault the need for a static, hardcoded usually an unsafe way of storing your credentials is avoided via its trusted identities for centralizing the passwords as well as the control access. It helps to encrypt sensitive data both at rest as well in transit. It can leverage this via its centrally managed along with secured encryption keys. All of this is through a single workflow or an API.

How to Use AWS Vault?

As we now know that AWS-Vault is used for storing and accessing the AWS credentials in their local development and operational environments We shall now learn how we can implement and use it t leverage the security it offers.

  • We start by downloading the latest release of the AWS-Vault.
  • To make the file workable you might also need to modify the file’s permissions, which makes the file executable.
  • Then you could also rename the executable file to something like “aws-vault”. While you do this please make sure that the file is securely placed in the path.
  • For displaying all the usage formats, or listing all the flags, as well as listing down the commands, you could make use of any of the following commands:
  • For storing the AWS credentials for usage, you could use the below command. You could also create multiple profiles with the command repeatedly.
  • Now you shall see three prompts:
    • First two would be for the Access Key ID and Secret Key that are linked with the AWS account.
    • Lastly seen would be the passphrase that you create. Here you need to enter the passphrase every time the command is executed via the temporary credentials. Below is the Linux variation of the workflow:
  • For the execution of the AWS command via the temporary credentials, you can also make use of the command below:
  • For listing all the profiles along with the credentials that you had added in the AWS-Vault, the commands that could be used are as below:
    ProfileCredentialsSessions
    <profile_1><profile_1>9874563210
    <profile_2><profile_2>
  • For removing the AWS credentials linked with a profile, the commands that could be used are as below:
  • For removing any existing sessions that are typically managed by aws-vault, the commands that could be used are as below which have the –session-only flag.

Quick Note:
When you are removing any profile it's seen that the above command only removes the credentials linked with a profile. This being sad you will still be able to see the profile name listed even after removing the credentials.

Main Features of AWS Vault

The key features offered by AWS-Vault are listed below:

  • Easy to install and simple to integrate with day-to-day usage.
  • Various known vaulting backends are supported such as macOS Keychain, Secret Service (Gnome Keyring, KWallet), and Windows Credential Manager.
  • Pass, KWallet, along with the Encrypted file are supported.
  • For generating the temporary credentials, makes use of Amazon's STS service.
  • AWS Vault then exposes the temporary credentials to the sub-process
  • Various topics like usage, config, as well as relevant tips and tricks are made available on the link to the GitHub page in the USAGE.md file section.

Quick Note:
Pass is a CLI-friendly password store, which saves the credential in primarily two files, aws-access-key-id and AWS-secret-access-key, which are further encrypted as gpg. While KWallet is another such password management tool that is widely used for collecting passwords as well as storing them in an encrypted file.

Pass works like below:

AWS Vault Use Cases

As we studied that we can simply implement the AWS-Vault for securely storing as well as accessing the AWS credentials in a development environment. To gain a better understanding of how we can integrate the AWS-Vault, listed below are a few of the use cases served by AWS-Vault:

  1. AWS Backend:
    While working with the development environment, usage related to generating and accessing the dynamic temporary AWS Identity and Access Management (IAM) access keys becomes important. AWS IAM offers granular access to the AWS account depending upon the user as well as the group. Creation of AWS IAM policy is easier which helps in restricting the access to defined AWS resources if any. With that being said, as the presence of the AWS IAM credentials in the configuration file exposes a security risk, with AWS-Vault you can create and generate dynamic AWS IAM credentials with a defined lease period. This way the application becomes flexible enough to revoke the credentials after its usage or you can also ask AWS-Vault to delete the IAM credential automatically once the lease period terminates.

  2. MySql Secret Access:
    With AWS-Vault you could create the MySql-specific role-based secrets dynamically. While with the “read-only” role, you could only read the MySql database entries whereas with the “super-user” role you can read as well as modify the MySql database entries. All the credentials generated are guarded under the lease period which when terminates the credential gets destroyed. You can implement various authentication backends such as Token, userpass, Github as well as Approle for achieving a similar goal of dynamically generating MySQL credentials.

  3. Passing secrets to the Container:
    By implementing the various environment variables offered, you can pass the secret tokens to the Container. While it is not a secure approach as the entire environment variables get logged which leads to its exposure to malicious users. AWS-Vault offers a new backend service to tackle this issue, popularly known as the Cubbyhole.

Why Use AWS Vault?

We studied the AWS-Vault so far, but one question which you might be wondering is why we need to use the AWS-Vault for storing any credentials.

To answer that, with the AWS-Vault the AWS Secret Access Key, and Access Key Id, the users can be sure that the security is maintained inside the configuration file of the project. The users could also leverage the freedom for creating various profiles with different aws tokens.

By systematically following the security best practices, an AWS organization comprises various accounts be it development, staging, testing, or production workloads, along with various accounts primarily for security monitoring, shared infrastructure, etc. All these IAM user accounts for the team are currently managed by the “root” account of the organization while recommended is to have a separate account for each. Depending upon the team and its functions, every team member has permission to utilize, or “assume”, the IAM roles across accounts. This sometimes might get complicated but with the implementation of the AWS-Vault command line tool, it gets much easier to quickly switch between various accounts and roles, while maintaining the security of the main AWS access key aligned.

Installation:

With compatibility across macOS, Windows, and Linux, aws-vault works well with all where you can simply get started by installing the aws-vault using various options as below:

  • on macOS with Homebrew Cask: brew install --cask aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault
  • with asdf-vm: asdf plugin-add aws-vault

Adding AWS access key/secret key:

For adding the AWS access key and secret key to the AWS IAM user to the Aws-Vault, you just need to use aws-vault add which helps to easily add the access key and secret key while defining the name of the profile where the key belongs.

The below command helps to Store AWS credentials for the "sample" profile

The access key gets securely stored in the OS’ secure Keystore, such as the macOS Keychain, or the Windows Credential Manager.

Security using MFA:

You can also leverage the MFA, popularly known as multi-factor authentication (MFA) for securing the IAM user accounts which are also considered an important security measure. It's recommended to configure the MFA serial in the AWS config (~/.aws/config) for making sure that the virtual MFA token gets utilized while you implement the AWS-Vault and assume the IAM role to it. For this, you need to add the account ID in the MFA serial similar to the root account.

Below are a few of the configurations using roles and MFA:

The default configuration uses roles and MFA where you just specify the region:

For configuration using MFA for specific profiles:

For configuration for roles as read-only for a specific profile:

For configuration for roles for admin for a specific profile:

For configuration for roles as role1 for a specific profile:

For configuration for roles as role2 which is read-only for a specific profile:

Below are the common commands according to the credentials:

CredentialsCommandMFACached
role + roleaws-vault exec sample2-role2 --no-sessionYesrole
roleaws-vault exec sample-readonlyNoNo
session-token + role + roleaws-vault exec sample2-role2Yessession-token
roleaws-vault exec sample-admin --duration=2hYesrole
long-term credentialsaws-vault exec test --no-sessionNoNo
session-token + roleaws-vault exec sample-adminYessession-token
session-tokenaws-vault exec testYessession-token

For more information, you could visit the GitHub link: AWS_Vault

Conclusion

  • AWS-Vault is a security tool for storing as well as accessing AWS credentials in a development environment. This can be implemented by storing the user's IAM credentials in the operating system's secure Keystore. It then generates a temporary credential from long-lived user credentials to let them utilize it in the shell and applications.
  • Keeping in mind the existing AWS CLI tools, the AWS-Vault was so designed to be complementing it. AWS-Vault is also aware of the user's profiles along with the various configuration in ~/.aws/config.
  • With the AWS-Vault the AWS Secret Access Key and Access Key Id, the users can be sure that the security is maintained inside the configuration file of the project. The users could also leverage the freedom for creating various profiles with different aws tokens.
  • For the execution of the AWS command via the temporary credentials, you can also make use of the command below:
  • For listing all the profiles along with the credentials that you had added in the AWS-Vault, the commands that could be used are as below: