Securing User-Specific Secrets in AWS

Question

Hello,

We're in the process of designing a secure multi-tenant system where each user's secrets (like third-party app tokens) need to be stored in a manner where even our internal team cannot directly access them. We're utilizing AWS and considering Secrets Manager in tandem with Cognito for this purpose.

The idea is that while our application should be able to fetch and use the secrets on behalf of the user during their active session (for example, to interact with third-party apps), we want to ensure that these secrets are inaccessible directly by our team. Moreover, even if someone gains unauthorized access to our application's data, the user secrets should remain secure.

Can you advise on the best architecture or practices to achieve this objective within the AWS ecosystem, considering Cognito and Secrets Manager, or suggest alternate AWS services/methodologies that might be better suited?

Thank you!

Answer

Hi,

What you need in the use case that you describe are transient credentials. That is exactly what IAM roles are for.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

To ensure what you want, you have to:

1.  have the user create his secret(s) under Secrets Manager and be the owner of them (i.e. sole person able to decode them)
2. when the user identifies to  AWS / application, a role is created with an attached permission policy granting the permission to decode his secrets and with a trust policiy allowing the application execution role to assume this new role
3.  While the user is active, the application can assume the role to be able to decode and use the secrets
4. when the user disconnets, the transient role is deleted. So, from this moment again, he is the only one to be able to access the secrets.

Best,

Didier

Answer

Hi Bhanu, I'm going to get a bit creative with the solution to better address your needs.

Your requirement looks like "every user needs to be able to see and use it's own secrets, and no one else, not even the app administrators"

I think you can achieve this mixing DynamoDB and Encryption mainly. The most straightforward way to achieve this secrecy is to encrypt the secrets using the user password and store them in DynamoDB. Your application would request the user password, you would retrieve the secrets from DynamoDB (encrypted) and then use the user pw to decrypt them. Then you would store the decrypted secrets in some session storage. Depending your implementation this may be a hassle, but you could also leverage encryption to help you out here, storing the session data in DynamoDB and using some client-saved secret key passed in each request to decrypt and use said session data.
You also need to implement that whenever the user change their password (you could just expire their stored secrets, or decrypt and re-encrypt). A "I forgot my password" would necessarily invalidate them as well, unless you device some other method.

This is just a general idea on how to approach your solution, I hope it helps for brainstorming!

Lastly, if you have access to an AWS Solution Architect it would be ideal to run this project by him to help you design your solution!

Securing User-Specific Secrets in AWS

관련 콘텐츠