Hi,
On your questions:
- Yes, you can structure the secret that you need with the JSON format that you present: it would be very close to what, for example, RDS does with its own secrets. Create one and decode it with the decryptSecret API to see what they look like.
- It may be interesting to keep 1 distinct secret for each client (if costs allow) to better respect the "least privilege" security best practice. Some of your service features may not need to know all secrets at once. In the future, it may be interesting to give access to some of the secrets to only some of the features. Also, from a hacking perspective (which I don't wish on you), you'll be safer if your secrets are isolated: a hacker would have to decrypt each of them separately. That will be harder than just decrypting 1 secret to obtain all information about all customers.
Best,
Didier
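The two points in the answer above (a JSON-structured secret, and one distinct secret per client so that each feature can be granted access to only the secrets it needs) as an added, runnable example. This is not code from the thread or from AWS; it uses the real boto3 method names `create_secret` and `get_secret_value`, but runs against an in-memory stand-in (`FakeSecretsManager`) so it works offline. The `myservice/` name prefix, the client ids, the region and the account id are assumptions made for the example.

```python
"""Per-client secrets in AWS Secrets Manager as JSON, plus a least-privilege read policy.

Added example, not from the original thread. The boto3 method names are real;
the FakeSecretsManager stand-in, the "myservice/" prefix, client ids, region
and account id are constructed assumptions so the script runs offline.
"""
import json
import re

NAME_PREFIX = "myservice/"  # assumption: naming scheme chosen for this example
_CLIENT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def secret_name(client_id: str) -> str:
    """One distinct secret per client: myservice/<client_id>."""
    if not _CLIENT_ID_RE.match(client_id):
        raise ValueError(f"invalid client id: {client_id!r}")
    return f"{NAME_PREFIX}{client_id}"


def build_secret_string(fields: dict) -> str:
    """Serialize one client's credentials as a JSON document (RDS-style key/value layout)."""
    required = {"username", "password", "host", "port"}
    missing = required - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return json.dumps(fields, separators=(",", ":"), sort_keys=True)


def store_client_secret(sm, client_id: str, fields: dict) -> str:
    """Create the client's secret with a boto3-style create_secret call; returns its name."""
    name = secret_name(client_id)
    sm.create_secret(
        Name=name,
        SecretString=build_secret_string(fields),
        Tags=[{"Key": "client", "Value": client_id}],
    )
    return name


def load_client_secret(sm, client_id: str) -> dict:
    """Read the secret back with get_secret_value and decode the JSON (SecretBinary handled too)."""
    resp = sm.get_secret_value(SecretId=secret_name(client_id))
    raw = resp.get("SecretString")
    if raw is None:
        raw = resp["SecretBinary"].decode("utf-8")
    return json.loads(raw)


def read_policy_for_clients(client_ids, region="eu-west-1", account="123456789012") -> dict:
    """IAM policy document letting one feature read only the named clients' secrets.

    Secrets Manager appends a hyphen and six random characters to a secret's ARN,
    so the resource pattern ends in '-??????'. region/account are placeholders.
    """
    arns = [
        f"arn:aws:secretsmanager:{region}:{account}:secret:{secret_name(c)}-??????"
        for c in client_ids
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": arns,
        }],
    }


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client('secretsmanager')."""

    def __init__(self):
        self._store = {}

    def create_secret(self, Name, SecretString, Tags=None):
        if Name in self._store:
            raise ValueError(f"ResourceExistsException: {Name}")
        self._store[Name] = {"SecretString": SecretString, "Tags": Tags or []}
        return {"Name": Name}

    def get_secret_value(self, SecretId):
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._store[SecretId]["SecretString"]}


if __name__ == "__main__":
    sm = FakeSecretsManager()
    store_client_secret(sm, "acme", {"username": "acme_app", "password": "s3cr3t",
                                     "host": "db.example.internal", "port": 5432})
    print(load_client_secret(sm, "acme"))
    print(json.dumps(read_policy_for_clients(["acme"]), indent=2))
```

Against a real account, replace `FakeSecretsManager()` with `boto3.client("secretsmanager")`; the rest of the calls are the same. The policy function is the practical side of the "one secret per client" advice: a feature that serves only `acme` gets an IAM role whose resource list names only `myservice/acme-??????`, so a compromise of that feature exposes one client's credentials rather than all of them.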
Thank you! We will keep this in mind.
Hi spy16, glad that it helped. Thanks for accepting my answer.