Enabling Key Rotation on AWS Using AWS Lambda Functions
Private key rotation is just like changing your password; it is something that needs to be done regularly in order to maintain security. For your cloud environment to remain secure, you have to rotate your encryption key periodically, ideally within 30 to 90 days.
If you use AWS Key Management Service (KMS), you can easily create customer-managed keys (CMKs) and then use aliases to make rotating keys easier. KMS itself supports automatic key rotation for CMKs that you manage yourself. These are the encryption keys used to encrypt data.
For most AWS services, the basic rotation function is more than enough. If you want to rotate secrets for your databases and services running in containers, however, you have to add an additional Lambda rotation function to automate the task.
Many of the services in AWS use KMS for encryption. The below image shows the KMS console.
Understanding Key Rotation
Before we get to the Lambda function for automating KMS key rotation, there is one important thing about key rotation that needs to be understood. When a key is rotated, the old key isn’t automatically discarded, and old files are not re-encrypted. The system simply switches to the new key for encrypting new files but keeps the old key(s) for handling older files.
The automatic key rotation function built into AWS KMS supports a number of main functionalities, including:
- Management of discarded CMKs, which automates the deletion of CMKs. Before customer master keys are deleted, they are put in pending deletion group and will no longer be rotated in the next cycle.
- Automatic rotation of AWS-managed CMKs, which takes the worry off of rotating keys for services and keys that are natively managed by Amazon. You only need to worry about keys that you create and manage yourself.
- Key rotation monitoring, which incorporates KMS CMK Rotation event as a logging mechanism. You can use Amazon CloudWatch Events to monitor key rotations and other similar activities from within KMS.
- Backing key management, which adds an extra layer of protection. CMKs serve as aliases, which means they add an extra layer of protection to the original backing keys behind them. Backing keys are used to encrypt and decrypt files.
Key rotation is still a crucial part of cloud security. With the need for better data encryption now growing, adding automation key rotation is how you make sure that the entire cloud ecosystem remains secured. One thing to note: rotating keys does not mean blocking access to files that are already compromised.
Step-by-Step Guide to Configuring Key Rotation
Here is a step-by-step process with images to demonstrate how Ibexlabs create customer keys that can be managed by the customer.
Select the ‘Create key’ option then the following prompt is opened. There are two types of keys.
- Symmetric Keys
- Asymmetric Keys
- Symmetric Keys: A symmetric key is a type used for both encryption and decryption. (Key rotation can only be enabled for Symmetric keys.)
- Asymmetric Keys: An asymmetric key is a type where one public key and one private key are used for encryption and decryption.
Select the symmetric key option above and the below prompt will appear. Fill the fields with the required information, in the example below we’ve entred details purely for these demo purposes. Add tags if required.
The next step is to configure key administrative permissions such as kms:create,kms:describe.
Following on we now need to set key usage permissions, e.g., kms:GrantIsForAWSResource condition key allows users to create and manage grants, but only when the grantee is an AWS service. The permission allows key users to use all of the integrated services that use grants.
Next, we set the key policy, and then, finally, the key is created.
By default, key rotation is disabled. To enable it we have to go through the following steps.
- Select the key that has been created.
- Find the key rotation then select it.
- Check the box then the key rotation is enabled.
For one or two keys we can do this manually. For multiple keys, we can automate the process by assigning a Lambda function.
Rotating Keys with Lambda Functions
As mentioned before, you can rotate keys for databases and services running in containers – meaning services that are not native to the AWS ecosystem – by utilizing Lambda for execution. Before you can get started, you have to make sure that the Lambda function can communicate with your databases and services, either by configuring it to run in the same instance or VPC, or by configuring the security policy of the EC2 instance to allow Lambda to communicate with services.
You also have to make sure that the Lambda functions can communicate with Secrets Manager to enable rotation. The best way to do this is by configuring the VPC running your Lambda functions to be compatible with a private Secrets Manager service endpoint. If the VPC has a forward-facing gateway, public endpoints of Secrets Manager can be utilized as well.
Once communications between the Lambda function and your service, and the Lambda function and the Secrets Manager have been established, there are two ways to enable automatic key rotation using the Lambda function. The first one is by configuring the setup using the AWS Management Console.
This is the easier way of the two since you only need to choose the Secret name that you want to rotate and then select Configure Automatic Rotation to get started. Every other part of the process is GUI-based and does not require special settings.
You can then choose an AWS Lambda function to complete the process. As long as you have the Lambda function created and registered, you can select it from the dropdown and complete the process. Make sure ListSecrets, DescribeSecrets, and RotateSecrets are enabled in permissions. Use the Ibexlabs code shared here to facilitate this process.
And that’s all there is to it! Regardless of your services or databases, you can now rotate their CMKs and secrets using Lambda functions. That’s one less thing to worry about when it comes to managing your cloud security.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.