Private key rotation is just like changing your password; it is something that needs to be done regularly in order to maintain security. For your cloud environment to remain secure, you have to rotate your encryption key periodically, ideally within 30 to 90 days.
If you use AWS Key Management Service (KMS), you can easily create customer-managed keys (CMKs) and then use aliases to make rotating them easier. KMS itself supports automatic key rotation for the CMKs you manage; these are the keys used to encrypt your data.
For most AWS services, the basic rotation function is more than enough. If you want to rotate secrets for your databases and services running in containers, however, you have to add an additional Lambda rotation function to automate the task.
Many of the services in AWS use KMS for encryption. The below image shows the KMS console.
Before we get to the Lambda function for automating KMS key rotation, there is one important thing about key rotation that needs to be understood. When a key is rotated, the old key isn’t automatically discarded, and old files are not re-encrypted. The system simply switches to the new key for encrypting new files but keeps the old key(s) for handling older files.
The automatic key rotation function built into AWS KMS supports a number of main functionalities, including:
Key rotation is still a crucial part of cloud security. With the need for better data encryption growing, automating key rotation is how you make sure that the entire cloud ecosystem remains secure. One thing to note: rotating keys does not block access to files that are already compromised.
Here is a step-by-step process with images to demonstrate how Ibexlabs creates customer-managed keys.
Select the ‘Create key’ option and the following prompt opens. There are two types of keys.
Select the symmetric key option above and the prompt below will appear. Fill in the fields with the required information; in the example below we’ve entered details purely for demo purposes. Add tags if required.
The next step is to configure key administrative permissions, such as the kms:Create* and kms:Describe* actions.
Following on, we now need to set key usage permissions. For example, the kms:GrantIsForAWSResource condition key allows key users to create and manage grants, but only when the grantee is an AWS service; this lets key users work with all of the integrated AWS services that rely on grants.
Next, we set the key policy, and then, finally, the key is created.
By default, key rotation is disabled. To enable it we have to go through the following steps.
For one or two keys we can do this manually. For multiple keys, we can automate the process by assigning a Lambda function.
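As an added example (not Ibexlabs' code), here is a Python Lambda that enumerates customer-managed keys and enables automatic rotation wherever KMS allows it. It assumes an execution role permitted to call kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation; StubKms and demo_inventory are constructed stand-ins so the logic can be run without AWS access.

```python
def keys_needing_rotation(kms):
    """IDs of enabled, customer-managed, symmetric KMS keys with rotation off."""
    pending = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            # AWS-managed keys rotate on their own; asymmetric keys and keys with
            # imported material cannot use KMS automatic rotation, so skip them.
            eligible = (meta["KeyManager"] == "CUSTOMER" and meta["KeyState"] == "Enabled"
                        and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
                        and meta.get("Origin", "AWS_KMS") == "AWS_KMS")
            if eligible and not kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]:
                pending.append(meta["KeyId"])
    return pending

def enable_rotation(kms, key_ids):
    """Turn on automatic rotation for each key and record the per-key outcome."""
    results = {}
    for key_id in key_ids:
        try:
            kms.enable_key_rotation(KeyId=key_id)
            results[key_id] = "enabled"
        except Exception as exc:  # e.g. the key policy denies the Lambda role
            results[key_id] = f"failed: {exc}"
    return results

def lambda_handler(event, context=None, kms=None):
    if kms is None:  # `kms` is injectable so the logic can run offline
        import boto3  # the real client is only created inside Lambda
        kms = boto3.client("kms")
    return enable_rotation(kms, keys_needing_rotation(kms))

class StubKms:
    """Constructed stand-in for the boto3 KMS client (offline demo only)."""
    def __init__(self, keys, rotating=()):
        self.keys, self.rotating = keys, set(rotating)
    def get_paginator(self, name):
        pages = [{"Keys": [{"KeyId": k} for k in self.keys]}]
        return type("Paginator", (), {"paginate": lambda _self: pages})()
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId], KeyId=KeyId)}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": KeyId in self.rotating}
    def enable_key_rotation(self, KeyId):
        self.rotating.add(KeyId)

def demo_inventory():
    """Constructed sample: only 'cmk-sym' is eligible and not yet rotating."""
    base = {"KeyManager": "CUSTOMER", "KeyState": "Enabled",
            "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}
    return {"cmk-sym": base, "cmk-done": base, "aws-managed": dict(base, KeyManager="AWS"),
            "cmk-rsa": dict(base, KeySpec="RSA_2048"), "cmk-imported": dict(base, Origin="EXTERNAL")}
```

Schedule the function from an EventBridge rule so newly created keys are picked up on the next run; the per-key result map is what you would write to CloudWatch Logs for audit.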
As mentioned before, you can rotate secrets for databases and services running in containers (that is, services that are not native to the AWS ecosystem) by using Lambda for execution. Before you can get started, you have to make sure that the Lambda function can communicate with your databases and services, either by configuring it to run in the same instance or VPC, or by configuring the security policy of the EC2 instance to allow Lambda to communicate with those services.
You also have to make sure that the Lambda functions can communicate with Secrets Manager to enable rotation. The best way to do this is by configuring the VPC running your Lambda functions with a private Secrets Manager VPC endpoint. If the VPC has a forward-facing gateway, the public Secrets Manager endpoints can be used as well.
Once communications between the Lambda function and your service, and the Lambda function and the Secrets Manager have been established, there are two ways to enable automatic key rotation using the Lambda function. The first one is by configuring the setup using the AWS Management Console.
This is the easier way of the two since you only need to choose the Secret name that you want to rotate and then select Configure Automatic Rotation to get started. Every other part of the process is GUI-based and does not require special settings.
You can then choose an AWS Lambda function to complete the process. As long as you have the Lambda function created and registered, you can select it from the dropdown and complete the process. Make sure the secretsmanager:ListSecrets, secretsmanager:DescribeSecret, and secretsmanager:RotateSecret permissions are granted. Use the Ibexlabs code shared here to facilitate this process.
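The four-step handler that Secrets Manager invokes on the rotation Lambda is shown below as an added example; it is not the Ibexlabs code referenced above. It assumes the secret is stored as JSON with username and password fields, that the caller supplies set_password and check_login functions for the database or container service being rotated, and that the Lambda role holds the Secrets Manager permissions listed above; StubSecretsManager is a constructed in-memory stand-in for the boto3 client.

```python
import json

def rotate_secret(event, sm, set_password, check_login):
    """One step of the Secrets Manager rotation protocol; set_password/check_login talk to the rotated service."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    versions = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in versions.get(token, []):
        return "noop"  # Secrets Manager retried a rotation that already finished
    if "AWSPENDING" not in versions.get(token, []):
        raise ValueError(f"version {token} is not staged AWSPENDING")
    if step == "createSecret":
        current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
        new_pw = sm.get_random_password(ExcludeCharacters='"@/\\')["RandomPassword"]
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token, VersionStages=["AWSPENDING"],
                            SecretString=json.dumps(dict(current, password=new_pw)))
        return "created"
    pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token)["SecretString"])
    if step == "setSecret":
        set_password(pending["username"], pending["password"])
        return "set"
    if step == "testSecret":
        if not check_login(pending["username"], pending["password"]):
            raise RuntimeError("new credential rejected; AWSCURRENT stays on the old version")
        return "tested"
    if step == "finishSecret":
        current_id = next(v for v, s in versions.items() if "AWSCURRENT" in s)
        # Promote the tested version; Secrets Manager labels the old one AWSPREVIOUS
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
        return "finished"
    raise ValueError(f"unknown step {step}")

class StubSecretsManager:
    """Constructed in-memory stand-in for the boto3 client (offline demo only)."""
    def __init__(self, secret):
        self.versions = {"v1": [json.dumps(secret), ["AWSCURRENT"]]}
    def stage_pending(self, token):  # what Secrets Manager does before invoking the function
        self.versions[token] = [None, ["AWSPENDING"]]
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, (_, s) in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for v, (val, stages) in self.versions.items():
            if VersionId in (None, v) and VersionStage in (None, *stages) and val is not None:
                return {"SecretString": val}
        raise LookupError("no matching secret version")
    def get_random_password(self, **kwargs):
        return {"RandomPassword": "Constructed-N3w-Pw"}  # fixed value for the offline demo
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, list(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].remove(VersionStage)
        self.versions[MoveToVersionId][1].append(VersionStage)
```

The stage checks at the top are what make a retried or out-of-order invocation safe: a version that is already AWSCURRENT is left alone, and a failed testSecret never touches the live credential.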
And that’s all there is to it! Regardless of your services or databases, you can now rotate their CMKs and secrets using Lambda functions. That’s one less thing to worry about when it comes to managing your cloud security.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.