Store and rotate: AWS adds more security to its cloud services

New developments include a management console for sensitive data

Amazon Web Services (AWS) launched a slew of new security tools last week, as reports of data leaks by the company’s misconfigured cloud storage services continue to make headlines.

Aimed at providing users with a better understanding of security, the latest features include AWS Secrets Manager – a one-stop console for both storing and rotating secrets like database credentials, passwords, and API keys.

This is meant to provide convenience to those that would normally adopt different means of secret storage, whether on another cloud server or elsewhere, making the additional security component run entirely on AWS infrastructure.

It also emphasizes the importance of rotating, or changing, secrets – a crucial aspect of system protection that often goes overlooked and can lead to victims falling prey to attackers – a process known as pivoting.

Making the announcement in a blog post, Amazon’s Randall Hunt said: “Imagine that I have an application that takes incoming tweets from Twitter and stores them in an Amazon Aurora database.

“Previously, I would have had to request a username and password from my database administrator and embed those credentials in environment variables or, in my race to production, even in the application itself.

“I would also need to have our social media manager create the Twitter API credentials and figure out how to store those.

Hunt added: “This is a fairly manual process, involving multiple people, that I have to restart every time I want to rotate these credentials.”

Secrets are also encrypted with a KMS key that’s determined by the user, Hunt said.

The cloud computing platform also released AWS Firewall manager, which echoes Secrets Manager’s comprehensive approach, seeking to limit the outdated security policies that may come from outside applications.

AWS also said it would be creating encryption of data in transit for its Elastic File System (EFS) – a cloud service management system which configures different datasets. This means transferring data from EFS can now be encrypted.