Effective password management in source code: Secure solutions with sops and AWS KMS

About the customer:

Our customer, specialized in developing applications for processing sensitive data, attaches great importance to security, especially when managing passwords in their source codes. The customer was looking for efficient and reliable solutions to ensure that sensitive information was protected while ensuring smooth operations.

Challenge:

The new solution is being developed with a focus on AWS Serverless Services. Users gain access to the web frontend via centralized user management provided by AWS Cognito in combination with SSO and Azure AD. Deployment takes place via ECS Fargate and NEXT JS, the content is stored in S3. Lambda functions serve as an interface to external data sources, S3 and the Aurora Serverless RDS database.

Solution:

To address this challenge, our customer decided to implement sops (Secrets Operator) in combination with AWS Key Management Service (KMS). Sops is an open source tool that simplifies file encryption,¹ while AWS's KMS enables secure management of encryption keys.

The process began with creating an IAM user and a KMS key in the customer's existing AWS account. Sops was then installed and configured to work with the KMS key.

Once users and keys were set up, our customer was able to encrypt and decrypt password files. The files containing environment variables (.yaml, .env, .json, etc.) were encrypted specifying the KMS key and AWS profile to enable seamless integration with different environments and work profiles.

An example command to encrypt a file is:

Sops -k $SOPS_KMS_ARN –aws-profile myProfile -e -i myFile.env

This approach ensured that the keys remained readable while the passwords were securely encrypted. This allowed the team to securely store sensitive data in source code without compromising security.

Advantages for our customer:

The implementation of sops in conjunction with AWS KMS brought our customer several advantages:

Smooth workflow

Thanks to the seamless integration with AWS and the user-friendly handling of sops, the development process was not affected. The team was able to work efficiently without having to worry about safety concerns.

Flexibility and scalability

The solution can be easily adapted to different use cases and environments and grows with the needs of the company.

Conclusion:

Overall, the successful implementation of sops in conjunction with AWS KMS enabled our customer to securely manage sensitive password files in source code. This solution not only increased security, but also enabled a smooth workflow and offered remarkable flexibility for different use cases and environments. The successful implementation of these measures demonstrates the effectiveness and strategic value that innovative security initiatives bring to software development.