
I need to develop a solution to store both symmetric and asymmetric keys securely in AWS. These keys will be used by applications that are running on EC2s and Lambdas. The applications will need to be set up with policies that will allow the application or lambda to pull the keys out of the key store. The key store should also manage the key expiry, notifying various people when keys are going to expire. The initial key exchange is between my company and its partners meaning that we may have either a public or private key for a key pair depending upon the data transfer direction.

We have looked at KMS but from what I have seen KMS does not support asymmetric keys. I have also seen online that some people are using either S3 (protected by KMS) or parameter store to store the keys but this does not address the issue of key management.

Do you guys have any thoughts on this? Or even SaaS/PaaS suggestions?

Joshy

1 Answer

My recommendation would be to use AWS Secrets Manager for this. Secrets Manager allows you to store any type of credential/key, you can set up fine-grained cross account permissions to secrets, encryption at rest is used (via KMS), and secrets can be automatically rotated (by providing an expiration time and an AWS Lambda function owned by you to perform the rotation).

More details on the official docs:

Viccari

  • "Secrets Manager allows you to store any type of credential/key" - Are you sure about this? I can't find a way to store an actual Key, merely just a string like a password – Wayneio Apr 08 '19 at 12:46
  • The [CreateSecret API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) allows you to specify either String or Binary values for the secret. But even if it didn't you could always Base64-encode your key and store it as a String. – Viccari Apr 08 '19 at 16:00
  • Out of curiosity, is this a good idea from a security point of view? @Viccari – SSF Aug 08 '19 at 09:38
  • As long as you have a crisp story on credentials expiration and rotation, and access control via secrets policies is tightened up, yes, this is a great idea from the security standpoint. It is very superior to managing keys yourself. – Viccari Aug 08 '19 at 15:30
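As an added example (not part of the answer or the comments above), the Python below sketches the pattern Viccari describes with boto3-style calls: store a PEM-encoded key as a binary secret encrypted under a KMS key, restrict reads to one IAM role (the EC2 instance role or Lambda execution role) with a secret resource policy, and read the key back handling both `SecretBinary` and the Base64-in-`SecretString` convention mentioned in the comments. The Secrets Manager client is injected, so the functions run offline against an in-memory fake; the account id, role name, secret name, KMS alias and PEM contents are constructed placeholders. Expiry notification and rotation are not shown.

```python
"""Store an asymmetric key in AWS Secrets Manager with least-privilege access.

Added example, not the answer's own code. Real AWS calls happen only under
__main__; everything else accepts any object with the boto3 Secrets Manager
client methods used here (create_secret, put_resource_policy, get_secret_value).
"""
import base64
import json

# Constructed placeholder, not a real key.
SAMPLE_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END PUBLIC KEY-----\n"
)


def build_secret_policy(account_id: str, role_name: str) -> str:
    """Resource policy granting read access to exactly one IAM role.

    In a Secrets Manager resource policy, Resource "*" means "this secret".
    account_id and role_name are hypothetical values supplied by the caller.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAppRoleRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": "*",
            }
        ],
    }
    return json.dumps(policy)


def encode_key_for_string(key_bytes: bytes) -> str:
    """Base64-encode a key so it can be kept in SecretString (the fallback the comments mention)."""
    return base64.b64encode(key_bytes).decode("ascii")


def store_key(client, name: str, key_bytes: bytes, kms_key_id: str, policy_json: str) -> str:
    """Create the secret as binary under a customer-managed KMS key, then attach the policy."""
    resp = client.create_secret(
        Name=name,
        Description="Partner key material (asymmetric, PEM)",
        KmsKeyId=kms_key_id,       # explicit CMK rather than the account default key
        SecretBinary=key_bytes,    # raw bytes, no need to Base64-encode
    )
    arn = resp["ARN"]
    # BlockPublicPolicy rejects policies that would grant access to everyone.
    client.put_resource_policy(SecretId=arn, ResourcePolicy=policy_json, BlockPublicPolicy=True)
    return arn


def fetch_key(client, secret_id: str) -> bytes:
    """Return the key bytes whether the secret was stored as binary or as Base64 text."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretBinary" in resp:
        return resp["SecretBinary"]
    return base64.b64decode(resp["SecretString"])


class FakeSecretsManager:
    """In-memory stand-in for the boto3 client, constructed so this file runs offline."""

    def __init__(self):
        self.secrets = {}
        self.policies = {}

    def create_secret(self, Name, SecretBinary=None, SecretString=None, **kwargs):
        arn = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{Name}-AbCdEf"
        self.secrets[Name] = {"ARN": arn, "SecretBinary": SecretBinary, "SecretString": SecretString}
        return {"ARN": arn, "Name": Name}

    def put_resource_policy(self, SecretId, ResourcePolicy, **kwargs):
        self.policies[SecretId] = ResourcePolicy
        return {"ARN": SecretId}

    def get_secret_value(self, SecretId, **kwargs):
        entry = next(v for k, v in self.secrets.items() if k == SecretId or v["ARN"] == SecretId)
        out = {"ARN": entry["ARN"]}
        if entry["SecretBinary"] is not None:
            out["SecretBinary"] = entry["SecretBinary"]
        else:
            out["SecretString"] = entry["SecretString"]
        return out


if __name__ == "__main__":
    import boto3  # real client only when run directly with AWS credentials configured

    sm = boto3.client("secretsmanager")
    pol = build_secret_policy("123456789012", "partner-transfer-app")  # placeholders
    secret_arn = store_key(sm, "partner/acme/public-key", SAMPLE_PEM, "alias/app-secrets", pol)
    print(secret_arn, len(fetch_key(sm, secret_arn)), "bytes")
```

The fake client exists only to exercise the logic without an AWS account; in production the same `store_key` and `fetch_key` calls run against `boto3.client("secretsmanager")`, and the application role named in the policy additionally needs `kms:Decrypt` on the CMK referenced by `KmsKeyId`.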