
I'm working on a Slack app which will have to store an access token for each customer using the app (e.g. 1000 teams using it = 1000 tokens). The token enables the app to access the Slack API for the customer's workspace and will be used frequently every day.

The app will be running on AWS, using Lambdas and DynamoDB.

What would be the best practice to store those access tokens securely?

I cannot find any strict recommendation for this scenario. I was initially thinking of putting those in a dedicated DynamoDB table, but am now wondering if I should use other AWS services for that use case. I've checked Secrets Manager, but it looks like a rather expensive option and I'm not sure if it applies to my scenario.

Appreciate any suggestions.

wmatt
  • Why are you thinking you shouldn't use any AWS services for this? What other option would there be if your app runs on AWS? The Lambda functions need to access these tokens, correct? What made you think DynamoDB isn't suitable? It's difficult to answer your question if you don't provide the reason a dedicated DynamoDB table won't work, or why you think you shouldn't use AWS at all. – Mark B Feb 06 '21 at 21:10
  • Have you read this? https://aws.amazon.com/blogs/security/how-to-encrypt-and-sign-dynamodb-data-in-your-application/ – Mark B Feb 06 '21 at 21:15
  • @MarkB, thanks, I haven't checked this article, will definitely read it. I don't say a dedicated DynamoDB table won't work, I was more asking for a recommendation on whether this is the way to go or if I should use some other AWS services for this purpose (sorry, the wording in my question could suggest incorrectly that I don't want to use AWS for this purpose at all). – wmatt Feb 06 '21 at 21:41

1 Answer

I would probably use a dedicated DynamoDB table for this purpose. At a minimum, I would configure it to use a KMS CMK to encrypt the data at rest, and also restrict access to the table through fairly granular IAM permissions in your AWS account. If you also wanted to encrypt each value separately, you could look into client-side encryption.

Your findings on the Secrets Manager costs are a good point. You could also look at Systems Manager Parameter Store as an alternative that is generally cheaper than Secrets Manager. Secrets Manager does have the added security of being able to set an IAM resource policy on the secret itself.

Ultimately it's up to you to determine how secure your solution needs to be, and how much you are willing to pay for that. You could even spin up an AWS HSM to encrypt the values, but that would increase the cost by quite a bit.

Mark B
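The client-side (envelope) encryption the answer mentions, layered on top of the table's own KMS encryption at rest, as an added example in Go that is not part of the original answer. It is written against a small KeyWrapper interface so it runs offline: stubKMS, encryptionContext, TokenRecord and the "slack-app"/"team_id" context keys are all assumptions of this example, and the sample token is constructed. In a Lambda the interface would be satisfied by the aws-sdk-go-v2 KMS client's GenerateDataKey and Decrypt calls, with the record marshalled into the DynamoDB item.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyWrapper is the slice of KMS this code needs. In a Lambda it is backed by the
// aws-sdk-go-v2 kms.Client; stubKMS (below) is an assumed offline stand-in.
type KeyWrapper interface {
	GenerateDataKey(ctx map[string]string) (plaintextKey, wrappedKey []byte, err error)
	Decrypt(wrappedKey []byte, ctx map[string]string) ([]byte, error)
}

// TokenRecord mirrors the DynamoDB item, one row per team: the partition key
// plus three binary attributes. The plaintext token never reaches the table.
type TokenRecord struct {
	TeamID                        string
	WrappedKey, Nonce, Ciphertext []byte
}

// encryptionContext ties every KMS call to the owning team: KMS refuses to Decrypt
// under a different context, so team A's data key cannot be unwrapped as team B's.
func encryptionContext(teamID string) map[string]string {
	return map[string]string{"app": "slack-app", "team_id": teamID}
}

// SealToken envelope-encrypts one token: a fresh per-item data key from KMS,
// then AES-256-GCM with the team ID as additional authenticated data.
func SealToken(kw KeyWrapper, teamID, token string) (TokenRecord, error) {
	dataKey, wrapped, err := kw.GenerateDataKey(encryptionContext(teamID))
	if err != nil { return TokenRecord{}, fmt.Errorf("generate data key: %w", err) }
	nonce, ct, err := seal(dataKey, []byte(token), []byte(teamID))
	if err != nil { return TokenRecord{}, err }
	return TokenRecord{teamID, wrapped, nonce, ct}, nil
}

// OpenToken reverses SealToken. A row whose team_id was swapped, or whose
// ciphertext was tampered with, fails authentication instead of decrypting.
func OpenToken(kw KeyWrapper, rec TokenRecord) (string, error) {
	dataKey, err := kw.Decrypt(rec.WrappedKey, encryptionContext(rec.TeamID))
	if err != nil { return "", fmt.Errorf("unwrap data key for team %s: %w", rec.TeamID, err) }
	pt, err := open(dataKey, rec.Nonce, rec.Ciphertext, []byte(rec.TeamID))
	if err != nil { return "", fmt.Errorf("token for team %s failed authentication: %w", rec.TeamID, err) }
	return string(pt), nil
}

// seal/open wrap AES-GCM; open checks the nonce length itself because
// cipher.AEAD.Open panics, rather than returning an error, on a wrong length.
func seal(key, pt, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, nil, err }
	nonce = random(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, pt, aad), nil
}
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(nonce) != gcm.NonceSize() { return nil, errors.New("bad nonce length") }
	return gcm.Open(nil, nonce, ct, aad)
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func random(n int) []byte { // panics on CSPRNG failure: no safe fallback for key material
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// stubKMS is a constructed in-memory stand-in for KMS: one master key, data keys
// wrapped with AES-GCM, and the encryption context folded into the AAD so that,
// as with real KMS, a mismatched context makes Decrypt fail.
type stubKMS struct{ master []byte }
func newStubKMS() *stubKMS { return &stubKMS{master: random(32)} }
// fmt prints map keys in sorted order, so equal contexts give identical AAD.
func canonicalContext(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) }
func (s *stubKMS) GenerateDataKey(ctx map[string]string) ([]byte, []byte, error) {
	dataKey := random(32)
	nonce, ct, err := seal(s.master, dataKey, canonicalContext(ctx))
	return dataKey, append(nonce, ct...), err // wrapped blob = nonce || ciphertext
}
func (s *stubKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	if len(wrapped) < 12 { return nil, errors.New("wrapped key too short") }
	return open(s.master, wrapped[:12], wrapped[12:], canonicalContext(ctx))
}

func main() {
	kms := newStubKMS()
	rec, _ := SealToken(kms, "T0123456", "xoxb-constructed-sample-token") // constructed token
	fmt.Println(OpenToken(kms, rec))
	rec.TeamID = "T9999999" // same row with its team_id attribute swapped: must fail
	fmt.Println(OpenToken(kms, rec))
}
```

The data key is bound to the team twice: KMS only unwraps it under the same encryption context, and AES-GCM only opens the token with the same team ID as associated data, so an item whose team_id attribute was changed, or a ciphertext copied between rows, fails instead of yielding another workspace's token. With a real key, the same team_id context value can also be referenced in the key policy or the Lambda's IAM policy through the kms:EncryptionContext:team_id condition key, which narrows the blast radius further than table-level permissions alone.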