
I have a use case where I want to use certificate-based authentication in AWS Lambda to generate OAuth tokens. Currently I am storing the certificates and private keys locally and running it like a normal Java application.

However, while migrating to AWS Lambda, I need to store these .crt and .key files somewhere in AWS so that I can use them in AWS Lambda. I have come across some solutions like

1. Storing certs and keys in S3 buckets

2. Storing certs and keys in Secrets Manager

3. Storing them in Amazon Certificate Manager

Can someone please help with which method is efficient and optimal for storing certs and keys?

ghostrider

1 Answer


AWS ACM is not a regular secret store which you can query any time you want to get your secrets back. ACM can only be used through integration with selected services such as load balancers. You can't use it with a Lambda function.

Your only choices are AWS Secrets Manager and SSM Parameter Store. SSM Parameter Store is free, but AWS Secrets Manager has some extra features such as automated rotation of secrets.

Marcin
  • Just realised one thing, we are going to provision the secrets manager using terraform. All .tf files would be in our bitbucket repo. Since these secret manager.tf files will contain the actual cert and key values, wouldn't it be a security risk to have them in the repo? Anyone with repo access will be able to actually access these values right? – ghostrider Feb 12 '22 at 12:49
  • @ghostrider The same way you will have permissions in AWS for who can access those secrets is the same way your repo should have them. BUT I prefer not to have any secret stuff in the actual .tf file if it will show up in CloudFormation logs in plain text. – Given Mar 02 '22 at 09:23
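The comment thread above raises the real risk in the Terraform approach: if the certificate and key values are written into the `.tf` files, everyone with read access to the repository (and to its history) holds the private key. The following Terraform configuration is an added example, not code from the thread or from any of the posters; it shows the pattern to avoid next to a safer one, where Terraform creates the Secrets Manager secret and the Lambda's read permission but the PEM material itself is loaded out of band. The secret name `example/lambda-client-cert`, the variable `lambda_role_name`, and the file names `client.crt` / `client.key` are placeholders.

```hcl
# Added example (not from the original thread). Assumes the AWS provider
# is configured and that var.lambda_role_name is the IAM role attached to
# the Lambda function. All names below are placeholders.

variable "lambda_role_name" {
  type        = string
  description = "Name of the IAM role the OAuth Lambda runs under"
}

# --- Pattern to avoid: PEM material committed next to the .tf files ---
# Anyone with repo read access gets the private key, and it also ends up
# in plan output and Terraform state. Kept here as a comment only.
#
# resource "aws_secretsmanager_secret_version" "client_cert_inline" {
#   secret_id = aws_secretsmanager_secret.client_cert.id
#   secret_string = jsonencode({
#     cert = file("${path.module}/client.crt")   # committed to git
#     key  = file("${path.module}/client.key")   # private key in git history
#   })
# }

# --- Safer pattern: Terraform owns the container and the access policy,
# --- but never sees the secret value.
resource "aws_secretsmanager_secret" "client_cert" {
  name        = "example/lambda-client-cert"
  description = "Client certificate and private key used by the OAuth Lambda"
}

# Least privilege: the Lambda role may read this one secret and nothing else.
data "aws_iam_policy_document" "read_client_cert" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.client_cert.arn]
  }
}

resource "aws_iam_role_policy" "lambda_read_client_cert" {
  name   = "read-client-cert"
  role   = var.lambda_role_name
  policy = data.aws_iam_policy_document.read_client_cert.json
}

# Hand the ARN (not the value) to the function, e.g. as an environment
# variable on aws_lambda_function, so the code fetches the secret at runtime.
output "client_cert_secret_arn" {
  value = aws_secretsmanager_secret.client_cert.arn
}

# The value is written once, outside Terraform, from a machine that holds
# the files (never from CI that logs its commands). Example shell command,
# using jq's --rawfile to build the JSON payload:
#
#   aws secretsmanager put-secret-value \
#     --secret-id example/lambda-client-cert \
#     --secret-string "$(jq -n --rawfile cert client.crt --rawfile key client.key \
#                        '{cert: $cert, key: $key}')"
```

Two caveats worth knowing when choosing between these patterns. First, anything that passes through a `secret_string` argument, even when sourced from a `sensitive = true` variable or an environment variable, is stored in plain text in the Terraform state file, so the state backend (for example an S3 bucket with encryption and a tight bucket policy) needs the same access controls as the secret itself; the out-of-band `put-secret-value` approach keeps the key out of both the repository and the state. Second, the Lambda code should read the secret at cold start and hold it in memory rather than writing it to `/tmp`, and the only identities that should carry `secretsmanager:GetSecretValue` on this ARN are the function's role and whoever performs the out-of-band write.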