Security

Find Insecure Code With CodeQL Before You Commit

You have a bunch of code to commit for your Docker image so that you can update your app that runs in Amazon EKS. STOP! First scan your source code with CodeQL before you commit and push!

Photo by Muhammad Zaqy Al Fattah on Unsplash

The Solution

In this tutorial, we’ll go over scanning C# source code for vulnerabilities in a development environment using the CodeQL CLI.

Remember, for any example solution from AWS with .NET, we focus on the code that exemplifies the problem we are trying to solve. We don’t include logging, input validation, exception handling, etc., and we embed the configuration data within classes instead of using environment variables, configuration files, key/value stores and the like. These items should not be skipped for proper solutions.
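As an added example (not code from the original post), here is the kind of defect CodeQL's C# query pack reports, next to its fix. The first method builds SQL by string concatenation, so a caller-controlled name reaches the database as query text; the second sends the value as a parameter. Assumed details: the Microsoft.Data.SqlClient package, a table Users(Name, Email), and that the scan is run as "codeql database create csharp-db --language=csharp --command='dotnet build'" followed by "codeql database analyze csharp-db --format=sarif-latest --output=results.sarif", which reports the first method under the cs/sql-injection query and is silent on the second.

```csharp
// Added example, not from the original post. Assumes Microsoft.Data.SqlClient
// and a hypothetical Users(Name, Email) table.
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;

public static class UserLookup
{
    // BEFORE: user-controlled input concatenated into the query text.
    // A name of "' OR 1=1 --" turns the WHERE clause into "always true",
    // which is exactly the taint path CodeQL's cs/sql-injection query reports.
    public static List<string> FindEmailsInsecure(string connStr, string name)
    {
        var results = new List<string>();
        using var conn = new SqlConnection(connStr);
        conn.Open();
        using var cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE Name = '" + name + "'", conn);
        using var reader = cmd.ExecuteReader();
        while (reader.Read()) results.Add(reader.GetString(0));
        return results;
    }

    // AFTER: the query text is a constant; the value travels as a typed
    // parameter, so the database never interprets it as SQL and there is
    // no longer a flow from `name` into the command text.
    public static List<string> FindEmails(string connStr, string name)
    {
        var results = new List<string>();
        using var conn = new SqlConnection(connStr);
        conn.Open();
        using var cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        using var reader = cmd.ExecuteReader();
        while (reader.Read()) results.Add(reader.GetString(0));
        return results;
    }
}
```

The fix is the one CodeQL expects: it tracks tainted strings into the SqlCommand text, so changing where the value goes (parameter instead of text) clears the alert, while "sanitizing" the string with escaping usually does not.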

AWS Secrets Manager or AWS SSM Parameter Store?

“From the Mailbag” gives us at AWS w/ .NET the opportunity to answer questions from our users. Got a question for us? Ask us here.

Photo by Joanna Kosinska on Unsplash

Question

The company that I work for is heavily invested in AWS Systems Manager Parameter Store. But I have been reading up on AWS Secrets Manager and I'm confused about what the difference is.

Response

AWS Systems Manager Parameter Store is a cost-effective configuration store, as there is no charge for standard parameters. Parameter Store supports common configuration data like a URL as well as more complex data like a list of strings. But Parameter Store also supports more sensitive configuration data like secrets, passwords and tokens: stored as SecureString parameters, these are encrypted at rest with an AWS KMS key, and callers need both ssm:GetParameter and kms:Decrypt to read them.

3 Things: Developing with AWS KMS

There's a lot that goes into cryptographic key management: creation, rotation, expiry, replacement, revocation, etc. AWS Key Management Service performs all of the aforementioned operations, but also seamlessly integrates with many AWS services, like S3, SNS and SQS. Simply put, key management is hard, and AWS Key Management Service can greatly simplify your cryptography story.

As much as AWS KMS can simplify cryptographic key management for your organization, there are some gotchas that you should be aware of when developing solutions using AWS Key Management Service.

Securing .NET App Secrets with AWS Secrets Manager

Similar to AWS Systems Manager Parameter Store, AWS Secrets Manager allows for storing, managing, and retrieving OAuth tokens, database credentials, API keys, and other secrets. However, there are big differences between the two AWS services.

AWS Secrets Manager was created for storing confidential data like passwords and secrets, so encryption of the stored data is enabled by default: every secret is encrypted with a KMS key. Parameter Store, on the other hand, was created to store confidential data as well as general configuration data, like URIs, UNC network paths, and the like. So, understandably, encryption is optional with AWS Systems Manager Parameter Store: a String parameter is stored in plain text, and only a SecureString parameter is encrypted. Additionally, AWS Secrets Manager features automated secret rotation and direct integration with services like RDS, Redshift, and DocumentDB.
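As an added example that covers both the Parameter Store answer above and this comparison (not code from the original posts), here is how a .NET app reads the same kind of secret from each store, and how the "encryption is optional" difference shows up in code. Assumed details: the AWSSDK.SimpleSystemsManagement and AWSSDK.SecretsManager NuGet packages, default credential resolution, and hypothetical parameter and secret names.

```csharp
// Added example, not from the original posts. Assumes AWSSDK.SimpleSystemsManagement
// and AWSSDK.SecretsManager; the names passed in are hypothetical.
using System;
using System.Threading.Tasks;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

public static class SecretSources
{
    // Parameter Store: encryption is opt-in. Only a SecureString parameter is
    // KMS-encrypted at rest, and it comes back encrypted unless the caller asks
    // for decryption (which also requires kms:Decrypt on the key).
    public static async Task<string> FromParameterStoreAsync(string name)
    {
        using var ssm = new AmazonSimpleSystemsManagementClient();
        var response = await ssm.GetParameterAsync(new GetParameterRequest
        {
            Name = name,           // e.g. "/myapp/prod/db-password" (hypothetical)
            WithDecryption = true
        });

        // Refuse a plain String parameter where a secret is expected: it is
        // stored unencrypted and visible to anyone with ssm:GetParameter.
        if (response.Parameter.Type != ParameterType.SecureString)
            throw new InvalidOperationException(
                $"Parameter {name} is {response.Parameter.Type}, not SecureString; " +
                "store secrets as SecureString.");

        return response.Parameter.Value;
    }

    // Secrets Manager: every secret is KMS-encrypted; there is no flag to forget.
    public static async Task<string> FromSecretsManagerAsync(string secretId)
    {
        using var sm = new AmazonSecretsManagerClient();
        var response = await sm.GetSecretValueAsync(new GetSecretValueRequest
        {
            SecretId = secretId    // e.g. "prod/myapp/db" (hypothetical)
        });

        // Binary secrets arrive in SecretBinary instead; this helper expects a
        // string secret (often JSON, e.g. the RDS-managed credential format).
        return response.SecretString
            ?? throw new InvalidOperationException($"Secret {secretId} has no string value.");
    }
}
```

The type check in the Parameter Store path is the practical consequence of "encryption is optional": nothing stops a teammate from creating a String parameter with a password in it, so the reader should verify it is a SecureString rather than trust the path name.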

Encrypting Data in .NET apps Using AWS Key Management Service

Get all the code on GitHub.

Let's be honest, cryptography can be a dense and intimidating topic for most. When contemplating your cryptography strategy, there are many questions that need to be answered: symmetric or asymmetric encryption? Which algorithm should you use? What will the key management story be? And so on.

Utilizing a key management service like AWS Key Management Service (KMS) is a great way to simplify your cryptography strategy. AWS KMS supports customer managed keys as well as AWS managed keys, key rotation, symmetric or asymmetric encryption, and more.
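As an added example serving both the KMS "gotchas" teaser above and this one (not code from the original posts), here is the pattern a .NET app should use to encrypt data with KMS. It shows the direct Encrypt/Decrypt path, which accepts at most 4096 bytes of plaintext per call, and envelope encryption for everything else: KMS issues a data key, the app encrypts locally with AES-GCM, and only the KMS-wrapped data key is stored beside the ciphertext. Assumed details: the AWSSDK.KeyManagementService NuGet package, .NET 8 for the AesGcm constructor used, and a KMS key id or alias supplied by the caller.

```csharp
// Added example, not from the original posts. Assumes AWSSDK.KeyManagementService
// and .NET 8; the key id/alias is supplied by the caller (hypothetical).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

// Everything needed to decrypt later; the data key is only ever stored wrapped.
public sealed record Envelope(byte[] EncryptedDataKey, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

public static class KmsEnvelope
{
    private const int KmsDirectEncryptLimit = 4096; // bytes of plaintext per Encrypt call

    // Direct path: appropriate for small items such as a token or another key.
    public static async Task<byte[]> EncryptSmallAsync(IAmazonKeyManagementService kms, string keyId, byte[] plaintext)
    {
        if (plaintext.Length > KmsDirectEncryptLimit)
            throw new ArgumentException($"KMS Encrypt accepts at most {KmsDirectEncryptLimit} bytes; use EncryptAsync (envelope) instead.");
        var resp = await kms.EncryptAsync(new EncryptRequest
        {
            KeyId = keyId,
            Plaintext = new MemoryStream(plaintext)
        });
        return resp.CiphertextBlob.ToArray();
    }

    // Envelope path: one KMS call per object regardless of its size.
    public static async Task<Envelope> EncryptAsync(IAmazonKeyManagementService kms, string keyId, byte[] plaintext)
    {
        var dk = await kms.GenerateDataKeyAsync(new GenerateDataKeyRequest
        {
            KeyId = keyId,
            KeySpec = DataKeySpec.AES_256
        });
        byte[] plaintextKey = dk.Plaintext.ToArray();
        try
        {
            var nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes, fresh per message
            var ciphertext = new byte[plaintext.Length];
            var tag = new byte[AesGcm.TagByteSizes.MaxSize];                            // 16-byte auth tag
            using var aes = new AesGcm(plaintextKey, tag.Length);
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
            return new Envelope(dk.CiphertextBlob.ToArray(), nonce, ciphertext, tag);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plaintextKey); // don't leave the data key lying around
        }
    }

    public static async Task<byte[]> DecryptAsync(IAmazonKeyManagementService kms, Envelope env)
    {
        // KMS unwraps the data key; for symmetric keys the key id is carried in the blob.
        var resp = await kms.DecryptAsync(new DecryptRequest
        {
            CiphertextBlob = new MemoryStream(env.EncryptedDataKey)
        });
        byte[] plaintextKey = resp.Plaintext.ToArray();
        try
        {
            var plaintext = new byte[env.Ciphertext.Length];
            using var aes = new AesGcm(plaintextKey, env.Tag.Length);
            aes.Decrypt(env.Nonce, env.Ciphertext, env.Tag, plaintext); // throws if ciphertext or tag was altered
            return plaintext;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plaintextKey);
        }
    }
}
```

Two points worth checking in your own code: the 4 KB limit means a direct kms.Encrypt of a document or file will fail at runtime rather than at compile time, and with envelope encryption the wrapped data key must be stored with the ciphertext, since KMS does not keep a copy of it.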