AWS prescriptive-guidance documentation change
Summary
Added detailed configuration guides for AWS Secrets Manager and Parameter Store in .NET applications, including prerequisites, code examples, and notes about avoiding hardcoded values.
Security assessment
The change adds documentation about using AWS Secrets Manager and Parameter Store to securely manage secrets instead of storing them in configuration files. This prevents accidental exposure of secrets in public repositories but does not address a specific security vulnerability.
Diff
diff --git a/prescriptive-guidance/latest/modernization-net-applications-security/secrets.md b/prescriptive-guidance/latest/modernization-net-applications-security/secrets.md index e92998530..13c04dc2e 100644 --- a//prescriptive-guidance/latest/modernization-net-applications-security/secrets.md +++ b//prescriptive-guidance/latest/modernization-net-applications-security/secrets.md @@ -5 +5,3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Security best practices for modernizing .NET Framework applications on AWS](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Security best practices for modernizing .NET Framework applications on AWS](introduction.html) + +Configuring AWS Secrets ManagerConfiguring Parameter Store @@ -9 +11,148 @@ -When you develop applications by using .NET, you need to store secrets such as application ID, application secret, and database connection strings. These secrets and connection strings are stored in `appsettings.json` or `web.config`. Developers typically add these configuration files to a public repository, which increases the risk of a security breach. You can mitigate this risk by using AWS Secrets Manager and Parameter Store, which help you securely store and retrieve these values for your application. The following sections explain how you can configure Secrets Manager and Parameter Store for your .NET Framework applications. +When you develop applications by using .NET, you need to store secrets such as application ID, application secret, and database connection strings. These secrets and connection strings are stored in appsettings.json or web.config. Developers typically add these configuration files to a public repository, which increases the risk of a security breach. You can mitigate this risk by using AWS Secrets Manager and Parameter Store, which help you securely store and retrieve these values for your application. The following sections explain how you can configure Secrets Manager and Parameter Store for your .NET Framework applications. + +## Configuring AWS Secrets Manager + +AWS Secrets Manager helps you protect the secrets that you need to access your applications, services, and IT resources. The service securely stores, manages, encrypts, and rotates database credentials, API keys, and other secrets, including OAuth tokens, and provides native integration with Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon DocumentDB. Users and applications retrieve secrets by calling Secrets Manager APIs, which eliminates the need to hardcode sensitive information in plaintext. Secrets Manager includes fine-grained access control permissions and provides a centralized location to audit secrets rotation in AWS Cloud, on-premises, and third-party environments. + +**Prerequisites for using Secrets Manager with .NET Framework applications** + + * An active AWS account + + * [Microsoft Visual Studio](https://visualstudio.microsoft.com/downloads/), installed + + * AWS Command Line Interface (AWS CLI) version 2, installed and configured to access your AWS account (see [instructions](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)) + + * AWS Toolkit for Visual Studio, configured (see [instructions](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/setup.html)) + + * A secret, created and retrieved by using the Secrets Manager console or the AWS CLI (see [instructions](https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets.html)) + + + + +**Example** + +To access secrets from Secrets Manager in the ASP.NET Core web API (.NET 6): + + 1. Add the following NuGet package to the ASP.NET Core web API. + + AWSSDK.SecretsManager.Caching + + 2. In the Program.csfile, make the following changes. + + * Add the Amazon.SecretsManager namespace (1). + + using Amazon.SecretsManager; + + * Register the service (2). + + builder.Services.AddScoped<IAmazonSecretsManager>(x => + new AmazonSecretsManagerClient(RegionEndpoint.EUWest2) + ); + + + + 3. To retrieve the secrets from Secrets Manager, make the following changes to the controller class file (for example, ValuesController.cs). + + * Add the constructor (1): + + private readonly IAmazonSecretsManager _secretsManager; + + public SecretsController(IAmazonSecretsManager secretsManager) + { + _secretsManager = secretsManager; + } + + * Implement the GetSecretmethod (2): + + string secretName = "arn:aws:secretsmanager:eu-west-2:111122223333:secret:dev/myapp/tenant-gSj6qd"; + GetSecretValueRequest request = new GetSecretValueRequest(); + request.SecretId = secretName; + request.VersionStage = "AWSCURRENT"; + Task<GetSecretValueResponse> response = _secretsManager.GetSecretValueAsync(request); + return Ok(new { Secret = response.Result.SecretString }); + +where _111122223333_ refers to the account ID. + + + + + + +###### Note + +secretName refers to the name or Amazon Resource Name (ARN) of the secret. After a secret is created, this value can be retrieved from the Secrets Manager console. You should call secretName dynamically or from environment variables. Do not hardcode this value in production environments. + +## Configuring Parameter Store + +Parameter Store is a capability of AWS Systems Manager. It provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. + +**Prerequisites for using Parameter Store with .NET Framework applications** + + * An active AWS account + + * [Microsoft Visual Studio](https://visualstudio.microsoft.com/downloads/), installed + + * AWS Command Line Interface (AWS CLI) version 2, installed and configured to access your AWS account (see [instructions](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)) + + * AWS Toolkit for Visual Studio, configured (see [instructions](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/setup.html)) + + * A Systems Manager parameter, created by using the [Secrets Manager console](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html) or the [AWS CLI](https://docs.aws.amazon.com/systems-manager/latest/userguide/param-create-cli.html) + + + + +**Example** + +To retrieve values from Parameter Store in ASP.NET Core web applications or API: + + 1. Add the following NuGet package to the ASP.NET Core web API. + + Amazon.Extensions.Configuration.SystemsManager + + 2. In the Program.cs file, make the following changes. + + * Add usingstatements (1). + + using Amazon; + using Amazon.Extensions.NETCore.Setup; + + * Add the AWS Systems Manager configuration (2). + + builder.Configuration.AddSystemsManager("/dev/myapp", new AWSOptions + { + Region = RegionEndpoint.EUWest2 + }); + + + + * Note: You should call the /myapp/dev and RegionEndPoint parameters dynamically or from the environment variables (Region = RegionEndpoint.GetBySystemName("eu-west-2")). Do not hardcode these values in production environments. + + 3. Create a new class file and name it ParameterOptions.cs. Open the file and add the following code. + + public class ParameterOptions + { + public const string ParameterName = "Tenant"; + public string key1 { get; set; } = string.Empty; + public string key2 { get; set; } = string.Empty; + } + + 4. To retrieve the values from Parameter Store, make the following changes to the controller class file (for example, ValuesController.cs). + + * Add the constructor (1): + + private readonly IConfiguration _configuration; + public ParametersController(IConfiguration configuration) + { + _configuration = configuration; + } + + * Retrieve the values from Parameter Store (2): + + var parameterOptions = new ParameterOptions(); _configuration.GetSection(ParameterOptions.ParameterName).Bind(parameterOptions); + return new string[] { + parameterOptions.key1, + parameterOptions.key2 + + + +**Resources** @@ -11 +160 @@ When you develop applications by using .NET, you need to store secrets such as a -###### Topics + * [ AWS Secrets Manager Rotation Lambda Functions](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas) (GitHub repository) @@ -13 +162 @@ When you develop applications by using .NET, you need to store secrets such as a - * [Configuring AWS Secrets Manager](./configure-asm.html) + * [AWS .NET Configuration Extension for Systems Manager, Samples folder](https://github.com/aws/aws-dotnet-extensions-configuration/tree/master/samples/Samples) (GitHub repository) @@ -15 +164 @@ When you develop applications by using .NET, you need to store secrets such as a - * [Configuring Parameter Store](./configure-store.html) + * [How to use AWS Secrets Manager client-side caching in .NET](https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-client-side-caching-in-dotnet/) (AWS Security blog) @@ -28 +177 @@ Application logging -Configuring AWS Secrets Manager +Application-level health checks