Secrets Management in CloudFormation
AWS Systems Manager Parameter Store integration provides secure parameter storage for CloudFormation templates. SecureString parameters are encrypted with AWS KMS, with access controlled through IAM policies. Dynamic references retrieve the values at deployment time, so the template itself never contains sensitive data.
AWS Secrets Manager offers advanced secret management capabilities including automatic rotation, cross-region replication, and fine-grained access controls. CloudFormation's native integration with Secrets Manager enables templates to create and reference secrets securely. Automatic password generation eliminates the need for humans to create or know infrastructure passwords.
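As an added example (not code from the original page), a small scanner that enforces the point made above: it walks a template and flags credential-bearing properties that are not supplied through a `{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}` dynamic reference, and distinguishes a plain `{{resolve:ssm:...}}` reference (unencrypted) and a stack parameter (which still carries the secret even with NoEcho). The property-name list and the sample template are constructed for this illustration.

```python
import re

# Property names that commonly carry credentials (constructed list; extend it
# with the resource types used in your own templates).
SECRET_PROPERTY_NAMES = {"MasterUserPassword", "Password", "SecretString", "DBPassword"}
SECURE_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")  # value never stored in the template

def classify(value, params):
    """Return a finding for one secret-bearing value, or None if it is safe."""
    if isinstance(value, str):
        if SECURE_REF.match(value):
            return None  # resolved at deployment time, never stored
        if value.startswith("{{resolve:ssm:"):
            return "plain ssm reference is not encrypted; use ssm-secure"
        return "literal secret in template"
    if isinstance(value, dict) and "Ref" in value:
        name = value["Ref"]
        noecho = str(params.get(name, {}).get("NoEcho", False)).lower() == "true"
        note = "NoEcho only masks it in the console" if noecho else "no NoEcho"
        return f"stack parameter {name} carries the secret ({note})"
    return None  # other intrinsics (Fn::GetAtt etc.) are out of scope here

def scan_template(template):
    """Walk Resources and return one finding per unsafe secret property."""
    params = template.get("Parameters", {})
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                if key in SECRET_PROPERTY_NAMES:
                    verdict = classify(val, params)
                    if verdict:
                        findings.append(f"{'.'.join(path + [key])}: {verdict}")
                walk(val, path + [key])
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, path + [str(i)])
    walk(template.get("Resources", {}), ["Resources"])
    return findings

# Constructed sample template (JSON-style dict, so no YAML tag parser is needed).
SAMPLE_TEMPLATE = {
    "Parameters": {"DbPass": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "BadDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": "ChangeMe123"}},
        "ParamDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": {"Ref": "DbPass"}}},
        "SsmDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": "{{resolve:ssm:/prod/db/pw:1}}"}},
        "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}},
    },
}
```

Running `scan_template(SAMPLE_TEMPLATE)` reports BadDb, ParamDb and SsmDb and stays silent on GoodDb; the same walk can be run over a template converted from YAML with any CloudFormation-aware YAML loader.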
```yaml
# Advanced secrets management patterns
Parameters:
  ApplicationUsername:
    Type: String
    Description: Username embedded in the generated secret (declared so !Sub can resolve it)

Resources:
  # Rotating secret for application
  ApplicationSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Application API credentials
      GenerateSecretString:
        SecretStringTemplate: !Sub |
          {
            "username": "${ApplicationUsername}",
            "apiEndpoint": "https://api.example.com"
          }
        GenerateStringKey: 'apikey'
        PasswordLength: 64
        ExcludeCharacters: '"@/\'

  # Rotation is configured on a RotationSchedule resource; RotationRules and
  # RotationLambdaARN are not properties of AWS::SecretsManager::Secret
  ApplicationSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: RotationLambdaInvokePermission
    Properties:
      SecretId: !Ref ApplicationSecret
      RotationLambdaARN: !GetAtt SecretRotationLambda.Arn
      RotationRules:
        AutomaticallyAfterDays: 30

  # Secrets Manager must be allowed to invoke the rotation function
  RotationLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref SecretRotationLambda
      Action: lambda:InvokeFunction
      Principal: secretsmanager.amazonaws.com

  # Lambda function for secret rotation
  SecretRotationLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub '${AWS::StackName}-secret-rotation'
      Runtime: python3.9
      Handler: index.handler
      # RotationLambdaRole (not shown) needs secretsmanager:DescribeSecret,
      # GetSecretValue, PutSecretValue and UpdateSecretVersionStage on this
      # secret, plus secretsmanager:GetRandomPassword
      Role: !GetAtt RotationLambdaRole.Arn
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT: !Sub 'https://secretsmanager.${AWS::Region}.amazonaws.com'
      Code:
        ZipFile: |
          import boto3
          import json

          def handler(event, context):
              service_client = boto3.client('secretsmanager')
              arn = event['SecretId']
              token = event['ClientRequestToken']
              step = event['Step']
              if step == "createSecret":
                  create_secret(service_client, arn, token)
              elif step == "setSecret":
                  set_secret(service_client, arn, token)
              elif step == "testSecret":
                  test_secret(service_client, arn, token)
              elif step == "finishSecret":
                  finish_secret(service_client, arn, token)
              else:
                  raise ValueError(f"Invalid step parameter: {step}")
          # Implementation of rotation steps...
```