I want to use AWS Secrets Manager for storing secrets for RDS in a web application. AWS provides the AWSSDK.SecretsManager.Caching library to improve performance and reduce the costs. I'm having second thoughts about it. In the perfect world, secrets live in memory only when I need them. On the other hand, with a cache, they live there always. Is the data in the cache (AWSSDK.SecretsManager.Caching) encrypted? Does the cache lower security in practice? Is a manual implementation with System.Security.SecureString a better solution? Thanks for any feedback.
You can add a custom extension to the cache, and this extension can encrypt/decrypt data in memory. In order to do this, you have to implement the ISecretCacheHook interface:
using Amazon.SecretsManager.Extensions.Caching;

// IEncryptionProvider is the answer's own placeholder abstraction, not part of the AWS library:
// anything that can turn a cached object into an opaque form and back again.
public interface IEncryptionProvider
{
    object Encrypt(object obj);
    object Decrypt(object obj);
}

public class SecretCacheHook : ISecretCacheHook
{
    private readonly IEncryptionProvider _encryptionProvider;

    public SecretCacheHook(IEncryptionProvider encryptionProvider)
    {
        _encryptionProvider = encryptionProvider;
    }

    // Called by the cache each time a stored entry is read back.
    public object Get(object obj)
    {
        return _encryptionProvider.Decrypt(obj);
    }

    // Called by the cache on a freshly fetched value; the cache stores what this returns.
    public object Put(object obj)
    {
        return _encryptionProvider.Encrypt(obj);
    }
}
and pass the object to the cache configuration:
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Extensions.Caching;

// EncryptionProvider is the answer's placeholder implementation of IEncryptionProvider.
var secretsManagerCache = new SecretsManagerCache(
    new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(region)),
    new SecretCacheConfiguration
    {
        CacheHook = new SecretCacheHook(new EncryptionProvider())
    });
You can read more about it on the AWS blog.
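A fuller version of such a hook, as an added example and not code from the answer above or from the AWS caching library: it encrypts the SecretString of every cached GetSecretValueResponse with AES-GCM under a random key generated at process start, so the cache holds only ciphertext, and it rebuilds a fresh response on each Get so the stored entry is never decrypted in place. It assumes .NET Core 3.0 or later (for System.Security.Cryptography.AesGcm), that the caching library calls Put on the GetSecretValueResponse it fetched and Get on whatever Put returned, and that the secret id "prod/rds/app-user" and the region are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Extensions.Caching;
using Amazon.SecretsManager.Model;

// Hypothetical hook (example code, not part of the AWS library): the cache never holds
// the SecretString in the clear, only an AES-GCM ciphertext under a per-process key.
public sealed class AesGcmSecretCacheHook : ISecretCacheHook, IDisposable
{
    private const int NonceSize = 12;
    private const int TagSize = 16;
    private readonly byte[] _key = new byte[32];
    private readonly AesGcm _aes;

    public AesGcmSecretCacheHook()
    {
        RandomNumberGenerator.Fill(_key);   // random key, lives only as long as this process
        _aes = new AesGcm(_key);
    }

    // What the cache stores: the response with SecretString removed, plus its ciphertext.
    private sealed class SealedSecret
    {
        public GetSecretValueResponse Metadata;
        public byte[] Nonce;
        public byte[] Tag;
        public byte[] Ciphertext;
    }

    // Assumed library behaviour: Put receives the fetched GetSecretValueResponse and the
    // cache stores the returned object. Anything else (e.g. DescribeSecretResponse) passes through.
    public object Put(object o)
    {
        if (!(o is GetSecretValueResponse r) || r.SecretString == null)
            return o;

        var plaintext = Encoding.UTF8.GetBytes(r.SecretString);
        var sealedSecret = new SealedSecret
        {
            Metadata = r,
            Nonce = new byte[NonceSize],
            Tag = new byte[TagSize],
            Ciphertext = new byte[plaintext.Length],
        };
        RandomNumberGenerator.Fill(sealedSecret.Nonce);   // fresh nonce for every Put
        _aes.Encrypt(sealedSecret.Nonce, plaintext, sealedSecret.Ciphertext, sealedSecret.Tag);
        CryptographicOperations.ZeroMemory(plaintext);
        r.SecretString = null;   // the stored response carries no plaintext
        return sealedSecret;
    }

    // Get runs on the stored object every time a caller reads the secret.
    public object Get(object cached)
    {
        if (!(cached is SealedSecret s))
            return cached;

        var plaintext = new byte[s.Ciphertext.Length];
        try
        {
            _aes.Decrypt(s.Nonce, s.Ciphertext, s.Tag, plaintext);   // throws if the entry was tampered with
            // Return a fresh response; the cached entry itself stays encrypted.
            return new GetSecretValueResponse
            {
                ARN = s.Metadata.ARN,
                Name = s.Metadata.Name,
                VersionId = s.Metadata.VersionId,
                VersionStages = s.Metadata.VersionStages,
                CreatedDate = s.Metadata.CreatedDate,
                SecretString = Encoding.UTF8.GetString(plaintext),
            };
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plaintext);
        }
    }

    public void Dispose()
    {
        _aes.Dispose();
        CryptographicOperations.ZeroMemory(_key);
    }
}

public static class Program
{
    public static async Task Main()
    {
        using (var hook = new AesGcmSecretCacheHook())
        {
            var cache = new SecretsManagerCache(
                new AmazonSecretsManagerClient(RegionEndpoint.EUWest1),
                new SecretCacheConfiguration { CacheHook = hook });

            // "prod/rds/app-user" is a placeholder secret id for this example.
            string secretJson = await cache.GetSecretString("prod/rds/app-user");
            Console.WriteLine(secretJson.Length);   // never log the secret itself
        }
    }
}
```

Two caveats that bear on the question of whether the cache lowers security in practice. First, the AES key lives in the same process as the ciphertext, so this stops casual exposure (heap dumps, a strings scan of a core file, an accidental serialisation of the cache) but does nothing against an attacker who can already read the process memory and its key. Second, .NET strings are immutable: the SecretString the SDK deserialised before Put and the one returned by each Get cannot be zeroed and linger until the garbage collector reclaims them, so a hook shortens the window in which plaintext exists rather than closing it. SecureString does not change that picture; on .NET Core and .NET 5+ it is documented as not recommended for new development because it provides no encryption at all on non-Windows platforms.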