I've recently used the PHP SDK to test some operations under the SecretsManager service. Everything works fine. However, I needed to ensure the information sent in using the createSecret operation was safe from any third-party threats.
So I did a small investigation to view the request's body contents. I was able to view this content under StreamRequestPayloadMiddleware.php.
After modifying it by using json_decode to view the request's contents, I came across this:
array(4) {
["Name"]=> string(9) "demo/Test"
["SecretString"]=> string(39) "{"username":"Tom","password":"Test123"}"
["KmsKeyId"]=> string(xx) "arn:aws:kms:xx-xxxx-x:xxxxxxxxxx:key/xxx-xxx-xxx-xxx-xxxxxxxxxx"
["ClientRequestToken"]=> string(xx) "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
I then realized the plaintext contents of the SecretString were visible in the request's body.
I'm aware the SecretsManager uses a KMS key to encrypt the secret values; however, this only happens once the operation has been sent to the server-side (AWS Console).
Therefore, I need to know if there is any way to protect the payload contents in an encrypted format so that the SecretsManager service or AWS can unpack this content to its original value without having it saved in that encrypted format, on a new secret.
Traffic between user and service endpoint is encrypted by default through a secure HTTPS/TLS connection.
https://docs.aws.amazon.com/cli/latest/userguide/data-protection.html