Managing Secrets in AWS Using Fidelius

Fidelius Secrets Manager is an online application used to securely store and access secrets using AWS DynamoDB and KMS. Fidelius aims to provide organizations with an easy-to-use, secure, and organized way to create, view, and modify collections of encrypted secrets, as well as a system for managing user and application access to those secrets.

At FINRA, we have multiple application teams, and each application can have different services or components. Each component may need access to multiple secrets in order to connect the application to a database or service. Since the total number of secrets in the organization can quickly rise into the hundreds, developing Fidelius as a self-service tool became a priority for strengthening our DevOps practice.


With Fidelius, each developer is able to manage the secrets for the applications they are part of in lower environments. They can create, edit, update, delete, and retrieve the contents of secrets through the provided Fidelius UI or SDK. For production accounts, a developer is only able to see whether a secret exists, its last updated date, and who updated it.


SDK retrieving the secret named APP.component.sdlc.database_password through Java:

FideliusClient fideliusClient = new FideliusClient();

// Arguments, in order: secret name, application, SDLC (environment), component
char[] contents = fideliusClient.getCredential("database_password", "APP", "sdlc", "component");

Utilizing Fidelius gives you the benefit of a full audit trail of your secrets from start to finish. From creation to deletion, Fidelius tracks who did what on a secret and makes that information transparent. Every CRUD operation is a new version, tracked with a timestamp, creating an immutable entry.

Fidelius provides an Ops role that can be used to manage production environment secrets. Operations is able to manage the secrets for all of the team's applications, including production. The only restriction on the Ops role is that it cannot delete secrets in production.

Fidelius provides a Master role that can be used to delete secrets in production. It was created, as a requirement, to be the most restricted role with the most limited access.

Capability                                           | Dev                          | Ops                          | Master
Can view secrets information and history             | Yes, in any environment      | Yes, in any environment      | Yes, in any environment
Can decrypt and view secrets                         | Only on nonproduction tables | Yes                          | Yes
Can add new secrets                                  | Only on nonproduction tables | Yes                          | Yes
Can delete secrets                                   | Only on nonproduction tables | Only on nonproduction tables | Can delete any secret
Can access any application                           | No                           | Yes                          | Yes
Can access a secrets table on any account and region | Yes                          | Yes                          | Yes

Fidelius uses Amazon's KMS service to create a unique encryption key that is used to encrypt the contents of each secret before it is stored in DynamoDB. Decryption is then protected with IAM roles that grant fine-grained access based on the components of a secret, such as Application, Component, SDLC, or even AWS Account.

Sample IAM policy statement restricting decryption for an application using Fidelius in the QA environment:

{
    "Effect": "Allow",
    "Principal": {
       "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
    },
    "Action": [
       "kms:Encrypt",
       "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
    "Condition": {
       "StringEquals": {
           "kms:EncryptionContext:Application": "FIDELIUS",
           "kms:EncryptionContext:SDLC": "qa"
       }
    }
}
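To see what the encryption-context condition in that statement actually enforces, here is a small offline simulation of the KMS decision for a kms:Decrypt call. It is an added example, not Fidelius code; the key ARN and the alternate role are constructed placeholders, and only StringEquals conditions on kms:EncryptionContext:* keys are modeled.

```python
import fnmatch
import json

# Policy statement quoted in the post, embedded here so the check runs offline.
STATEMENT = json.loads("""{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"},
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
    "Condition": {"StringEquals": {
        "kms:EncryptionContext:Application": "FIDELIUS",
        "kms:EncryptionContext:SDLC": "qa"}}
}""")

CONTEXT_PREFIX = "kms:EncryptionContext:"
# Constructed placeholder key ARN in the sample account/region (assumption).
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"
APP_ROLE = STATEMENT["Principal"]["AWS"]


def statement_allows(stmt, principal, action, resource, encryption_context):
    """Simplified model of KMS evaluating one Allow statement.

    Principal, action and resource must match, and every StringEquals
    condition on a kms:EncryptionContext:* key must equal the value the
    caller supplied. A key missing from the request fails the condition,
    which is what binds the ciphertext to its Application/SDLC.
    """
    if stmt["Effect"] != "Allow" or principal != stmt["Principal"]["AWS"]:
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions or not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith(CONTEXT_PREFIX):
            raise ValueError(f"condition key not modeled here: {key}")
        if encryption_context.get(key[len(CONTEXT_PREFIX):]) != expected:
            return False
    return True


def can_decrypt(encryption_context, principal=APP_ROLE):
    """Would a kms:Decrypt call from `principal` with this context succeed?"""
    return statement_allows(STATEMENT, principal, "kms:Decrypt", KEY_ARN, encryption_context)


if __name__ == "__main__":
    print(can_decrypt({"Application": "FIDELIUS", "SDLC": "qa"}))    # True
    print(can_decrypt({"Application": "FIDELIUS", "SDLC": "prod"}))  # False
    print(can_decrypt({"Application": "FIDELIUS"}))                  # False: SDLC missing
```

The same role that can decrypt QA secrets is refused for a ciphertext whose context says prod, and for one with no SDLC at all, which is how one key can serve several environments without a separate key policy per environment.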

We provide a convenient way to get Fidelius running locally. You simply need to create a KMS key, create roles with the provided permissions, and run our start script. The script creates a DynamoDB table for you and launches the browser so that you can try out the three roles we provide for yourself.

Once you are ready to deploy, you can configure Fidelius to your needs and deploy the services. We offer the UI and backend service as Docker images and provide an SDK that you can use in your applications.

Fidelius provides you with an easy-to-use, secure, and affordable system to manage your secrets in AWS across multiple AWS accounts and regions. We welcome and encourage any and all contributions to Fidelius through GitHub.