How to secure app config and encrypt data in flight in AWS

@kondlawork
2 min read · Aug 13, 2020

In this example, a containerized Python application deployed on AWS EC2 instance(s) retrieves its database password from Secrets Manager at runtime. This avoids the security risk of the typical approach, where deployment config (including credentials) is baked into the image at build time.

The idea is to separate sensitive dependencies and access keys from the deployment by keeping them in a secret vault such as the AWS Secrets Manager service, and to use an API call to obtain database access on demand.

In the diagram below, the getPassword() method is an API call that retrieves the database user's password from the AWS Secrets Manager service so the application can connect to the source and target databases. Not all components shown are covered in this article; for example, the database, EC2 instance and S3 bucket setup are not part of this example. The code snippets only cover how to implement database access in sensitive environments.

Create secret with an API call

Get secret with an API call for a given key.

Application initialization

Config

Sample code to use SSL/TLS certificates in app config (externalized)
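The three snippets above (create secret, get secret, externalized TLS config) as one added example; this is not the post's own code. It assumes the secret name "prod/app/db", the JSON field names "username"/"password", the env.sh variable names, and a libpq-style driver that accepts sslmode/sslrootcert; boto3 is imported only when no client is passed in, so the module also loads without it.

```python
import json
import os


def create_db_secret(client, name, username, password):
    """Store credentials as a JSON SecretString; returns the new secret's ARN."""
    body = json.dumps({"username": username, "password": password})
    return client.create_secret(Name=name, SecretString=body)["ARN"]


def parse_secret_value(response):
    """GetSecretValue returns SecretString (text/JSON) or SecretBinary (bytes)."""
    raw = response.get("SecretString") or response["SecretBinary"].decode("utf-8")
    try:
        return json.loads(raw)
    except ValueError:  # plain-text secret rather than JSON
        return {"password": raw}


def get_password(secret_id, client=None, key="password"):
    """The getPassword() call from the post: fetch one field of the secret on demand."""
    if client is None:  # real client; credentials come from the instance role, not the image
        import boto3
        client = boto3.client("secretsmanager", region_name=os.environ.get("AWS_REGION", "us-east-1"))
    secret = parse_secret_value(client.get_secret_value(SecretId=secret_id))
    if key not in secret:
        raise KeyError(f"secret {secret_id!r} has no field {key!r}")
    return secret[key]


def db_connect_args(secret_id, client=None):
    """Host/port/user from env.sh (assumed names), password from Secrets Manager, TLS enforced."""
    return {
        "host": os.environ.get("DB_HOST", "localhost"),
        "port": int(os.environ.get("DB_PORT", "5432")),
        "user": os.environ.get("DB_USER", "app"),
        "password": get_password(secret_id, client),
        "sslmode": "verify-full",  # libpq keyword: verify the server cert and hostname
        "sslrootcert": os.environ.get("DB_SSL_ROOT_CERT", "/etc/app/certs/db-ca.pem"),
    }


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client so the example runs offline."""
    def __init__(self):
        self._store = {}

    def create_secret(self, Name, SecretString):
        self._store[Name] = SecretString
        return {"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:" + Name}

    def get_secret_value(self, SecretId):
        return {"SecretString": self._store[SecretId]}
```

The password never appears in env.sh or the image; only the secret's name and the CA bundle path are externalized config.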

There are many ways to read environment variables at container runtime. One option, used in this case, is an env.sh file in which you declare the variables the app needs at runtime.

Declare environment variables

Note: Never keep your API keys in your repository or commit them to a public source control system, even if the repo is private. Stage them locally somewhere safe, or better still, use STS (Security Token Service) to obtain temporary credentials.

Run container app


I am a software engineering manager and cloud architect who designs, builds, deploys, scales, simplifies and cost-optimizes platform architecture.