When your application running on an EC2 instance within an Amazon VPC communicates with Secrets Manager, this communication traverses the public internet.
In this post, I am going to show you how to use Secrets Manager with an Amazon VPC endpoint so as to keep traffic between your VPC and Secrets Manager within the AWS network and meet your compliance and regulatory requirements to limit public internet connectivity.
This application requires a database password to an RDS instance running in the same VPC. I have stored the database password in Secrets Manager.
First, retrieve a secret stored in Secrets Manager from an Amazon EC2 instance and then when the request is sent to Secrets Manager, the entire data flow is contained within the VPC and the AWS network.
you can visit my other blog on Secretsmanager
Manage the RDS Database credentials using AWS Secret Manager and Monitor it thru CloudTrail
Please visit my GitHub Repository for RDS articles on various topics being updated on constant basis.
Let’s get started!
Objectives:
1. Create RDS Security Group - RDS-SG
2. Create RDS MySQL instance
3. Store a new secret in Secretsmanager for the RDS database
4. Create an EC2 webserver
5. Create an Amazon VPC endpoint Security Group
6. Create an Amazon VPC endpoint for Secrets Manager
7. Access Secrets Manager through the VPC endpoint
Pre-requisites:
- AWS user account with admin access, not a root account.
Resources Used:
Access an AWS service using an interface VPC endpoint
Steps for implementation to this project:
1. Create RDS Security Group - RDS-SG
On the EC2 Dashboard, In the left-hand navigation menu, under Networks & Security, click Security Groups - Create Security Group. Security group name - RDS-SG, default VPC, Click the Inbound rules tab, Click the Edit inbound rules button, Click the Add rule button, For the new rule, from the Type dropdown menu, select MYSQL/Aurora, In the dropdown menu to the right of the Source column for the new rule, find and select the launch-wizard-1 for the VPC security group, Click Save rules.
- details Security group name -
RDS-SG - details Security group ID -
sg-0476abd45c05c6708
- inbound rule
- attach MSSQL/Aurora TCP 3306 sg-0b0ae898157dd45f6 - launch-wizard-1
- outbound rule
2. Create RDS MySQL instance
On the Amazon RDS Console, Create database, Standard create, Engine type - MySQL, Templates - Free tier, Under Settings, DB instance identifier - database-1, Master username - admin, Check Manage master credentials in AWS Secrets Manager, Select the encryption key - aws/secretsmanager (default), DB instance class - db.t3.micro, Allocated storage - 20 GB, Storage autoscaling - uncheck Enable storage autoscaling, Under Connectivity, uncheck leave the Don't connect to an EC2 compute resource, select the existing default VPC, Under VPC security group, select RDS-SG and remove the default security group, Under Availability zone us-east-1a, Expand Additional configuration and, Monitoring - Uncheck Enable Enhanced monitoring, under Initial database name, enter rds, Under Additional Configuration, Backup - Uncheck Enable automated backups, Maintenance - Uncheck Enable auto minor version upgrade, Deletion protection - Uncheck Enable deletion protection, Take all defaults
- Create database
1.
2.
3.
4.
5.
6.
7.
8.
9.
Wait for 5-6 minutes to see the database created.
summary RDS database
3. Store a new secret in Secretsmanager for the RDS database
1.
2.
3.
4. Create an EC2 webserver
From the EC2 Dashboard, create an EC2 instance with the following parameters.
1.
2.
- details Security group name -
launch-wizard-1 - details Security group ID -
sg-0b0ae898157dd45f6
- inbound rule
- outbound rule
- attach MSSQL/Aurora TCP 3306 sg-0476abd45c05c6708 - RDS-SG
3. summary details of EC2instance
5. Create an Amazon VPC endpoint Security Group
- details - VPCEndpoint Security Group Name -
VPCEndpoint-SG - details - Security group ID
sg-0480ba360a98eb8ca
- inbound rule
- attach SSH 22 Custom 0.0.0.0/0
- attach HTTPS 443 Custom 0.0.0.0/0
- outbound rule
6. Create an Amazon VPC endpoint for Secrets Manager
1.
2.
Select the Enable DNS Name checkbox for the VPC endpoint. Private DNS resolves the standard Secrets Manager DNS hostname https://secretsmanager.region.amazonaws.com. to the private IP addresses associated with the VPC endpoint specific DNS hostname. As a result, you can access the Secrets Manager VPC Endpoint via the AWS Command Line Interface (AWS CLI) or AWS SDKs without making any code or configuration changes to update the Secrets Manager endpoint URL.
3.
4.
5.
- Create endpoint
6.
Details tab shows all the DNS hostnames generated while creating the Amazon VPC endpoint that can be used to connect to Secrets Manager.
- I am going to use the standard endpoint secretsmanager.us-east-1.amazonaws.com or one of the VPC-specific endpoints to connect to Secrets Manager within the default VPC
vpc-0da931f5deb73c9e2where my RDS instance and application also resides.
6. Access Secrets Manager through the VPC endpoint
- login to EC2 - EC2 Connect
aws secretsmanager get-secret-value \
--secret-id rdssecret \
--query SecretString \
--output text
- output text
[ec2-user@ip-172-31-35-198 ~]$ aws secretsmanager get-secret-value \
--secret-id rdssecret1 \
--query SecretString \
--output text
{"username":"admin","password":"admin1234","engine":"mysql","host":"database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com","port":3306,"dbname":"rds","dbInstanceIdentifier":"database-1"}
[ec2-user@ip-172-31-35-198 ~]$
Cleanup
- delete RDS Database
- delete EC2 Instance
- delete VPC Endpoint
- delete Secret
What we have done so far
- I have shown you how to create a VPC endpoint for AWS Secrets Manager and retrieve an RDS database secret using the VPC endpoint.
- It enables your applications running within a VPC to use Secrets Manager while keeping traffic to Secrets Manager within your VPC.
- your applications that interact with Secrets Manager do not require any code or configuration changes.
Top comments (0)