Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
118 views
in Technique [Technology] by (71.8m points)

node.js - What is the best way to securely store Constants and Parameters for the servers to use it on runtime?

We're running a server on AWS that will be using a few constants. These constants may be details that are confidential like a few API tokens, Client secrets & even DB credentials. We have been saving these details in one of our files on the server itself (say Credentials.js). So,

  1. What is the best possible way to store these credentials in a secure manner?
  2. We were also planning to switch to AWS SSM Parameter Store. Is it worth considering? It also provides KMS encryption for confidential parameters.
  3. Even if we do switch to AWS SSM Parameter Store, we will have to call it multiple times when we make requests to third-party application servers (as we'll need the API tokens for those apps). Does this justify the cost we'll pay for SSM (considering we take Standard store with High throughput)?

Also, please let me know if there are alternatives to securely store these parameters.

Thanks.

question from: https://stackoverflow.com/questions/65951842/what-is-the-best-way-to-securely-store-constants-and-parameters-for-the-servers


1 Answer

0 votes
by (71.8m points)

Secrets Manager

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

To get an overview of what it looks like, see AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely.

Cost

See Pricing. $0.40 USD per secret per month and $0.05 per 10,000 API calls.

Documents

Create a secret via the AWS console or using the SDK. See Creating a secret. A secret is a key/value pair where the value is in JSON format.

Alternatives

HashiCorp Vault

Lambda

Use a Lambda which only accepts access from those with a specific IAM role/permission attached to the IAM profile of an EC2 instance to run your app.

Others

Just Googling "parameter store for secret management" showed a bunch of articles and how-tos. Please do the research first.
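
Added example (not part of the original question or answer): point 3 of the question worries about fetching tokens on every third-party request, and the answer notes that calls are billed per 10,000. A short-lived in-process cache keeps the secret out of the code base while making one API call per TTL window instead of one per request. The names `createSecretCache`, `fetchSecret`, `ttlMs` and `invalidate` are hypothetical, and the SDK wiring in the comment assumes AWS SDK for JavaScript v3.

```javascript
// Added example: TTL cache in front of a secret store.
// fetchSecret(id) is an injected async function returning the secret string
// (assumption). With AWS SDK for JavaScript v3 it could be:
//   const { SecretsManagerClient, GetSecretValueCommand } =
//     require('@aws-sdk/client-secrets-manager');
//   const client = new SecretsManagerClient({});
//   const fetchSecret = async (id) =>
//     (await client.send(new GetSecretValueCommand({ SecretId: id }))).SecretString;
function createSecretCache(fetchSecret, { ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
  const entries = new Map();  // id -> { value, expiresAt }
  const inFlight = new Map(); // id -> Promise; coalesces concurrent misses

  function get(id) {
    const hit = entries.get(id);
    if (hit && hit.expiresAt > now()) return Promise.resolve(hit.value);
    if (inFlight.has(id)) return inFlight.get(id);

    const pending = Promise.resolve()
      .then(() => fetchSecret(id))
      .then((raw) => {
        const value = JSON.parse(raw); // the secret value is stored as JSON
        entries.set(id, { value, expiresAt: now() + ttlMs });
        return value;
      })
      .catch((err) => {
        // Report only the id and error type: a JSON.parse message can quote
        // part of the input, which here is the secret itself.
        throw new Error(`secret "${id}" unavailable: ${err.name}`);
      })
      .finally(() => inFlight.delete(id));
    inFlight.set(id, pending);
    return pending;
  }

  // Call after a downstream 401/403 so a rotated secret is re-read at once.
  function invalidate(id) {
    entries.delete(id);
  }

  return { get, invalidate };
}
```

Keep the TTL shorter than the rotation interval, and grant the instance role read access only to the secret IDs the app actually uses.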

