Securing AI Model Credentials with AWS Secrets Manager Policies

Question

Pulumi · Accepted Answer

To secure AI model credentials using AWS Secrets Manager, you will create and store the credentials (like database passwords, API keys, etc.) in Secrets Manager and apply a policy to manage access to these secrets. AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure.

Here's what we'll do in the Pulumi program:

1. **Create a Secret**: We'll define a new secret, which is the actual container of the sensitive data you want to store.
2. **Define a Secret Policy**: We'll attach a resource-based policy to the secret that specifies who can access this secret and what actions they can perform on it.
3. **Rotate the Secret**: Optionally, if you have Lambda functions set up for rotation, we can define rotation rules for automatically rotating the secrets periodically.

Below is a complete Pulumi program in Python that shows how to secure AI model credentials using AWS Secrets Manager:

```python
import json
import pulumi
import pulumi_aws as aws

# Define the secret where the AI model credentials will be stored
ai_model_secret = aws.secretsmanager.Secret("aiModelSecret",
    description="AI Model Credentials",
)

# An example policy document that grants permission to an AWS lambda function to manage the secret.
secret_policy_document = aws.iam.get_policy_document(statements=[{
    "principals": [{
        "identifiers": ["lambda.amazonaws.com"],
        "type": "Service",
    }],
    "actions": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
    ],
    "resources": [ai_model_secret.arn],
}])

# Attach the resource policy to the secret.
ai_model_secret_policy = aws.secretsmanager.SecretPolicy("aiModelSecretPolicy",
    secret_arn=ai_model_secret.arn,
    policy=secret_policy_document.json,
)

# For demonstration purposes, here's how you might set up automatic rotation for your secret.
# Note that you need a Lambda function that handles the rotation logic.
rotation_lambda = aws.lambda_.Function("rotationLambda") # Placeholder for the actual Lambda function

ai_model_secret_rotation = aws.secretsmanager.SecretRotation("aiModelSecretRotation",
    secret_id=ai_model_secret.id,
    rotation_lambda_arn=rotation_lambda.arn,
    rotation_rules={
        "automatically_after_days": 30,
    })

# Export the secret ARN so you can easily find it in the AWS console or when you need to reference it in other parts of your system.
pulumi.export("ai_model_secret_arn", ai_model_secret.arn)
```

In this program:

- We create a secret called `aiModelSecret` which is where your AI model credentials will be stored securely.
- We create a policy document that gives an example Lambda function the necessary permissions to manage the secret. The Lambda service is defined as a principal with the actions that it can perform listed in the policy document.
- We attach this policy to the secret we created with `SecretPolicy`.
- We show how one could set up automatic rotation for the secret using `SecretRotation`. This requires you to have a Lambda function that performs the rotation. The example assumes a placeholder Lambda function named `rotationLambda`.
- Finally, we export the ARN of the secret using `pulumi.export`, which makes it easy to use the ARN in other parts of your system or to locate the secret in the AWS console.

Keep in mind that the `rotation_lambda` is a placeholder here and to implement rotation, you would actually need to provide a real Lambda function that implements the rotation logic.

You can apply similar logic to secure other types of credentials or secrets as needed by your application. Remember that you'll need the appropriate permissions set up in AWS IAM to create and manage these resources.