Automatic API key rotation for CloudFront with Secrets Manager and Lambda
Project description
API Key Rotator for Amazon CloudFront
In many architectures using Amazon CloudFront with API Gateway, an API key is used to secure communication between CloudFront and the origin (API Gateway). This key is typically passed as a custom header in requests from CloudFront to the origin. While this setup enhances security, it's crucial to regularly rotate these API keys to maintain a robust security posture.
This project provides an automated solution for rotating API keys used in CloudFront distributions. It leverages AWS Lambda and Secrets Manager to securely generate, test, and update API keys without manual intervention.
Why API Key Rotation is Necessary
- Limit Exposure: Regular rotation limits the time an API key is valid, reducing the window of opportunity for potential attackers.
- Compliance: Many security standards and compliance frameworks require periodic rotation of secrets.
- Mitigate Risk: If a key is compromised, rotation ensures it becomes invalid quickly.
How It Works
The automated rotation process consists of four main steps:
- Create Secret: Generate a new API key and store it as the "AWSPENDING" version in Secrets Manager.
- Set Secret: Update the CloudFront distribution with the new API key.
- Test Secret: Verify that the new API key works by testing it against the origin.
- Finish Secret: Mark the new API key as "AWSCURRENT" in Secrets Manager, completing the rotation.
Components
exceptions.py
: Defines custom exceptions for the rotation process.utils.py
: Contains utility functions for interacting with CloudFront, Secrets Manager, and performing key rotation steps.handler.py
: Implements the Lambda function handler that orchestrates the rotation process.
Usage
Prerequisites
- Python 3.10+
- AWS account with appropriate permissions for Lambda, CloudFront, and Secrets Manager
- CloudFront distribution configured with a custom origin header for API key
Setup
-
Build and deploy a Lambda function that contains the
amazon-cloudfront-api-key-rotator
using your preferred method (e.g., AWS Console, CloudFormation, or Terraform). Function configuration:- Python version: 3.10+
- Lambda handler:
api_key_rotator.handler.lambda_handler
- Environment Variables: See "Environment Variables" section below
- Permissions: See "IAM Permissions" section below
-
Configure Secrets Manager to use this Lambda function for rotation.
Environment Variables
Variable | Description | Default Value |
---|---|---|
CLOUDFRONT_DISTRIBUTION_ID |
ID of the CloudFront distribution to update | None (Required) |
HEADER_NAME |
Name of the custom header for the API key | "x-origin-verify" |
ORIGIN_URL |
URL of the origin (API Gateway) to test the rotated API key against | None (Required) |
SECRET_KEY_NAME |
Key name for storing the API key in Secrets Manager | "HTTP_API_KEY" |
SECRET_KEY_LENGTH |
Length of the generated API key | 32 |
IAM Permissions
Ensure the Lambda function has the necessary permissions to:
-
Manage secrets in AWS Secrets Manager:
secretsmanager:GetSecretValue
secretsmanager:PutSecretValue
secretsmanager:DescribeSecret
secretsmanager:UpdateSecretVersionStage
-
Access and update CloudFront distributions:
cloudfront:GetDistribution
cloudfront:GetDistributionConfig
cloudfront:UpdateDistribution
Basic Example
Here's a basic example of how to use the rotator in your AWS environment:
-
Create a secret in AWS Secrets Manager with the initial API key:
{ "HTTP_API_KEY": "your-initial-api-key" }
-
Configure the secret to use the Lambda function for rotation.
-
Update your CloudFront distribution to use the custom header (e.g., "x-origin-verify") with the current API key value.
-
The rotation will occur automatically based on the rotation schedule you set in Secrets Manager.
License
This project is licensed under the MIT License. See the LICENSE file for details.
Disclaimer
This software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term "AWS" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file amazon-cloudfront-api-key-rotator-0.1.0.tar.gz
.
File metadata
- Download URL: amazon-cloudfront-api-key-rotator-0.1.0.tar.gz
- Upload date:
- Size: 7.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.1
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7855e15c49604c87849a0e22c06f852b951d012f485e7ccc843e86516e8aa799 |
|
MD5 | 0c0970478a4625582cdcccb408331eb1 |
|
BLAKE2b-256 | 2c2adc6a07b0dc4f6c8dc3bc8ecf34d77b62f01b66c1fe6f188de4611735b5fd |
File details
Details for the file amazon_cloudfront_api_key_rotator-0.1.0-py3-none-any.whl
.
File metadata
- Download URL: amazon_cloudfront_api_key_rotator-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.1
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4be77cd42f06acbb47d8fee6f8f2a2dd8b17f7ce3b9efcca26b4be37a03f6bbf |
|
MD5 | 60418529e8ddf6daba392cdcf5f35a53 |
|
BLAKE2b-256 | 4bd2e50976bbb3e733182ddf69f13ee5371af12a6bd0c554356800fe7fc717ed |