Status: Open
Labels: ACK_OBTAINED (Issue acknowledged from core team so work can be done to fix it.), UPDATE_CS (Issue about the update/refactoring of an existing cheat sheet.)
Description
The current Python examples in the Serverless_Security_Cheat_Sheet.md for secrets management utilize the boto3 SDK to fetch secrets directly. While functional, this is no longer the recommended best practice for high-performance or cost-efficient serverless applications.
Proposed Improvement
I propose updating the "Secrets Management" section to demonstrate the use of the AWS Parameters and Secrets Lambda Extension.
Why this is better:
- Security: It uses a local HTTP endpoint (localhost:2773), minimizing the footprint of the AWS SDK within the function and reducing the risk of logging sensitive credential retrieval attempts.
- Performance: The extension provides a managed, in-memory cache. This significantly reduces latency (cold starts) and prevents unnecessary API calls to Secrets Manager on every invocation.
- Cost: It drastically reduces the number of API requests, which are billed at $0.05 per 10,000 calls.
Changes
I will replace the existing boto3 example with a urllib3 implementation that interacts with the extension's local cache. I will also add a brief technical note regarding the requirement of adding the extension as a Layer.
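The extension call described in this issue, as an added example that is not the issue author's code nor the cheat sheet's current content: it uses the standard-library urllib.request instead of urllib3 so it runs with no extra dependencies, and relies on the extension's documented local endpoint (/secretsmanager/get on port 2773), its X-Aws-Parameters-Secrets-Token header, and the AWS_SESSION_TOKEN and PARAMETERS_SECRETS_EXTENSION_HTTP_PORT environment variables. The request-building and response-parsing steps are separate functions so they can be checked without a running extension.

```python
import json
import os
import urllib.parse
import urllib.request

# Default extension port; PARAMETERS_SECRETS_EXTENSION_HTTP_PORT can override it.
DEFAULT_EXTENSION_PORT = 2773


def build_secret_request(secret_id, session_token, port=DEFAULT_EXTENSION_PORT):
    """Return (url, headers) for the extension's local Secrets Manager endpoint.

    The X-Aws-Parameters-Secrets-Token header must carry the function's
    AWS_SESSION_TOKEN; the extension rejects requests without it, so only
    code already holding the function's credentials can read the cache.
    """
    if not session_token:
        raise ValueError("AWS_SESSION_TOKEN is required to call the extension")
    query = urllib.parse.urlencode({"secretId": secret_id})
    url = "http://localhost:%d/secretsmanager/get?%s" % (port, query)
    return url, {"X-Aws-Parameters-Secrets-Token": session_token}


def parse_secret_response(body):
    """Parse the JSON body (same shape as GetSecretValue) into the secret value.

    A JSON-formatted SecretString is returned as a dict, any other SecretString
    as a str, and SecretBinary as the base64 text the API delivers.
    """
    payload = json.loads(body)
    if "SecretString" in payload:
        try:
            return json.loads(payload["SecretString"])
        except ValueError:
            return payload["SecretString"]
    if "SecretBinary" in payload:
        return payload["SecretBinary"]
    raise ValueError("response carries neither SecretString nor SecretBinary")


def get_secret(secret_id, timeout=2.0):
    """Fetch a secret through the extension's in-memory cache instead of boto3."""
    port = int(os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", DEFAULT_EXTENSION_PORT))
    token = os.environ.get("AWS_SESSION_TOKEN")
    url, headers = build_secret_request(secret_id, token, port)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_secret_response(resp.read())
```

The extension must be attached to the function as a Lambda layer; without it the request to localhost fails with a connection error rather than falling back to the Secrets Manager API.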