I’m running a PHP application that connects to an RDS database using a username and password to serve data to clients.
The username and password are retrieved from AWS KMS as an encrypted string using the AWS SSM client.
I do this for every single request to the PHP app to open up a connection to the database.
So the flow looks something like this:
Incoming request -> Retrieve DB credentials from AWS -> Open DB connection -> Query -> return data
Within this flow, every single request goes out to AWS to fetch DB credentials, secure string gets decrypted using KMS, and the end result is high usage of KMS resulting in higher bills.
It also introduces latency to every API request.
I was wondering if there is a PHP caching library I can use to somewhat securely store credentials locally on the EC2 instance so I don’t need to fetch them all the time.
I read a lot of forums, and I see some people say to store them in a file living outside of root, or that even a .env that lives outside of root is fine as well; some others say to use memcache, but most people say caching credentials is simply a no-go pattern.
I know there’s no such thing as 100% secure, but any advice on caching credentials, plus what the popular tools used for PHP are, will be appreciated.
2 Answers
Turned out the high bill was caused by having too many SecureString parameters that use KMS for decryption. I converted most of the parameters to the normal String type and left only sensitive strings as the encrypted type, which resulted in overall reduced KMS usage. In the AWS documentation, I overlooked where it states "There is no charge from Parameter Store to create a SecureString parameter, but charges for use of AWS KMS encryption do apply". Also, for the caching library, I found phpfastcache really easy to use. However, I decided to keep things the way they are for now, since the KMS pricing seemed reasonable with the reduced KMS usage.
Maybe you could store your credentials in a fast-access Redis instance, in such a way that you would not continually hit the KMS and SSM Parameter Store services, but in that case I would recommend that you put a very low TTL in Redis so that these credentials die in a short time to avoid any security incident. With this solution, you could implement a Singleton pattern that always requests the credentials from Redis and, if you don’t have them, requests them from SSM and temporarily stores them for later use.
** The Redis instance should have a direct trust relationship with the server / application to mitigate security incidents.
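One way to implement the cache-aside Singleton described in the answer above, as an added example that is not from the original post: it uses the AWS SDK for PHP's `SsmClient` and the phpredis extension, and the Redis host, region, 300-second TTL and parameter name are assumed placeholders.

```php
<?php
// Added example (not from the original post): cache-aside loader for an SSM
// SecureString parameter, backed by Redis with a short TTL, so SSM/KMS are hit
// only on a cache miss. Assumes aws/aws-sdk-php (Composer) and the phpredis
// extension; the Redis host, region, TTL and parameter name are placeholders.
require 'vendor/autoload.php';

use Aws\Ssm\SsmClient;

final class CredentialCache
{
    private static ?self $instance = null;

    private function __construct(
        private Redis $redis,
        private SsmClient $ssm,
        private int $ttl
    ) {}

    public static function instance(): self
    {
        if (self::$instance === null) {
            $redis = new Redis();
            $redis->connect('127.0.0.1', 6379); // assumed: Redis reachable only by this app
            $ssm = new SsmClient(['region' => 'us-east-1', 'version' => 'latest']);
            self::$instance = new self($redis, $ssm, 300); // 300 s TTL (assumed)
        }
        return self::$instance;
    }

    // Returns the decrypted parameter, calling SSM (and thus KMS) only on a miss.
    public function get(string $name): string
    {
        $key = 'cred:' . $name;
        $cached = $this->redis->get($key);
        if ($cached !== false) {
            return $cached; // cache hit: no SSM or KMS call, no extra latency
        }
        $result = $this->ssm->getParameter([
            'Name' => $name,
            'WithDecryption' => true, // the KMS decrypt that is billed per call
        ]);
        $value = $result['Parameter']['Value'];
        $this->redis->setex($key, $this->ttl, $value); // expires after $ttl seconds
        return $value;
    }
}

$dbPassword = CredentialCache::instance()->get('/myapp/db/password'); // assumed name
```

With a 300-second TTL, a rotated credential is picked up within five minutes of the old entry expiring, and at most one SSM/KMS call is made per parameter per TTL window per application instance rather than one per request.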