I recently let AWS Secrets Manager handle a secret rotation for me, which created a SAM template and pulled code from an S3 Bucket that matches the structure found in the aws-samples GitHub repository. Out of curiosity, I tried to reference the same S3 Bucket in a CloudFormation template to create multiple Lambda rotations simultaneously. Given that this bucket is used by AWS to create resources, is it secure for me to reference it? Are there any security concerns? Is there a way to explore what's in this bucket? Are there any similar reference buckets I should know about?
Just to clarify, when you create a secret rotation lambda through the Secrets Manager console, it deploys a CloudFormation SAM template that sets up a Lambda function, IAM role, etc., pulling the zip package from the S3 bucket named `secrets-manager-rotation-apps-{hash}`. I've noticed that the S3 URI matches the folder structure from [this GitHub Repository](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/tree/master/SecretsManagerRDSSQLServerRotationSingleUser) for that specific secret rotation.
3 Answers
Generally, it's okay to use AWS-provided S3 Buckets for these types of functions, but always be cautious. Stick to newer documents and check if AWS has updated their policies. Creating your own buckets for sensitive operations is always a safer approach if you have that option.
It should be fine to use, but keep in mind that it's not formally published outside of the Serverless Application catalog. Those templates are mainly meant to be deployed from there. I recently implemented one of these templates and found it to be overly complicated and badly documented. If you can, I recommend building your own solution instead of relying on those pre-made templates—they can be quite frustrating!
It's probably safe to use that bucket, as AWS utilizes these for distributing CloudFormation templates and similar resources. While you can get objects from it, you might not have permission to list them, so testing it out is your best bet. Just remember to tread carefully with any production-level usage!
Thanks for confirming! I was hoping for a second opinion on this.

If you're planning on using it for something reliable, I'd suggest copying what you need to your own bucket and setting a policy so only you or your organization can access it. This way, if AWS changes their permissions down the line, you're covered.
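Two of the answers above suggest things you can actually do rather than argue about: test empirically whether the AWS-owned bucket lets you get objects but not list them, and copy what you need into a bucket you own with a policy limited to your organization. The script below is an added example written for this page; it is not code from the question, the answers, or the aws-samples repository. It adds one step the thread does not mention: pinning the zip to a SHA-256 digest you recorded when you first inspected it, so that a later change to the object in the AWS bucket fails your copy instead of silently landing in your Lambda. Every bucket name, key, Organization ID and digest in it is a placeholder you must replace; the network functions need `boto3` and credentials, while the digest and policy helpers run offline against a constructed stand-in zip.

```python
"""Added example: probe the AWS-owned rotation bucket, then mirror one zip into
your own bucket, pinned to a SHA-256 digest and readable only from your Organization.
All names below are hypothetical placeholders, not values from the thread."""
import hashlib
import hmac
import json

SOURCE_BUCKET = "secrets-manager-rotation-apps-REPLACEME"  # hypothetical; copy from your SAM template
SOURCE_KEY = "SecretsManagerRDSSQLServerRotationSingleUser/lambda.zip"  # hypothetical object path
DEST_BUCKET = "my-org-rotation-lambdas"  # hypothetical bucket you own
ORG_ID = "o-exampleorgid"  # hypothetical AWS Organizations ID
PINNED_SHA256 = "REPLACE_WITH_DIGEST_YOU_RECORDED"

# Constructed stand-in for a downloaded zip so the offline helpers can be exercised.
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"lambda_function.py"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the object body. This digest, not the bucket name, is what you pin."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, expected_hex: str) -> bool:
    """True only if the body matches the digest recorded earlier (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def org_bucket_policy(bucket: str, org_id: str) -> dict:
    """Read-only for principals inside one Organization, TLS required, no listing.
    The aws:PrincipalOrgID condition is what stops S3 from treating the Principal "*"
    statement as public; anonymous callers have no org ID and fail the StringEquals."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromOrg",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _s3_client(anonymous: bool):
    import boto3  # imported lazily so the offline helpers work without boto3 installed
    from botocore import UNSIGNED
    from botocore.config import Config
    return boto3.client("s3", config=Config(signature_version=UNSIGNED)) if anonymous else boto3.client("s3")


def probe_source(bucket: str, key: str) -> dict:
    """Answer the thread's question empirically: list vs get, anonymous vs signed.
    HeadObject needs s3:GetObject, so it tests read access without downloading."""
    from botocore.exceptions import ClientError
    results = {}
    for anonymous in (True, False):
        s3 = _s3_client(anonymous)
        label = "anonymous" if anonymous else "signed"
        try:
            s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
            results[f"{label}_list"] = "allowed"
        except ClientError as e:
            results[f"{label}_list"] = e.response["Error"]["Code"]  # typically AccessDenied
        try:
            s3.head_object(Bucket=bucket, Key=key)
            results[f"{label}_get"] = "allowed"
        except ClientError as e:
            results[f"{label}_get"] = e.response["Error"]["Code"]
    return results


def mirror_pinned(src_bucket, src_key, dst_bucket, dst_key, expected_hex, org_id) -> str:
    """Download once, refuse anything that does not match the pinned digest, store the
    copy in your bucket and attach the org-only policy. Returns the VersionId (empty
    if versioning is off) so a template can point at an immutable object."""
    s3 = _s3_client(anonymous=False)
    body = s3.get_object(Bucket=src_bucket, Key=src_key)["Body"].read()
    if not verify_pinned(body, expected_hex):
        raise RuntimeError(f"{src_bucket}/{src_key}: digest {sha256_hex(body)} != pinned {expected_hex}")
    resp = s3.put_object(Bucket=dst_bucket, Key=dst_key, Body=body)
    s3.put_bucket_policy(Bucket=dst_bucket, Policy=json.dumps(org_bucket_policy(dst_bucket, org_id)))
    return resp.get("VersionId", "")


if __name__ == "__main__":
    print(json.dumps(probe_source(SOURCE_BUCKET, SOURCE_KEY), indent=2))
    print("stored version:", mirror_pinned(SOURCE_BUCKET, SOURCE_KEY, DEST_BUCKET, SOURCE_KEY, PINNED_SHA256, ORG_ID))
```

Run `probe_source` first; if the signed `head_object` succeeds but `list_objects_v2` returns AccessDenied, that confirms the "get but not list" behaviour the third answer describes. Record the digest of the first zip you download, review it against the matching folder in the aws-samples repository, and only then put that digest in `PINNED_SHA256`; from that point your CloudFormation or SAM `CodeUri` should reference your own bucket (and, with versioning enabled, the returned VersionId) rather than the AWS-owned one.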