Documentation

AWS Secrets Manager Setup

Store Trusted Signatures API credentials securely in AWS Secrets Manager for applications that invoke the AWS Cloud Connector.

  • Secure API key storage
  • IAM access control
  • Rotation guidance
AWS Connector Overview API Reference Book Demo

AWS proof

Use Lambda and S3 for connector speed, scale, and account-scoped control

The documented AWS pattern uses Lambda for invocation, S3 for document movement, and AWS-native IAM and secrets controls so teams can run sealing workflows inside their own account.

Trust & Standards

S3

speed path

Source and destination buckets let applications hand off PDFs and retrieve sealed output through the same storage workflow.

Lambda

scale model

The connector runs as a Lambda function, fitting bursty or event-driven document jobs without managing long-lived servers.

IAM

security controls

Least-privilege roles, bucket policies, and Secrets Manager guidance scope access to documents and credentials.

SHA-256

data boundary

Only the document digest and signing metadata are sent to Trusted Signatures while PDFs stay in S3.

AWS Secrets Manager Setup

Overview

CRITICAL: Store your Trusted Signatures API credentials in AWS Secrets Manager for maximum security in client applications that invoke the AWS Cloud Connector. Never hardcode API keys in your code or environment variables.

Note: The Lambda function itself receives API keys in each request and does not need Secrets Manager access. This guide is for client applications that need to store and retrieve API credentials securely.

Why Use Secrets Manager?

  • Security: Encrypted storage with automatic rotation
  • Access Control: IAM-based permissions
  • Audit: CloudTrail logging of secret access
  • Compliance: Meets security best practices
  • Cost: Minimal cost (~$0.40/month per secret)

Setup Instructions

1. Create Secret in AWS Console

  1. Go to AWS Secrets Manager Console
  2. Click Store a new secret
  3. Choose Other type of secret
  4. Add key-value pairs:
    • Key: apiKey, Value: your-hex-encoded-api-key
    • Key: apiKeyId, Value: your-api-key-id
  5. Secret name: trusted-signatures-api
  6. Description: Trusted Signatures API credentials for PDF sealing
  7. Configure automatic rotation (recommended: 90 days)
  8. Click Store

2. Create Secret via AWS CLI

1
2
3
4

aws secretsmanager create-secret \
  --name "trusted-signatures-api" \
  --description "Trusted Signatures API credentials" \
  --secret-string '{"apiKey":"your-hex-encoded-api-key","apiKeyId":"your-api-key-id"}'

3. Client Application Implementation

Client applications should retrieve credentials from Secrets Manager before invoking the Lambda:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();

async function getApiCredentials(secretName) {
  const result = await secretsManager.getSecretValue({
    SecretId: secretName
  }).promise();
  
  return JSON.parse(result.SecretString);
}

// In your client application
const credentials = await getApiCredentials('trusted-signatures-api');
const { apiKey, apiKeyId } = credentials;

// Invoke Lambda with retrieved credentials
const payload = {
  httpMethod: 'POST',
  path: '/seal',
  body: JSON.stringify({
    sourceBucket: 'bucket',
    sourceKey: 'key',
    destinationBucket: 'dest-bucket',
    destinationKey: 'dest-key',
    apiKey: apiKey,
    apiKeyId: apiKeyId,
    tsaTimestamp: true,
    includeLtv: true
  })
};

Security Best Practices

Access Control

Principle of Least Privilege:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:trusted-signatures-api-AbCdEf",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}

Monitoring

CloudWatch Alarms:

1
2
3
4
5
6
7
8
9

aws cloudwatch put-metric-alarm \
  --alarm-name "SecretsManager-UnauthorizedAccess" \
  --alarm-description "Alert on unauthorized secret access" \
  --metric-name "SecretRetrievals" \
  --namespace "AWS/SecretsManager" \
  --statistic "Sum" \
  --period 300 \
  --threshold 10 \
  --comparison-operator "GreaterThanThreshold"

Rotation

Automatic Rotation (Recommended):

  1. Enable automatic rotation in Secrets Manager
  2. Set rotation interval (30-90 days recommended)
  3. Update Trusted Signatures API keys accordingly
  4. Test rotation process in non-production environment

Cost Optimization

Caching Secrets

Cache secrets in Lambda to reduce API calls:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

let cachedCredentials = null;
let cacheExpiry = null;

async function getCachedCredentials(secretName) {
  const now = Date.now();
  
  if (cachedCredentials && cacheExpiry && now < cacheExpiry) {
    return cachedCredentials;
  }
  
  cachedCredentials = await getApiCredentials(secretName);
  cacheExpiry = now + (5 * 60 * 1000); // Cache for 5 minutes
  
  return cachedCredentials;
}

Regional Considerations

  • Store secrets in the same region as your Lambda
  • Use VPC endpoints to avoid data transfer charges
  • Consider cross-region replication for disaster recovery

Troubleshooting

Common Issues

Access Denied:

  • Verify Lambda execution role has secretsmanager:GetSecretValue permission
  • Check secret resource ARN matches policy
  • Ensure secret exists in the correct region

Secret Not Found:

  • Verify secret name spelling
  • Check if secret was deleted or moved
  • Confirm region matches Lambda function region

Invalid Credentials:

  • Verify secret contains correct apiKey and apiKeyId
  • Check if API keys have expired
  • Test credentials directly with Trusted Signatures API

Debugging

Enable CloudTrail logging:

1
2
3
4

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue \
  --start-time 2024-01-01 \
  --end-time 2024-01-02

Check Lambda logs:

1
2
3

aws logs filter-log-events \
  --log-group-name "/aws/lambda/pdf-sealer-gateway" \
  --filter-pattern "secretsmanager"

Migration from Hardcoded Keys

Step-by-Step Migration

  1. Create secret with current API credentials
  2. Update Lambda code to support both methods temporarily
  3. Test thoroughly with secret-based approach
  4. Remove hardcoded keys from code
  5. Update documentation and deployment scripts

Rollback Plan

Keep hardcoded keys as fallback during migration:

1
2
3
4
5
6
7
8

async function getCredentials(secretName, fallbackApiKey, fallbackApiKeyId) {
  try {
    return await getApiCredentials(secretName);
  } catch (error) {
    console.warn('Failed to retrieve from Secrets Manager, using fallback');
    return { apiKey: fallbackApiKey, apiKeyId: fallbackApiKeyId };
  }
}

Compliance

Audit Requirements

  • CloudTrail: Enable logging for Secrets Manager API calls
  • Access Reviews: Regular review of IAM permissions
  • Rotation Records: Document key rotation schedule
  • Incident Response: Plan for compromised credentials

Documentation

Maintain records of:

  • Secret creation and updates
  • IAM policy changes
  • Rotation schedules
  • Access patterns and anomalies

Security is critical to protecting your Trusted Signatures account. Always use AWS Secrets Manager for API credentials in production environments.

Need architectural review?

Book a technical walkthrough

For enterprise rollout, we can review trust model, controls, and integration patterns with your team.

Book Demo See Pricing