Title: Application Secret Management with AWS KMS
Managing application secrets, such as database passwords or API keys, can be a tricky problem in any environment. It becomes even trickier when we have an end-to-end Continuous Delivery pipeline, deploying an application with no human intervention. The question becomes: how do we maintain secrets in source control, along with the infrastructure and functional code, without exposing them to everyone? Additionally, CapitalOne, being a large financial institution, is subject to regulations like "segregation of duties", which prohibits developers from having admin access to production. Using a combination of AWS KMS, IAM, and iptables, we were able to design a simple, cheap, and scalable solution that satisfies our security needs, as well as the regulatory requirements.