AWS Secrets for Best Practices
1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Best Practices & Use cases -
AWS Secrets Manager
Vijaya Nirmala Gopal
2.
Vijaya Nirmala Gopal (Nirmala)
DevOps Solutions Lead - Cloud,
Sonata Software Limited
https://cloudgoddess.blogspot.com/
Ansible Galaxy Contributor
3.
❏ AWS Secrets Manager Overview
❏ Top security threats with Credentials
❏ Overlooked Risks
❏ Compliance for AWS & cloud
❏ Use case for the day
❏ Logging/Monitoring - Cloudwatch
❏ Auditing - CloudTrail
❏ Notifications - SNS
❏ Recover & Restore
❏ With Infrastructure as Code
❏ For Configuration Management Solution
❏ Quick compare
❏ Need of the moment
Agenda
4.
AWS Secrets Manager - Overview
❏ Key features - store secrets centrally and automate their rotation
Random password generation through the API and CLI (GetRandomPassword)
❏ Pay as you go; No upfront or setup cost
❏ Fine grained IAM access control
❏ Compliance
❏ Audit/Monitor
5.
Top security threats
Risk assessments point to the following causes:
● Open network ports
● Broad permissions for Application(s)
● Wider privileges for IAM user
● Unprotected keys and credentials
6.
Overlooked Risks ???
Shared by Teri Radichel, CEO, 2nd Sight Lab, AWS Community Hero
7.
PCI DSS & CIS with AWS Secrets Manager
❏ Require credentials to be protected
❏ Define rules for IAM and any other credentials
❏ Recommend or require key rotation
❏ Enable sufficient logging
❏ Have audit controls in place
8.
Use case - AWS Secrets Manager
9.
SSM - AWS CLI
Creation & Retrieval of secrets
10.
Infrastructure provisioning - Use cases
How efficient are secrets with CloudFormation?
● Use a dynamic reference to fetch a secret from Secrets Manager when the stack is created or updated, so the value never sits in the template or its parameters:
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
"MasterUserPassword": "{{resolve:secretsmanager:RDS-master-password:SecretString:password}}"
● secret-string is always SecretString; json-key selects one field of a JSON secret; version-stage and version-id are optional and default to AWSCURRENT. The template only ever holds the reference (the AWS::RDS::DBInstance property above is MasterUserPassword), and the value is re-resolved only when the stack is updated.
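As an added example (my code, not the deck's or AWS's), a small parser and linter for the dynamic-reference syntax above. It handles a secret-id given as a full ARN, which itself contains colons, and the lint rules (pinned version-id, missing json-key, whitespace inside the braces) are my own; the sample template is constructed.

```python
"""Parse and lint CloudFormation {{resolve:secretsmanager:...}} dynamic references.

Added example, not code from the deck or from AWS. Field layout follows the slide:
secret-id:secret-string:json-key:version-stage:version-id. Sample template is constructed.
"""
import re
from typing import Dict, List, Optional

# Strict form: no whitespace anywhere inside the braces.
_STRICT = re.compile(r"\{\{resolve:secretsmanager:([^{}\s]+)\}\}")
# Loose form, used only to spot references that look right but contain whitespace.
_LOOSE = re.compile(r"\{\{\s*resolve:secretsmanager:[^{}]*\}\}")
_ARN_PARTS = 7  # arn:partition:secretsmanager:region:account-id:secret:name


def parse_reference(ref: str) -> Dict[str, Optional[str]]:
    """Split one reference into its fields; empty fields mean 'use the default'."""
    m = _STRICT.fullmatch(ref)
    if not m:
        raise ValueError(f"not a Secrets Manager dynamic reference: {ref!r}")
    fields = m.group(1).split(":")
    if fields[0] == "arn":
        # A secret ARN has seven colon-separated parts; the secret name itself cannot contain ':'.
        if len(fields) < _ARN_PARTS or fields[2] != "secretsmanager" or fields[5] != "secret":
            raise ValueError(f"malformed secret ARN in {ref!r}")
        secret_id, rest = ":".join(fields[:_ARN_PARTS]), fields[_ARN_PARTS:]
    else:
        secret_id, rest = fields[0], fields[1:]
    if not secret_id:
        raise ValueError(f"empty secret-id in {ref!r}")
    if len(rest) > 4:
        raise ValueError(f"too many fields in {ref!r}")
    secret_string, json_key, version_stage, version_id = rest + [""] * (4 - len(rest))
    # Only the SecretString part of a secret can be referenced this way.
    if secret_string not in ("", "SecretString"):
        raise ValueError(f"unsupported secret-string field {secret_string!r} in {ref!r}")
    return {"secret_id": secret_id, "json_key": json_key or None,
            "version_stage": version_stage or None, "version_id": version_id or None}


def find_references(template: str) -> List[str]:
    return [m.group(0) for m in _STRICT.finditer(template)]


def lint_template(template: str) -> List[str]:
    """Findings a reviewer would want before the template is deployed."""
    findings: List[str] = []
    for m in _LOOSE.finditer(template):
        if not _STRICT.fullmatch(m.group(0)):
            findings.append(f"{m.group(0)!r}: whitespace inside the braces; the documented "
                            "syntax has none, so CloudFormation may treat it as a literal string")
    for ref in find_references(template):
        try:
            parsed = parse_reference(ref)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if parsed["version_id"]:
            findings.append(f"{ref}: pinned to version-id {parsed['version_id']}; the stack "
                            "keeps using this version after the secret is rotated")
        if parsed["json_key"] is None:
            findings.append(f"{ref}: no json-key, so the entire secret string (every field) "
                            "is injected into the property")
    return findings


# Constructed sample template (YAML text) exercising the cases above.
SAMPLE_TEMPLATE = """
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: '{{resolve:secretsmanager:RDS-master-password:SecretString:username}}'
      MasterUserPassword: '{{resolve:secretsmanager:RDS-master-password:SecretString:password}}'
  Legacy:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: '{{resolve:secretsmanager:arn:aws:secretsmanager:ap-south-1:123456789012:secret:legacy-db-AbCdEf:SecretString:password::11111111-2222-3333-4444-555555555555}}'
  Api:
    Type: AWS::SSM::Parameter
    Properties:
      Value: '{{resolve:secretsmanager:prod/app/api-token:SecretString}}'
  Spaced:
    Type: AWS::SSM::Parameter
    Properties:
      Value: '{{ resolve:secretsmanager:RDS-master-password:SecretString:password }}'
"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it over a template before `aws cloudformation deploy`; a reference pinned to a version-id is the one that silently breaks rotation.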
11.
Infrastructure provisioning - Use cases
How efficient are secrets with Terraform?
● Use the aws_secretsmanager_secret and aws_secretsmanager_secret_version resources (not modules) to create a secret and its value
● An output can show the secret, but outputs and the state file hold it in plaintext: mark such outputs sensitive and protect the state backend
● Fetch the secret with the AWS CLI from user_data at boot, using the instance role, rather than interpolating the value into user_data, which anyone with EC2 describe access or access to the instance metadata endpoint can read
12.
Configuration Management - Use cases
How secrets fit with Ansible
❏ The aws_secret lookup plugin reads a secret from Secrets Manager directly inside a play
❏ Or run the AWS CLI in a task and register its output
❏ Know how to fetch and where the value ends up: set no_log on tasks that handle it so it does not land in the job output
13.
Configuration Management - Use cases
Fetch using AWS CLI
14.
Configuration Management - Use cases
Fetch using API(ex. Python)
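As an added example for the CLI and API slides (my code, not the deck's), fetching a secret through the GetSecretValue API and caching it in-process. It assumes the boto3 client interface (`get_secret_value(SecretId=...)`, `SecretString` / `SecretBinary` in the response); `FakeSecretsManager` is a constructed stand-in with that response shape so the example runs offline, and the secret names and values are made up.

```python
"""Fetch secrets from AWS Secrets Manager through the API and cache them in-process.

Added example; not code from the deck. In production the client is
boto3.client("secretsmanager"); FakeSecretsManager below is a constructed stand-in
with the same get_secret_value() response shape, so the example runs offline.
"""
import json
import time
from typing import Any, Callable, Dict, Tuple


class FakeSecretsManager:
    """Stand-in for the boto3 Secrets Manager client (constructed for this example)."""

    class ResourceNotFoundException(Exception):
        """boto3 raises client.exceptions.ResourceNotFoundException for unknown secrets."""

    def __init__(self, secrets: Dict[str, Dict[str, Any]]) -> None:
        self._secrets = secrets  # name -> {"SecretString": str} or {"SecretBinary": bytes}
        self.calls = 0           # counts API calls so the caching effect is visible

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self._secrets:
            raise self.ResourceNotFoundException(
                f"Secrets Manager can't find the specified secret: {SecretId}")
        response = {
            "ARN": f"arn:aws:secretsmanager:ap-south-1:123456789012:secret:{SecretId}-AbCdEf",
            "Name": SecretId, "VersionStages": [VersionStage],
        }
        response.update(self._secrets[SecretId])
        return response


def fetch_secret(client: Any, secret_id: str) -> Any:
    """One GetSecretValue call, decoded: a dict when SecretString holds JSON (the layout the
    console and the RDS rotation functions use), the raw string otherwise, or bytes for a
    SecretBinary secret (boto3 base64-decodes it; the CLI hands you the base64 text)."""
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            return json.loads(raw)
        except ValueError:
            return raw
    return response["SecretBinary"]


class SecretCache:
    """Keeps decoded secrets for a TTL so an application does not issue (and pay for) one
    GetSecretValue per use. Keep the TTL well below the rotation interval: after a rotation
    the next cache miss picks up the new AWSCURRENT version."""

    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Any]] = {}  # id -> (expires_at, value)

    def get(self, secret_id: str) -> Any:
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = fetch_secret(self._client, secret_id)
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        """Call on an authentication failure: the secret was probably rotated mid-TTL."""
        self._entries.pop(secret_id, None)


def demo() -> Dict[str, Any]:
    """Runs the cache against constructed sample secrets and reports what happened."""
    client = FakeSecretsManager({
        "prod/app/db": {"SecretString": json.dumps(
            {"username": "app", "password": "S3cr3t-example", "host": "db.internal", "port": 5432})},
        "prod/app/api-token": {"SecretString": "tok_9f8e7d6c-example"},
        "prod/app/tls-key": {"SecretBinary": b"-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----\n"},
    })
    fake_clock = [0.0]  # controllable clock so the TTL expiry is deterministic
    cache = SecretCache(client, ttl_seconds=60.0, clock=lambda: fake_clock[0])

    db = cache.get("prod/app/db")   # API call 1
    cache.get("prod/app/db")        # served from cache, no call
    fake_clock[0] = 61.0            # TTL elapsed
    cache.get("prod/app/db")        # API call 2
    return {
        "username": db["username"],
        "token": cache.get("prod/app/api-token"),                          # API call 3
        "key_is_bytes": isinstance(cache.get("prod/app/tls-key"), bytes),  # API call 4
        "api_calls": client.calls,
    }


if __name__ == "__main__":
    print(demo())
```

Give the caller an IAM role whose policy allows only secretsmanager:GetSecretValue on the specific secret ARNs it needs, and never log the decoded dict; the cache is what keeps the per-call billing and API throttling in check.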
15.
Auditing Secrets Usage - CloudTrail
❏ CloudTrail records every Secrets Manager API call (GetSecretValue, PutSecretValue, DeleteSecret, RestoreSecret, RotateSecret and the rest) with the calling identity, source IP and secret, so it is the record to check for credential misuse. Risk assessments point to the following causes of such misuse:
❏ Open network ports
❏ Broad permissions for Application(s)
❏ Wider privileges for IAM user
❏ Unprotected keys and credentials
16.
CloudTrail - Delete
❏ What happens on delete: DeleteSecret schedules the secret for deletion after a recovery window (30 days by default, 7 at minimum), during which the value can no longer be retrieved
❏ CloudTrail shows who deleted which secret and from where, so mischievous deletions are visible
❏ Take the decision back within the recovery window with RestoreSecret; a forced delete (ForceDeleteWithoutRecovery) skips the window and cannot be undone
❏ Think through the decision before deleting
❏ After restoring, check integrity by running regression tests against the consumers
17.
Monitoring/Logging Secrets - CloudWatch
❏ Calls made
❏ Access-denied errors
❏ Which sources reach which secrets, and when
❏ Find and act on unused or unrotated secrets (each secret carries a LastAccessedDate and LastRotatedDate)
18.
SNS - AWS Secrets Manager
Get alerted on actions, or define your own triggers, with a CloudWatch Events rule on CloudTrail events and an SNS topic as the target
❏ On delete
❏ On permission denied, to spot suspicious access attempts
❏ On API calls
❏ Other examples
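As an added example for the CloudTrail, delete, CloudWatch and SNS slides (my code, not the deck's), a triage pass over CloudTrail records for Secrets Manager, plus an event pattern of the kind you would attach to a CloudWatch Events rule targeting SNS, applied locally to the same records. The records are constructed for the example in the CloudTrail record layout; the principals, IPs and secret names are made up, and the matcher implements only the exact-match subset of the pattern language.

```python
"""Triage CloudTrail records for Secrets Manager activity and match them against an
event pattern of the kind you would wire to an SNS topic.

Added example, not from the deck. SAMPLE_RECORDS is constructed: it follows the
CloudTrail record layout (eventSource, eventName, errorCode, userIdentity.arn,
sourceIPAddress, requestParameters) but is not real log data.
"""
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List, Set

SM = "secretsmanager.amazonaws.com"
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-ec2-role/i-0a1b2c3d4e5f"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
ROTATOR = "arn:aws:sts::123456789012:assumed-role/SecretsManagerRotation/rotate"

SAMPLE_RECORDS: List[Dict[str, Any]] = [  # constructed, not real CloudTrail output
    {"eventTime": "2018-09-15T10:02:11Z", "eventSource": SM, "eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE}, "sourceIPAddress": "10.0.12.34",
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventTime": "2018-09-15T10:07:40Z", "eventSource": SM, "eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE}, "sourceIPAddress": "10.0.12.34",
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventTime": "2018-09-15T23:41:05Z", "eventSource": SM, "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"secretId": "prod/app/db"}, "errorCode": "AccessDeniedException",
     "errorMessage": f"User: {CONTRACTOR} is not authorized to perform: secretsmanager:GetSecretValue"},
    {"eventTime": "2018-09-15T23:43:19Z", "eventSource": SM, "eventName": "DeleteSecret",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"secretId": "prod/app/api-token", "recoveryWindowInDays": 7}},
    {"eventTime": "2018-09-16T00:00:02Z", "eventSource": SM, "eventName": "RotateSecret",
     "userIdentity": {"type": "AssumedRole", "arn": ROTATOR}, "sourceIPAddress": SM,
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventTime": "2018-09-16T00:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "sourceIPAddress": "10.0.12.34", "requestParameters": {}},  # unrelated service, ignored
]

# Pattern for a CloudWatch Events rule whose target is the SNS topic: mutating calls only.
ALERT_PATTERN: Dict[str, Any] = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": [SM],
               "eventName": ["DeleteSecret", "RestoreSecret", "PutSecretValue",
                             "UpdateSecret", "PutResourcePolicy"]},
}


def to_event(record: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a CloudTrail record in the envelope CloudWatch Events delivers it in."""
    service = record["eventSource"].split(".")[0]
    return {"source": f"aws.{service}", "detail-type": "AWS API Call via CloudTrail",
            "detail": record}


def matches(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Exact-match subset of the event pattern language: every key in the pattern must be
    present, a list means 'one of these values', a nested dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(have, want):
                return False
        elif have not in want:
            return False
    return True


def triage(records: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Findings a responder wants first, plus who reads what (for least-privilege review)."""
    findings: List[str] = []
    reads: Counter = Counter()
    readers_by_secret: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.get("eventSource") != SM:
            continue
        who = r.get("userIdentity", {}).get("arn", "?")
        params = r.get("requestParameters") or {}
        secret = params.get("secretId", "?")
        name = r.get("eventName")
        if r.get("errorCode"):  # denied or failed call: the "permission denied" trigger
            findings.append(f"DENIED {name} on {secret} by {who} from "
                            f"{r.get('sourceIPAddress', '?')} ({r['errorCode']})")
        elif name == "GetSecretValue":
            reads[who] += 1
            readers_by_secret[secret].add(who)
        elif name == "DeleteSecret":
            if params.get("forceDeleteWithoutRecovery"):
                findings.append(f"CRITICAL DeleteSecret without recovery window on {secret} by {who}")
            else:
                findings.append(f"DeleteSecret on {secret} by {who}: restorable with "
                                f"RestoreSecret for {params.get('recoveryWindowInDays', 30)} days")
        elif name in ("RestoreSecret", "PutSecretValue", "UpdateSecret", "RotateSecret"):
            findings.append(f"{name} on {secret} by {who}")
    return {"findings": findings, "reads_per_principal": dict(reads),
            "readers_by_secret": {k: sorted(v) for k, v in readers_by_secret.items()}}


if __name__ == "__main__":
    for line in triage(SAMPLE_RECORDS)["findings"]:
        print(line)
    print([r["eventName"] for r in SAMPLE_RECORDS if matches(to_event(r), ALERT_PATTERN)])
```

Read-only calls such as GetSecretValue are generally not delivered to CloudWatch Events, so the denied-read alert is best built as a CloudWatch Logs metric filter on the trail's log group with an alarm that publishes to the same SNS topic; the pattern above covers the mutating calls.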
19.
Comparison with other options
Other options:
❏ AWS SSM Parameter Store
❏ Rotation only with a custom Lambda, which you create and maintain
❏ No cross-account access
❏ S3 - ciphertext encrypted at rest and in transit
❏ Ansible Vault
❏ A VM or instance holding the secrets
❏ Custom-built mechanism to rotate
AWS Secrets Manager:
❏ All secrets encrypted with KMS
❏ Rotation through Lambda functions, with AWS-provided rotation templates
❏ Billed per secret stored and per API call
❏ Integrated password rotation for supported databases (RDS)
❏ Random password generation
20.
Step Ahead - git-secrets
Access keys and credentials in Git repos
❏ Scrutinise the most valuable targets: repos holding deployment configs and infrastructure code
❏ Prevent keys and credentials from getting into a repo at all: git-secrets installs commit hooks that reject commits matching AWS credential patterns
❏ Add a Jenkins job that checks out repos, scans them (including history) and reports
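As an added example (my code, not git-secrets' source), a scanner that does what the hook and the Jenkins job above do: flag AWS access key IDs and secret keys in a diff or a file, using my own simplified versions of the AWS patterns git-secrets registers, and allowlisting the two documentation placeholder keys that `git secrets --register-aws` also allows. The diff and the credentials in it are constructed for the example.

```python
"""Find AWS credentials in a diff or a file, the way a git-secrets pre-commit hook does.

Added example; the patterns are my simplified equivalents of git-secrets' AWS rules,
not its code. SAMPLE_DIFF and every key in it are constructed for this example.
"""
import re
from typing import Any, Dict, List, Tuple

# Access key IDs: one of the prefixes IAM uses (AKIA long-term, ASIA temporary, AIDA user,
# AROA role, ...) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b")
# A 40-character base64-like value assigned to something named like a secret access key.
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# AWS's documentation placeholders; git-secrets --register-aws allowlists these too.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,4 +1,6 @@
 APP_ENV=prod
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=AKIAJ4ZQX7PLMNOPQRST
+AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD
+# docs: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY are placeholders
+DB_SECRET_ID=prod/app/db
"""


def redact(value: str) -> str:
    """Report enough to locate the credential without copying it into the report."""
    return value[:4] + "..." + value[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    hits: List[Tuple[str, str]] = []
    for m in ACCESS_KEY_ID.finditer(line):
        if m.group(0) not in ALLOWED:
            hits.append(("aws_access_key_id", m.group(0)))
    for m in SECRET_KEY.finditer(line):
        if m.group(1) not in ALLOWED:
            hits.append(("aws_secret_access_key", m.group(1)))
    return hits


def scan_text(text: str, path: str = "<text>") -> List[Dict[str, Any]]:
    """Whole-file scan: what you run over a checkout or each historical revision."""
    return [{"path": path, "line": n, "kind": kind, "value": redact(value)}
            for n, line in enumerate(text.splitlines(), 1) for kind, value in scan_line(line)]


def scan_diff(diff: str) -> List[Dict[str, Any]]:
    """Pre-commit style scan: only added lines, reported at their line number in the new file."""
    findings: List[Dict[str, Any]] = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("diff ", "--- ", "\\")):
            continue
        hunk = HUNK.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: not in the new tree (it is still in history, hence scan_text)
        if raw.startswith("+"):
            for kind, value in scan_line(raw[1:]):
                findings.append({"path": path, "line": new_line, "kind": kind, "value": redact(value)})
        new_line += 1  # context and added lines both occupy a line in the new file
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
```

Wire scan_diff over `git diff --cached` in a pre-commit hook and scan_text over each revision in the Jenkins job; once a key has been committed anywhere, treat it as burned and rotate it, because rewriting history does not recall the clones.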
21.
Thank you!