Are you hard coding credentials in your software? Do you have passwords you need to centrally manage, while maintaining access control? In this session you will learn the best ways of using the AWS platform to build applications with zero knowledge of the credentials that are used. AWS and Xero will talk about the various methods AWS gives you to ensure you can handle secret values with confidence using automation in a multi-account environment. From IAM Roles, to bearer tokens and automatically rotated secrets, we will walk through a real life application and show how easy it is to keep your secrets safe.

1. S U M M I T
S YD N EY

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Keep it secret, keep it safe: credentials
and secrets management on AWS
Maria Sokolova
Solutions Architect
Amazon Web Services
Rupert Bryant-Greene
Security Engineering Lead
Xero

3. • We help small businesses thrive worldwide
• Best known for our accounting platform
• 1.58+ million subscribers
• 2,300 employees
• ~700 of whom are developers or engineers
Who are Xero?

4. • I’m Rupert
• I help Security Engineers thrive in Wellington,
New Zealand
• Our team continuously deploy edge and platform
security infrastructure
• We have built fully-automated AWS identity
management for our users
Who am I?

5. IAM for users, at scale
Maintaining developer velocityAWS root accounts, at scale
Building Zero Knowledge
applications
‘Zero Knowledge’ security model in AWS

6. AWS users in multi-account environments
Test
IAM Role AWS
CloudFormation
Stack
Prod
IAM Role AWS
CloudFormation
Stack

7. Third Party Federation
Bring-your-own-identities
AWS users in multi-account environments
AWS Single Sign-On
A fully-managed solution
for growing teams
Identity Account
An AWS Root Account
specifically for human IAM

8. Third Party Federation
Bring-your-own-identities
AWS users in multi-account environments

9. Federated AWS IAM
• Bring your existing tooling
• AWS supported integration partners
• Authentication via OIDC or SAML is available
• Trust IdP or lock down specific attributes on the
AWS side as well

10. Federated AWS IAM
Account A
IAM Role AWS
CloudFormation
Stack
Master Account
AWS
CloudFormation
Federation
Token
Federation
Token
Federation
Token
Account B
IAM Role AWS
CloudFormation
Stack
Account C
IAM Role AWS
CloudFormation
Stack
SAML Assertion

11. AWS users in multi-account environments
AWS Single Sign-On
A fully-managed solution
for growing teams

12. AWS Single Sign-On
• Managed AWS service
• Integrates with Active Directory
• Multi-factor authentication via AD & RADIUS
• Authorisation is via SSO Permission Sets

13. AWS Single Sign-On
Account A
IAM Role
Master Account
Radius
Server
AWS Directory
Service
AWS Single
Sign-On
Permission
Sets
Users
Account B
IAM Role
Account C
IAM Role
1
2
3
4
5
MFA

14. Identity Account
An AWS Root Account
specifically for human IAM
AWS users in multi-account environments

15. Identity account
Full support of existing IAM features like
MFA, CLI
Allows for AuthZ via Groups or Policies
Centralises IAM Users away from
other accounts
No cost

16. Identity account
Account A
IAM Role
IAM
Users
IAM Policies
Users
Account B
IAM Role
Account C
IAM Role
MFA
1
2
3
Master Account

17. Identity account
Account A
IAM Role
Master Account
IAM
Users
IAM Policies
Users
Account B
IAM Role
Account C
IAM Role
MFA

18. Authorisation of
AssumeRole
7 “Standard” IAM Roles for AssumeRole
~100 AWS Accounts
~700 Unique Roles
Users could hypothetically require any Role
in any Account in any combination
Too many possible combinations to be
managed via Groups

19. AWS IAM access, KMS key management
Rotates Access Keys across all accounts
Approval workflow for granular
access requests
Database access management
Platform Access
Control Manager

20. Users don’t need additional credentials
Platform Access
Control Manager

21. Platform Access Control Manager
Identity Account
IAM UsersIAM Policies
Users
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::123456789012:role/Developer",
"arn:aws:iam::123456789012:role/Admin",
"arn:aws:iam::098765432109:role/ReadOnly"
]
}
1 IAM Managed Policy per User
MFA
MFA
Request Access
Changes
Modify Policy

23. Platform Access Control Manager
PACMAN Account
Database
Access
KMS
Management
IAM Policy
Processor
Parameter
Store
Identity Account
IAM
Users
IAM
Policies
Directory Account KMS Account
AWS Key
Management Service
AWS Directory
Service

24. (Not) handling secrets within applications
AWS Systems
Manager Commands
AWS Secrets
Manager
AWS Key
Management Service
IAM Roles
Let AWS handle them for you

25. Don’t use them
IAM Users

26. IAM Roles

27. IAM roles are secure and versatile
PACMAN Account
Database
Access
KMS
Management
IAM Policy
Processor
Parameter
Store
KMS Account
AWS STS IAM Role
Identity Account
AWS STS IAM Role

28. Key-value pairs
Native and custom secret rotation
Cross-account access
AuthZ with KMS Key and Resource Policies
CloudFormation via Dynamic References
Secrets Manager

29. (Not) handling secrets within applications
GetSecretVaule
{Ua, Pa}
{Ua,Pa}
Data
AWS Region – Sydney
Amazon RDS
AWS CloudFormation
ApplicationAWS Secrets Manager

30. (Not) handling secrets within applications
Cross-account secrets are great for shared credentials like domain join users or logging API
keys directly to the systems that need them
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/EC2RoleToAccessSecrets"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}]
}

31. (Not) handling secrets within applications
Put references to secrets directly into your CloudFormation templates, without having them
visible to the Console using Dynamic References
MyRDSInstance:
Type: 'AWS::RDS::DBInstance'
Properties:
DBName: MyRDSInstance
AllocatedStorage: '20'
DBInstanceClass: db.t2.micro
Engine: mysql
MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'

32. Native SSH all the way to the instance
Can traverse multi-hop networks (jump hosts)
Generates time-limited SSH Certificates
Tied to AWS IAM Access
Works with EC2 Instance Tags for AuthZ
LastKeyPair

33. LastKeyPair - On-demand SSH Certificates
MFA
Users
KMS Account
AWS KMSAWS Lambda
LastKeyPair
AWS Lambda
Authoriser
Parameter
store
LastKeyPair Account
1
2 4
3
5
6 SSH
SSH Certificate

34. Remote execution – the good kind!
Allows for IAM-backed audit trail via
CloudTrail
Per-instance authorisation can be handled
with EC2 Tagging
Amazon AMIs come with SSM pre-
installed, just attach the Role
SSM sessions &
commands

35. AWS SSM session manager

36. Consider whether you need access to
instances at all
All logs should be shipped
Instances should include a host-security
agent and process logging
No SSH, no SSM, changes are deployed
through infra-as-code
Immutable
infrastructure

37. Immutable infrastructure via DevOps
PACMAN Account
Database
Access
KMS
Management
IAM Policy
ProcessorAWS
CodePipeline
AWS
CodeBuild
Amazon EC2
Container Registry
GitHub
Repository

38. KMS as-a-service
Robust API
Comprehensive Key Policies
Native integration from the CLI
Key Management
Service

39. Maintain Visibility Use AWS
Organisations
Lockdown Root Accounts
Managing 90+ AWS accounts

40. Account catalog - Root account metadata
{
"123456789012": {
"Note": "A free text about the account, maybe a ticket ID",
"AccountOwner": [
"identity-management@xero.com"
]
},
"098765432109": {
...
},
...
}

41. Account information comparison

42. Vineyard - AWS Root Account Manager

43. Credential handling is automated out

44. Use time-limited credentials
Maintain developer velocityEnforce governance
Protect root accounts
Putting it all together

45. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rupert Bryant-GreeneMaria Sokolova