SlideShare una empresa de Scribd logo

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

AWS Chicago
AWS Chicago

Turbo talk 1: "AWS secret manager for protecting and rotating credentials" - Mike Allen, CIO at Morningstar // @mikeoninfosec OWASP + AWS user groups: Using the OWASP Top 10 in AWS

Tecnología
1 de 35
Descargar para leer sin conexión
©2018 Morningstar, Inc. All rights reserved. Michael Allen, CIO – 10-24-2018 AWS Secrets Manager
Where lots of bad decisions are made….
When a security person sees a password dialog box
When everyone else sees a password dialog box
Proof! - Top Passwords of 2017
The Problem ▪ OWASP TOP 10 – A3 – Sensitive Data Exposure ▪ Many web applications and APIs do not properly protect sensitive data, including passwords, encryption keys, etc. ▪ Developers check in passwords, encryption keys, AWS secrets, etc. into source code repositories (sometimes public) and bad things happen ▪ Passwords are often poorly generated and not rotated frequently ▪ When a password is compromised, it is difficult to change due to it being used in many, disparate locations ▪ Bad password managements lead to data breaches
Overview of AWS Secrets Manager ▪ Makes it easier to rotate, manage and retrieve database credentials, API keys, and other secrets throughout their lifecycle ▪ Particularly good when using built in AWS services like RDS databases as it enables auto rotation ▪ Is region specific (e.g. Ohio and Virginia are completely distinct) ▪ Common Users of Secrets Manager: ▪IT Admins: store and manage access to secrets securely and at scale ▪Security admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications ▪Developers: avoid having to deal with storing secrets in their applications and prevent the security team from cutting you a finding. ☺
Typical Use Case ▪ Connect to a database from application code ▪ Step 1: DBA loads application specific password into secrets manager ▪ Step 2: DevOps engineer deploys application with an attached IAM role ▪ Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credential and connects to the database ▪ DevOps engineer never has access to password! ▪ Password set to automatically rotate
Secrets Manager High Level Overview
Structure of a Secret
Desired Password Lifecycle ▪ Secure and manage secrets centrally ▪ Can store, view, and manage all your secrets in one secure password vault ▪ Secrets manager encrypts these secrets with encryption keys you own and control ▪ Integrated with CloudTrail and CloudWatch for logging and monitoring to meet compliance needs ▪ Example: can be configured to send notification when an admin deletes a secret as an example
Example Cloud Trail Log
Desired Password Lifecycle ▪ IAM Policies: ▪ Tag-based access control and hierarchical names ▪ Resource-based policies for cross-account access ▪ Can restrict access to passwords using MFA or even corporate IP address range ▪ Example: only allow folks to access production passwords from trusted network
Access Control – Using IAM Policies
Desired Password Lifecycle ▪ Rotate Secrets Safely ▪ One-click password rotation for supported AWS services ▪ Built-in integrations for rotating MySQL, PostgreSQL and Amazon Aurora on RDS ▪ Can create custom integrations using Lambda ▪ Uses versioning so that applications won’t break when secrets are rotated
How Much Does It Cost? ▪ Pay only for what you use (no minimum) ▪ Storage: $0.40/month per secret ▪ Access: $0.05 per 10,000 API calls (reads and writes)
©2018 Morningstar, Inc. All rights reserved. Demo #1 - Interface demo and example password creation / storage
Secret Manager Interface
©2018 Morningstar, Inc. All rights reserved. Demo #2 – Retrieving a password in code
Before dbconfig.py gConfiguration file with passwords stored in plain text gConfig file checked into source code repository gNot secure
After retrieve_demo.py ▪ No passwords stored in plain text ▪ IAM role configured on EC2 instance giving permission to retrieve secret from secret manager ▪ OK to check into source code repository ▪ Configurable based on environment / application Name of Secret & Region
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Retrieving a password via AWS CLI
Example of CLI ▪ Step 1: Install AWS CLI and use “aws configure” to setup authentication and region ▪ Step 2: Use “aws secretsmanager help” to show a list of available commands ▪ Step 3: List all secrets in vault ▪ Use “aws secretsmanager list-secrets” ▪ Step 4: Retrieve value of a specific secret ▪ Use “aws secretsmanager get-secret-value –secret-id “dev/app1/database” ▪ Can also create, delete, rotate secrets using CLI ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Rotating an RDS Database Password
Password Rotation Workflow ▪ Step 1: Secrets manager creates a new password with equivalent permissions ▪ Step 2: The new password is promoted and returned via subsequent secrets manager API calls ▪ Step 3: Secrets manager safely disables the original credential ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
Example of Password Rotation ▪ Rotation interval is configurable (30,60, 90 days) ▪ Creates a Lambda function to handle rotation for RDS
Password Rotation Lambda ▪ Built in Lambda functions for RDS ▪ Can create your own custom Lambda’s for other applications that you wish to rotate (extensible)
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Notifying on delete
Notification Workflow ▪ #1 - Enable cloud trail ▪ #2 – Configure cloud trail log file delivery to cloud watch logs ▪ #3 – Create a CloudWatch alarm for a delete event
How keys are protected? ▪ How are the secrets protected? ▪ Secrets manager integrates with Amazon KMS to protect the secrets ▪ Every secret is protected with a unique data encryption key which is in turn protected via a customer master key. Secrets are protected using envelope encryption ▪ You can use the same or different customer master keys for each secret you protect ▪ You can change the customer master key (CMK) at any time but secrets manager does not re-encrypt existing secrets using the new CMK until the value changes.
Ways to access secrets ▪ Programmatically via supplied SDKs and boto3 ▪ Via API call ▪ Must use TLS and Perfect Forward Secrecy ▪ Must authenticate with a signed request using AWS secret key ▪ Via AWS CLI
What’s missing? ▪ No “break glass” functionality (yet). ▪ No support for “dynamic” secrets (e.g. secrets that are generated on the fly and live for a specific duration of time)
Reference Material ▪ When building this presentation, I leveraged slide material and documentation from both Amazon Web Services and OWASP (thanks to both of these awesome organizations).
Questions?

Recomendados

Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...AWS Chicago
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS User Group Bengaluru
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practicesMichael Pearce
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 

Recomendados

Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...AWS Chicago
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS User Group Bengaluru
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practicesMichael Pearce
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAdam Book
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015Evident.io
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitAmazon Web Services
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsSebastian Taphanel CISSP-ISSEP
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsAkamai Developers & Admins
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...Amazon Web Services
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar Mitchell Pronschinske
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experienceNick Malcolm
 
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayaNirmalaGopal
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key ManagementMongoDB
 

Más contenido relacionado

La actualidad más candente

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAdam Book
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015Evident.io
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitAmazon Web Services
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsSebastian Taphanel CISSP-ISSEP
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsAkamai Developers & Admins
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...Amazon Web Services
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experienceNick Malcolm
 

La actualidad más candente (20)

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets Manager
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security Events
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to Atlas
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi Vault
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experience
 

Similar a Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayaNirmalaGopal
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key ManagementMongoDB
 
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptxVijayaNirmalaGopal
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Amazon Web Services
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...Amazon Web Services
 
MySQL Security on AWS Rds
MySQL Security on AWS RdsMySQL Security on AWS Rds
MySQL Security on AWS RdsMydbops
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...Amazon Web Services
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
Well-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionWell-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionAmazon Web Services
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitAmazon Web Services
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...Amazon Web Services
 

Similar a Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials" (20)

Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key Management
 
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
MySQL Security on AWS Rds
MySQL Security on AWS RdsMySQL Security on AWS Rds
MySQL Security on AWS Rds
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
 
Well-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionWell-Architected for Security: Advanced Session
Well-Architected for Security: Advanced Session
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best Practices
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 

Más de AWS Chicago

AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS Chicago
 
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...AWS Chicago
 
WilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxWilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxAWS Chicago
 
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfSuresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfAWS Chicago
 
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaStreamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaAWS Chicago
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxAWS Chicago
 
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxSaurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxAWS Chicago
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfAWS Chicago
 
Ross Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxRoss Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxAWS Chicago
 
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfrobsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfAWS Chicago
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfAWS Chicago
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxAWS Chicago
 
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxNick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxAWS Chicago
 
Pat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfPat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfAWS Chicago
 
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...AWS Chicago
 
MichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxMichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxAWS Chicago
 
Michal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfMichal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfAWS Chicago
 
Kamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxKamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxAWS Chicago
 
John Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxJohn Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxAWS Chicago
 
JuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxJuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxAWS Chicago
 

Más de AWS Chicago (20)

AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user group
 
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
 
WilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxWilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptx
 
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfSuresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
 
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaStreamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
 
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxSaurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Ross Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxRoss Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptx
 
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfrobsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptx
 
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxNick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
 
Pat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfPat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdf
 
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
 
MichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxMichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptx
 
Michal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfMichal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdf
 
Kamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxKamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptx
 
John Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxJohn Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptx
 
JuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxJuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptx
 

Último

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

  • 1. ©2018 Morningstar, Inc. All rights reserved. Michael Allen, CIO – 10-24-2018 AWS Secrets Manager
  • 2. Where lots of bad decisions are made….
  • 3. When a security person sees a password dialog box
  • 4. When everyone else sees a password dialog box
  • 5. Proof! - Top Passwords of 2017
  • 6. The Problem ▪ OWASP TOP 10 – A3 – Sensitive Data Exposure ▪ Many web applications and APIs do not properly protect sensitive data, including passwords, encryption keys, etc. ▪ Developers check in passwords, encryption keys, AWS secrets, etc. into source code repositories (sometimes public) and bad things happen ▪ Passwords are often poorly generated and not rotated frequently ▪ When a password is compromised, it is difficult to change due to it being used in many, disparate locations ▪ Bad password managements lead to data breaches
  • 7. Overview of AWS Secrets Manager ▪ Makes it easier to rotate, manage and retrieve database credentials, API keys, and other secrets throughout their lifecycle ▪ Particularly good when using built in AWS services like RDS databases as it enables auto rotation ▪ Is region specific (e.g. Ohio and Virginia are completely distinct) ▪ Common Users of Secrets Manager: ▪IT Admins: store and manage access to secrets securely and at scale ▪Security admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications ▪Developers: avoid having to deal with storing secrets in their applications and prevent the security team from cutting you a finding. ☺
  • 8. Typical Use Case ▪ Connect to a database from application code ▪ Step 1: DBA loads application specific password into secrets manager ▪ Step 2: DevOps engineer deploys application with an attached IAM role ▪ Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credential and connects to the database ▪ DevOps engineer never has access to password! ▪ Password set to automatically rotate
  • 9. Secrets Manager High Level Overview
  • 10. Structure of a Secret
  • 11. Desired Password Lifecycle ▪ Secure and manage secrets centrally ▪ Can store, view, and manage all your secrets in one secure password vault ▪ Secrets manager encrypts these secrets with encryption keys you own and control ▪ Integrated with CloudTrail and CloudWatch for logging and monitoring to meet compliance needs ▪ Example: can be configured to send notification when an admin deletes a secret as an example
  • 13. Desired Password Lifecycle ▪ IAM Policies: ▪ Tag-based access control and hierarchical names ▪ Resource-based policies for cross-account access ▪ Can restrict access to passwords using MFA or even corporate IP address range ▪ Example: only allow folks to access production passwords from trusted network
  • 14. Access Control – Using IAM Policies
  • 15. Desired Password Lifecycle ▪ Rotate Secrets Safely ▪ One-click password rotation for supported AWS services ▪ Built-in integrations for rotating MySQL, PostgreSQL and Amazon Aurora on RDS ▪ Can create custom integrations using Lambda ▪ Uses versioning so that applications won’t break when secrets are rotated
  • 16. How Much Does It Cost? ▪ Pay only for what you use (no minimum) ▪ Storage: $0.40/month per secret ▪ Access: $0.05 per 10,000 API calls (reads and writes)
  • 17.
  • 18. ©2018 Morningstar, Inc. All rights reserved. Demo #1 - Interface demo and example password creation / storage
  • 20. ©2018 Morningstar, Inc. All rights reserved. Demo #2 – Retrieving a password in code
  • 21. Before dbconfig.py gConfiguration file with passwords stored in plain text gConfig file checked into source code repository gNot secure
  • 22. After retrieve_demo.py ▪ No passwords stored in plain text ▪ IAM role configured on EC2 instance giving permission to retrieve secret from secret manager ▪ OK to check into source code repository ▪ Configurable based on environment / application Name of Secret & Region
  • 23. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Retrieving a password via AWS CLI
  • 24. Example of CLI ▪ Step 1: Install AWS CLI and use “aws configure” to setup authentication and region ▪ Step 2: Use “aws secretsmanager help” to show a list of available commands ▪ Step 3: List all secrets in vault ▪ Use “aws secretsmanager list-secrets” ▪ Step 4: Retrieve value of a specific secret ▪ Use “aws secretsmanager get-secret-value –secret-id “dev/app1/database” ▪ Can also create, delete, rotate secrets using CLI ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
  • 25. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Rotating an RDS Database Password
  • 26. Password Rotation Workflow ▪ Step 1: Secrets manager creates a new password with equivalent permissions ▪ Step 2: The new password is promoted and returned via subsequent secrets manager API calls ▪ Step 3: Secrets manager safely disables the original credential ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
  • 27. Example of Password Rotation ▪ Rotation interval is configurable (30,60, 90 days) ▪ Creates a Lambda function to handle rotation for RDS
  • 28. Password Rotation Lambda ▪ Built in Lambda functions for RDS ▪ Can create your own custom Lambda’s for other applications that you wish to rotate (extensible)
  • 29. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Notifying on delete
  • 30. Notification Workflow ▪ #1 - Enable cloud trail ▪ #2 – Configure cloud trail log file delivery to cloud watch logs ▪ #3 – Create a CloudWatch alarm for a delete event
  • 31. How keys are protected? ▪ How are the secrets protected? ▪ Secrets manager integrates with Amazon KMS to protect the secrets ▪ Every secret is protected with a unique data encryption key which is in turn protected via a customer master key. Secrets are protected using envelope encryption ▪ You can use the same or different customer master keys for each secret you protect ▪ You can change the customer master key (CMK) at any time but secrets manager does not re-encrypt existing secrets using the new CMK until the value changes.
  • 32. Ways to access secrets ▪ Programmatically via supplied SDKs and boto3 ▪ Via API call ▪ Must use TLS and Perfect Forward Secrecy ▪ Must authenticate with a signed request using AWS secret key ▪ Via AWS CLI
  • 33. What’s missing? ▪ No “break glass” functionality (yet). ▪ No support for “dynamic” secrets (e.g. secrets that are generated on the fly and live for a specific duration of time)
  • 34. Reference Material ▪ When building this presentation, I leveraged slide material and documentation from both Amazon Web Services and OWASP (thanks to both of these awesome organizations).