2. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS
BESHARP CASE STUDY
beSharp follows AWS and security best practices.
We want a root account that holds no operational resources,
while still being able to set up policies, roles and resource
access for the other accounts.
๏ SSO with G-Suite as IdP
๏ Root account setup
๏ Multiple linked account setup
SECURITY TOKEN SERVICE
Enables you to request temporary, limited-privilege credentials for AWS
Identity and Access Management (IAM) users or federated users.
AND WHAT IS IAM…?
Enables you to securely control access to AWS services and resources for
your users, offering great security, flexibility and control when using AWS.
You can create and manage:
๏ IAM users and their access
๏ Federated users access
JUST A REMINDER…
๏ IAM USER
An individual, system or application that interacts with AWS
programmatically
๏ IAM ROLE
An entity that has a set of permissions, and that other entities assume to
make calls to access AWS resources and services.
ABOUT CREDENTIALS
When you request access through STS, it returns a set of temporary credentials:
๏ Access Key ID
๏ Secret Access Key
๏ Session Token (the security token, exported as AWS_SESSION_TOKEN)
๏ Expiration time of the set
CREDENTIALS CHAIN
The CLI uses the first source in this order that yields credentials:
1. Command line options – --region, --output and --profile passed as
parameters on the command line.
2. Environment variables – AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.
3. The CLI credentials file – one of the files updated when you run
aws configure. The file is located at ~/.aws/credentials.
4. The CLI configuration file – the other file updated when you run
aws configure. The file is located at ~/.aws/config.
5. Container credentials – you can associate an IAM role with each of your Amazon
Elastic Container Service (Amazon ECS) task definitions. Temporary
credentials for that role are then available to that task's containers.
6. Instance profile credentials – you can associate an IAM role with each of
your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary
credentials for that role are then available to code running on the instance.
The credentials are delivered through the Amazon EC2 instance metadata service.
ASSUMING IAM ROLE IN AWS CLI
You can configure the AWS CLI to use an IAM role by defining a profile for
the role in the ~/.aws/config file. The role profile must also say which
credentials the CLI uses to call AssumeRole, via source_profile (another
profile, here the default one) or credential_source:
[profile myAwesomeProfile]
role_arn = arn:aws:iam::123456789012:role/myAwesomeRole
source_profile = default
FOR PROGRAMMERS
Some SDKs (e.g. .NET) automatically pick up the temporary credentials
generated for a role profile. The problem is that not all SDKs support
this (Java, Ruby, JavaScript…).
WHY?
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Is this a good enough reason?
WHAT DOES IT DO?
A small program that stores locally and securely the data
needed to generate short-lived credentials with STS.
The generated credentials are valid for one hour and are
regenerated once they expire.
It writes them directly into the .aws credentials file in the user's home folder.
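The renewal cycle described above, as an added Python example (not beSharp's program): assume the role with STS, write the one-hour credentials into the CLI credentials file without disturbing other profiles, and regenerate them only when they are about to expire. It assumes an STS client shaped like boto3's assume_role and ships a constructed FakeSTS so it runs offline; the credentials path is caller-supplied instead of ~/.aws/credentials, and the 5-minute renewal margin is an assumption. The role ARN and profile name are taken from the earlier slide.

```python
"""Renew one-hour STS credentials and write them into the CLI credentials file.
Added example for this deck, not beSharp's own tool. Works offline via FakeSTS."""
import configparser
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RENEW_MARGIN = timedelta(minutes=5)  # assumed: refresh 5 minutes before expiry


def assume_role(sts, role_arn, session_name, duration_seconds=3600):
    """Call AssumeRole and flatten the response into credentials-file keys."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
        # stored so the next run can decide whether to renew
        "expiration": c["Expiration"].isoformat(),
    }


def write_profile(credentials_path, profile, creds):
    """Merge one profile into the INI credentials file, keeping other profiles."""
    path = Path(credentials_path)
    ini = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    ini.read(path)  # a missing file is silently skipped
    if not ini.has_section(profile):
        ini.add_section(profile)
    for key, value in creds.items():
        ini.set(profile, key, value)
    path.parent.mkdir(parents=True, exist_ok=True)
    # create/truncate with owner-only permissions before any secret is written
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        ini.write(fh)
    os.chmod(path, 0o600)


def needs_renewal(credentials_path, profile, now):
    """True when the profile is absent, has no expiration, or expires soon."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(credentials_path)
    if not ini.has_option(profile, "expiration"):
        return True
    expires = datetime.fromisoformat(ini.get(profile, "expiration"))
    return expires - now <= RENEW_MARGIN


def refresh(sts, credentials_path, profile, role_arn, session_name, now=None):
    """Renew only if needed. Returns True when new credentials were written."""
    now = now or datetime.now(timezone.utc)
    if not needs_renewal(credentials_path, profile, now):
        return False
    write_profile(credentials_path, profile, assume_role(sts, role_arn, session_name))
    return True


class FakeSTS:
    """Constructed stand-in for boto3's STS client (offline demo only)."""

    def __init__(self, clock):
        self.clock = clock  # the fake's idea of "now"
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        n = self.calls
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLEKEY{n}",  # ASIA prefix marks a temporary key
            "SecretAccessKey": f"example-secret-{n}",
            "SessionToken": f"example-token-{n}",
            "Expiration": self.clock + timedelta(seconds=DurationSeconds),
        }}


def demo():
    """Run a renewal cycle against a constructed temp file; return what happened."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")  # stands in for ~/.aws/credentials
    role = "arn:aws:iam::123456789012:role/myAwesomeRole"  # ARN from the slide
    profile = "myAwesomeProfile"
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # a pre-existing long-lived profile that must survive the rewrite
    write_profile(path, "default",
                  {"aws_access_key_id": "AKIAEXAMPLEKEEP", "aws_secret_access_key": "keep"})
    sts = FakeSTS(t0)
    first = refresh(sts, path, profile, role, "demo", now=t0)    # no creds yet: renew
    second = refresh(sts, path, profile, role, "demo", now=t0)   # 60 min left: keep
    sts.clock = t0 + timedelta(minutes=56)                        # 4 min left: renew
    third = refresh(sts, path, profile, role, "demo", now=sts.clock)
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(path)
    return {"first": first, "second": second, "third": third, "calls": sts.calls,
            "default_key": ini.get("default", "aws_access_key_id"),
            "role_key": ini.get(profile, "aws_access_key_id"),
            "role_token": ini.get(profile, "aws_session_token")}


if __name__ == "__main__":
    print(demo())
```

Keeping the expiration next to the keys is what lets a later run decide without calling STS; the 0o600 mode matters because the file now holds a session token that any local process reading it can use until it expires.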
FULL CLI INTEGRATION
Because it rewrites the credentials file that every AWS tool reads, it is
compatible with anything built on the AWS CLI or SDK credential chain:
๏ CLI
๏ AWS SDKs
๏ CodeCommit
๏ All tools based on the AWS CLI
๏ Terraform, Serverless, SAM, etc.
NEXT
๏ User Access Key and Secret Access Key support
๏ Clean credentials upon exit
๏ Multiple providers
๏ Session duration settings (STS does not allow less than 15 minutes)
๏ Remote DB