Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWS Secrets for Best Practices

228 views

Published on


CFP - AWS Community Day 2019
CFP - AWS Community Day 2019
100%
10

One of the best practices in Cloud solutions is reliability and consistency is using credentials and this session explains on how to Implement this practice using AWS Secrets Manager
Screen reader support enabled.




One of the best practices in Cloud solutions is reliability and consistency is using credentials and this session explains on how to Implement this practice using AWS Secrets Manager

This talk was presented at AWS Community Day Bengaluru 2019 by Vijayanirmala, Devops Solution lead, Sonata software limited

Published in: Technology
  • Be the first to comment

  • Be the first to like this

AWS Secrets for Best Practices

  1. 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Best Practices & Use cases - AWS Secrets Manager Vijaya Nirmala Gopal
  2. 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Vijaya Nirmala Gopal (Nirmala) DevOps Solutions Lead - Cloud, Sonata Software Limited https://cloudgoddess.blogspot.com/ Ansible Galaxy Contributor
  3. 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ❏ AWS Secrets Manager Overview ❏ Top security threats with Credentials ❏ Overlooked Risks ❏ Compliances for AWS & Cloud ❏ Use case for the day ❏ Logging/Monitoring - Cloudwatch ❏ Auditing - CloudTrail ❏ Notifications - SNS ❏ Recover & Restore ❏ With Infrastructure as Code ❏ For Configuration Management Solution ❏ Quick compare ❏ Need of the moment Agenda
  4. 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager - Overview ❏ Key Features - hold & automate secret rotation Automatic password generator [aws cli] ❏ Pay as you go; No upfront or setup cost ❏ Fine grained IAM access control ❏ Compliance ❏ Audit/Monitor
  5. 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top security threats Risk Assessments shows below reasons ● Open network ports ● Broad permissions for Application(s) ● Wider privileges for IAM user ● Unprotected keys and credentials
  6. 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Overlooked Risks ??? Shared by Teri Radichel, CEO, 2nd Sight Lab, AWS Community Hero
  7. 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PCI DSS & CIS with AWS Secrets Manager ❏ Enforcement on securing credentials ❏ Defined rules for IAM or any other credentials ❏ Recommends/demands keys rotation ❏ Enable sufficient logging ❏ Have audit controls in place
  8. 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case - AWS Secrets Manager
  9. 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SSM - AWS CLI Creation & Retrieval of secrets
  10. 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure provisioning - Use cases How efficient is secrets with Cloudformation ● Use resolve tag to fetch or refer the secrets from Secrets Manager {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}} “MasterPassword”: ‘{{ resolve:secretsmanager:RDS-master-password:SecretString:password}}’
  11. 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure provisioning - Use cases How efficient is secrets with Terraform ● Use terraform module ‘aws_secretsmanager_secret’ and ‘aws_secretsmanager_secret_version’ create secrets ● Use output to view the secrets ● AWS CLI for fetching the secrets in user_data
  12. 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases How secrets fit with Ansible ❏ Ansible aws_secret - Lookup plugin for secrets manager ❏ Use & register with CLI ❏ Know how to fetch and store
  13. 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases Fetch using AWS CLI
  14. 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases Fetch using API(ex. Python)
  15. 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Auditing Secrets Usage - CloudTrail ❏ Risk Assessments shows below reasons against credentials misuse ❏ Open network ports ❏ Broad permissions for Application(s) ❏ Wider privileges for IAM user ❏ Unprotected keys and credentials
  16. 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CloudTrail - Delete ❏ what happens on Delete ❏ Be known to mischievous actions ❏ Take back the decision in 7 days ❏ Think through the decision ❏ Check integrity by running regressions
  17. 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Monitoring/Logging Secrets - CloudWatch ❏ Calls made ❏ Access error messages ❏ Sources reaching onto access secrets with timelines ❏ Analyse and action of unused or unrotated secrets
  18. 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SNS - AWS Secrets Manager Get alerted on actions or customize triggers for alert ❏ On Delete ❏ On permission denied to track suspicious access ❏ API Calls ❏ Other examples
  19. 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Comparison with other options AWS SSM Parameter store ❏ Rotate with custom Lambda ❏ Lambda creation and maintenance ❏ No Cross account access ❏ S3 - In Rest & Transit Encrypted texts ❏ Ansible Vault ❏ VM or Instance ❏ Custom made mechanism to rotate AWS Secrets Manager ❏ All secrets are encrypted ❏ Built in Lambda to rotate secrets ❏ Billed per secret stored and API calls ❏ Integration password rotation ❏ Random password generation
  20. 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step Ahead - git-secrets Access Keys/Credentials in Git Repos ❏ scrutinize the most valuable targets ❏ prevents keys/credentials anywhere in/into repos ❏ Add as Jenkins job to checkout repos dynamically and scan and report
  21. 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!

×