
AWS Secrets for Best Practices


AWS Secrets Manager - Best Practices conducted at AWS Community Day, Bangalore 2019

Published in: Technology

  1. Best Practices & Use cases - AWS Secrets Manager. Vijaya Nirmala Gopal. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Vijaya Nirmala Gopal (Nirmala), DevOps Solutions Lead - Cloud, Sonata Software Limited, https://cloudgoddess.blogspot.com/, Ansible Galaxy Contributor
  3. Agenda
     ❏ AWS Secrets Manager overview
     ❏ Top security threats with credentials
     ❏ Overlooked risks
     ❏ Compliances for AWS & cloud
     ❏ Use case for the day
     ❏ Logging/monitoring - CloudWatch
     ❏ Auditing - CloudTrail
     ❏ Notifications - SNS
     ❏ Recover & restore
     ❏ With Infrastructure as Code
     ❏ For configuration management solution
     ❏ Quick compare
     ❏ Need of the moment
  4. AWS Secrets Manager - Overview
     ❏ Key features: hold secrets and automate secret rotation; automatic password generator [aws cli]
     ❏ Pay as you go; no upfront or setup cost
     ❏ Fine-grained IAM access control
     ❏ Compliance
     ❏ Audit/monitor
  5. Top security threats. Risk assessments show the reasons below:
     ● Open network ports
     ● Broad permissions for application(s)
     ● Wider privileges for IAM users
     ● Unprotected keys and credentials
  6. Overlooked Risks ??? (shared by Teri Radichel, CEO, 2nd Sight Lab, AWS Community Hero)
  7. PCI DSS & CIS with AWS Secrets Manager
     ❏ Enforcement on securing credentials
     ❏ Defined rules for IAM or any other credentials
     ❏ Recommends/demands key rotation
     ❏ Enable sufficient logging
     ❏ Have audit controls in place
  8. Use case - AWS Secrets Manager
  9. SSM - AWS CLI: creation & retrieval of secrets
  10. Infrastructure provisioning - Use cases: how efficient are secrets with CloudFormation
     ● Use the resolve tag to fetch or refer to secrets from Secrets Manager:
       {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
       "MasterPassword": "{{resolve:secretsmanager:RDS-master-password:SecretString:password}}"
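The resolve syntax above has two details that commonly trip people up: the secret-id may itself be an ARN (which contains colons), and empty trailing fields mean "use the default" (SecretString, the AWSCURRENT stage). The following is an added example, not CloudFormation's own resolver and not code from the deck: an offline Python parser and resolver for the documented field order, reading from a constructed in-memory store (SAMPLE_STORE, the RDS-master-password secret, its ARN and its two versions are all made up).

```python
"""Parse and resolve CloudFormation ``{{resolve:secretsmanager:...}}`` dynamic
references offline.  Added example (not CloudFormation's own resolver): field
order follows the documented form
secret-id:secret-string:json-key:version-stage:version-id, and SAMPLE_STORE
is a constructed stand-in for Secrets Manager."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches one dynamic reference anywhere in a template body.
REF_RE = re.compile(r"\{\{\s*resolve:secretsmanager:(?P<body>[^{}]+?)\s*\}\}")

SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:RDS-master-password-AbCdEf"
SAMPLE_STORE: Dict[str, Dict[str, dict]] = {  # constructed: secret-id -> version-id -> version
    "RDS-master-password": {
        "v1": {"stages": ["AWSPREVIOUS"], "SecretString": '{"username": "admin", "password": "old-pw"}'},
        "v2": {"stages": ["AWSCURRENT"], "SecretString": '{"username": "admin", "password": "new-pw"}'},
    },
}
SAMPLE_STORE[SAMPLE_ARN] = SAMPLE_STORE["RDS-master-password"]  # same secret, addressed by ARN


@dataclass
class SecretRef:
    secret_id: str
    json_key: Optional[str] = None
    version_stage: Optional[str] = None
    version_id: Optional[str] = None


def parse_reference(text: str) -> SecretRef:
    """Split a reference into its fields; an empty field means 'default'."""
    m = REF_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a secretsmanager dynamic reference: {text!r}")
    parts = m.group("body").split(":")
    # An ARN secret-id carries six colons of its own
    # (arn:partition:secretsmanager:region:account:secret:name), so take seven
    # fields for it; a plain secret name is a single field.
    if parts[0] == "arn":
        if len(parts) < 7:
            raise ValueError("truncated secret ARN in reference")
        secret_id, rest = ":".join(parts[:7]), parts[7:]
    else:
        secret_id, rest = parts[0], parts[1:]
    if len(rest) > 4:
        raise ValueError("too many fields after secret-id")
    rest += [""] * (4 - len(rest))
    secret_string, json_key, version_stage, version_id = (f or None for f in rest)
    if secret_string not in (None, "SecretString"):
        raise ValueError("secret-string must be 'SecretString' (the only supported value)")
    return SecretRef(secret_id, json_key, version_stage, version_id)


def resolve_reference(text: str, store=SAMPLE_STORE) -> str:
    """Pick the version by version-id, else by stage (default AWSCURRENT),
    then extract json-key from the JSON SecretString if one was requested."""
    ref = parse_reference(text)
    versions = store.get(ref.secret_id)
    if versions is None:
        raise KeyError(f"secret not found: {ref.secret_id}")
    if ref.version_id is not None:
        version = versions.get(ref.version_id)
    else:
        stage = ref.version_stage or "AWSCURRENT"
        version = next((v for v in versions.values() if stage in v["stages"]), None)
    if version is None:
        raise KeyError(f"no matching version for {text!r}")
    value = version["SecretString"]
    if ref.json_key is None:
        return value
    try:
        data = json.loads(value)
    except json.JSONDecodeError:
        raise ValueError("json-key requested but SecretString is not a JSON object") from None
    if not isinstance(data, dict) or ref.json_key not in data:
        raise KeyError(f"json-key {ref.json_key!r} not present in secret")
    return str(data[ref.json_key])


def resolve_template(template: str, store=SAMPLE_STORE) -> str:
    """Substitute every reference in a JSON template body, JSON-escaping the
    value so quotes or backslashes inside a password cannot break the template."""
    return REF_RE.sub(lambda m: json.dumps(resolve_reference(m.group(0), store))[1:-1], template)


if __name__ == "__main__":
    template = '{"MasterPassword": "{{resolve:secretsmanager:RDS-master-password:SecretString:password}}"}'
    print(parse_reference("{{resolve:secretsmanager:" + SAMPLE_ARN + ":SecretString:password:AWSPREVIOUS}}"))
    print(json.loads(resolve_template(template)).keys())
```

Running it shows the ARN form being split correctly and the template resolving to valid JSON. The JSON-escaping in resolve_template is the part worth keeping in mind when you build similar tooling: a generated password can legitimately contain a quote or backslash.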
  11. Infrastructure provisioning - Use cases: how efficient are secrets with Terraform
     ● Use the Terraform resources 'aws_secretsmanager_secret' and 'aws_secretsmanager_secret_version' to create secrets
     ● Use an output to view the secrets
     ● AWS CLI for fetching the secrets in user_data
  12. Configuration management - Use cases: how secrets fit with Ansible
     ❏ Ansible aws_secret - lookup plugin for Secrets Manager
     ❏ Use & register with CLI
     ❏ Know how to fetch and store
  13. Configuration management - Use cases: fetch using AWS CLI
  14. Configuration management - Use cases: fetch using the API (e.g. Python)
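For slides 12 to 14 (fetching a secret from Ansible, the CLI or the Python API), here is an added Python example, not the deck's code and not AWS's: the real call is boto3's client.get_secret_value(SecretId=...), whose response carries either SecretString (text, often a JSON object for RDS-style credentials) or SecretBinary (bytes). The client is injected so the parsing and error handling run offline against the constructed FakeClient and SAMPLE_SECRETS below, which mimic the real response shape and the ResourceNotFoundException; with no client given, the function falls back to a real boto3 client.

```python
"""Fetch a secret through the Secrets Manager API.  Added example, not the
deck's code: the real call is boto3's ``client.get_secret_value(SecretId=...)``,
which returns ``SecretString`` (text, often JSON) or ``SecretBinary`` (bytes).
The client is injected so parsing and error handling run offline against the
constructed FakeClient below."""
import json
from typing import Any, Optional


class SecretNotFound(Exception):
    """Raised when Secrets Manager reports ResourceNotFoundException."""


def get_secret(secret_id: str, client: Optional[Any] = None,
               version_stage: str = "AWSCURRENT") -> Any:
    """Return a dict for JSON secrets, str for plain text, bytes for binary."""
    if client is None:
        import boto3  # only needed against the real service; not used offline
        client = boto3.client("secretsmanager")
    try:
        resp = client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)
    except client.exceptions.ResourceNotFoundException as exc:
        raise SecretNotFound(secret_id) from exc
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            return json.loads(raw)  # key/value secrets such as RDS credentials
        except json.JSONDecodeError:
            return raw              # plain-text secret
    return resp["SecretBinary"]     # boto3 hands binary secrets back as bytes


def redact(value: Any) -> Any:
    """What may go into a log line: keys and sizes, never the secret itself."""
    if isinstance(value, dict):
        return {k: "***" for k in value}
    if isinstance(value, bytes):
        return f"<binary, {len(value)} bytes>"
    return "***"


class FakeClient:
    """Constructed stand-in mimicking the boto3 secretsmanager client's
    get_secret_value response shape and its ResourceNotFoundException."""

    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, secrets: dict):
        self._secrets = secrets  # name -> stage -> payload

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT", **_):
        stages = self._secrets.get(SecretId, {})
        if VersionStage not in stages:
            raise self.exceptions.ResourceNotFoundException(
                "Secrets Manager can't find the specified secret.")
        payload = stages[VersionStage]
        return {
            "ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{SecretId}-AbCdEf",
            "Name": SecretId,
            "VersionId": payload["VersionId"],
            "VersionStages": [VersionStage],
            **{k: v for k, v in payload.items() if k in ("SecretString", "SecretBinary")},
        }


SAMPLE_SECRETS = {  # constructed data, one AWSCURRENT version each
    "prod/rds/master": {"AWSCURRENT": {
        "VersionId": "v2",
        "SecretString": '{"username": "admin", "password": "new-pw", "host": "db.example.internal", "port": 5432}'}},
    "prod/api-token": {"AWSCURRENT": {"VersionId": "v1", "SecretString": "tok-0123456789"}},
    "prod/tls/key": {"AWSCURRENT": {"VersionId": "v1", "SecretBinary": b"\x30\x82\x01\x00"}},
}


if __name__ == "__main__":
    client = FakeClient(SAMPLE_SECRETS)
    creds = get_secret("prod/rds/master", client)
    print("fetched rds credentials:", redact(creds))
    try:
        get_secret("prod/missing", client)
    except SecretNotFound as e:
        print("missing:", e)
```

Two design points carry over to real deployments: inject the client so the code is unit-testable without credentials, and route anything that reaches a log through redact(), because CloudWatch log groups are far easier to read than the secret itself.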
  15. Auditing secrets usage - CloudTrail. Risk assessments show the reasons below behind credential misuse:
     ❏ Open network ports
     ❏ Broad permissions for application(s)
     ❏ Wider privileges for IAM users
     ❏ Unprotected keys and credentials
  16. CloudTrail - Delete
     ❏ What happens on delete
     ❏ Be aware of mischievous actions
     ❏ Take back the decision within 7 days
     ❏ Think through the decision
     ❏ Check integrity by running regressions
  17. Monitoring/logging secrets - CloudWatch
     ❏ Calls made
     ❏ Access error messages
     ❏ Sources reaching in to access secrets, with timelines
     ❏ Analyse and act on unused or unrotated secrets
  18. SNS - AWS Secrets Manager: get alerted on actions or customize triggers for alerts
     ❏ On delete
     ❏ On permission denied, to track suspicious access
     ❏ API calls
     ❏ Other examples
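Slides 15 to 18 describe the detection side: CloudTrail records every Secrets Manager API call, so deletes, denied reads and the sources reaching each secret can be pulled out of the trail and turned into alerts. The following is an added Python example, not the deck's code: SAMPLE_TRAIL is constructed in the shape CloudTrail uses for Secrets Manager events (eventSource secretsmanager.amazonaws.com, eventName equal to the API name, requestParameters.secretId, errorCode on failures); the user names, IPs and secret names are made up, and DENIED_THRESHOLD is our own choice of when repeated denials become a second alert.

```python
"""Triage CloudTrail records for Secrets Manager activity: alert on deletes,
on denied reads (and on repeated denials from one principal), and summarise
which sources read which secret and when, so unused secrets stand out.
Added example, not the deck's code.  SAMPLE_TRAIL is constructed in the
shape CloudTrail uses for Secrets Manager events."""
from collections import defaultdict
from typing import Dict, Iterable, List

SECRETS_SOURCE = "secretsmanager.amazonaws.com"
DENIED_THRESHOLD = 3  # this many AccessDenied from one principal raises a second alert


def _rec(name, user, ip, secret, time, **extra):
    """Build one constructed CloudTrail record for a Secrets Manager API call."""
    r = {"eventVersion": "1.05", "eventTime": time, "eventSource": SECRETS_SOURCE,
         "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user,
                          "arn": f"arn:aws:iam::123456789012:user/{user}"},
         "requestParameters": {"secretId": secret}, "responseElements": None}
    r.update(extra)
    return r


DENIED = {"errorCode": "AccessDenied",
          "errorMessage": "User is not authorized to perform: secretsmanager:GetSecretValue"}
SAMPLE_TRAIL = [
    _rec("GetSecretValue", "app-deploy", "10.0.1.15", "prod/rds/master", "2019-09-14T08:00:12Z"),
    _rec("GetSecretValue", "app-deploy", "10.0.1.15", "prod/rds/master", "2019-09-14T09:00:05Z"),
    _rec("GetSecretValue", "contractor", "203.0.113.7", "prod/rds/master", "2019-09-14T09:10:41Z", **DENIED),
    _rec("GetSecretValue", "contractor", "203.0.113.7", "prod/api-token", "2019-09-14T09:11:02Z", **DENIED),
    _rec("GetSecretValue", "contractor", "203.0.113.7", "prod/tls/key", "2019-09-14T09:11:30Z", **DENIED),
    _rec("DeleteSecret", "admin", "198.51.100.2", "prod/api-token", "2019-09-14T10:30:00Z",
         requestParameters={"secretId": "prod/api-token", "recoveryWindowInDays": 7}),
    {"eventVersion": "1.05", "eventTime": "2019-09-14T10:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},  # unrelated service, ignored
]


def secretsmanager_events(records: Iterable[dict]) -> List[dict]:
    return [r for r in records if r.get("eventSource") == SECRETS_SOURCE]


def principal(r: dict) -> str:
    ident = r.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "unknown"


def triage(records: Iterable[dict]) -> List[dict]:
    """Alerts in trail order: 'delete' for every DeleteSecret, 'denied' for
    every AccessDenied, plus one 'repeated-denied' when a principal hits the
    threshold (the SNS triggers from slide 18 map onto these kinds)."""
    alerts, denied = [], defaultdict(int)
    for r in secretsmanager_events(records):
        secret = (r.get("requestParameters") or {}).get("secretId")
        base = {"time": r["eventTime"], "principal": principal(r),
                "source_ip": r.get("sourceIPAddress"), "secret": secret}
        if r["eventName"] == "DeleteSecret":
            # Default recovery window when the caller does not set one is 30 days.
            window = r["requestParameters"].get("recoveryWindowInDays", 30)
            alerts.append({**base, "kind": "delete", "recovery_days": window})
        elif r.get("errorCode") == "AccessDenied":
            who = principal(r)
            denied[who] += 1
            alerts.append({**base, "kind": "denied"})
            if denied[who] == DENIED_THRESHOLD:
                alerts.append({**base, "kind": "repeated-denied", "count": DENIED_THRESHOLD})
    return alerts


def usage_summary(records: Iterable[dict]) -> Dict[str, dict]:
    """Per secret: who read it successfully, from where, first and last time."""
    summary: Dict[str, dict] = {}
    for r in secretsmanager_events(records):
        if r["eventName"] != "GetSecretValue" or r.get("errorCode"):
            continue
        s = summary.setdefault(r["requestParameters"]["secretId"], {
            "principals": set(), "source_ips": set(),
            "first": r["eventTime"], "last": r["eventTime"]})
        s["principals"].add(principal(r))
        s["source_ips"].add(r["sourceIPAddress"])
        s["first"] = min(s["first"], r["eventTime"])  # ISO-8601 Z strings sort correctly
        s["last"] = max(s["last"], r["eventTime"])
    return summary


def unused_secrets(known: Iterable[str], records: Iterable[dict]) -> List[str]:
    """Secrets with no successful read in the window: review before they rot."""
    return sorted(set(known) - set(usage_summary(records)))


if __name__ == "__main__":
    for alert in triage(SAMPLE_TRAIL):
        print(alert)
    print("unused:", unused_secrets(["prod/rds/master", "prod/api-token", "prod/tls/key"], SAMPLE_TRAIL))
```

In production the same functions run over the JSON delivered to the CloudTrail S3 bucket or a CloudWatch Logs subscription, and each alert dict is what you would publish to the SNS topic; the usage summary is the input for the "unused or unrotated" review on slide 17.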
  19. Comparison with other options
     Other options:
     ❏ AWS SSM Parameter Store: rotate with a custom Lambda; Lambda creation and maintenance; no cross-account access
     ❏ S3: encrypted texts, at rest & in transit
     ❏ Ansible Vault: on a VM or instance; custom-made mechanism to rotate
     AWS Secrets Manager:
     ❏ All secrets are encrypted
     ❏ Built-in Lambda to rotate secrets
     ❏ Billed per secret stored and per API call
     ❏ Integrated password rotation
     ❏ Random password generation
  20. Step ahead - git-secrets: access keys/credentials in Git repos
     ❏ Scrutinize the most valuable targets
     ❏ Prevent keys/credentials anywhere in/into repos
     ❏ Add as a Jenkins job to check out repos dynamically, scan and report
  21. Thank you!
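Slide 20 recommends git-secrets, which scans commits and whole repositories for AWS credential patterns. To show what such a scan does and why the report must mask what it finds, here is an added Python example that is neither git-secrets' source nor the deck's code: the regexes are our own, modelled on the kind of patterns git-secrets registers with --register-aws (access key id prefixes such as AKIA/ASIA, a 40-character secret key next to an aws_secret_access_key name, a 12-digit account id), the allow list holds AWS's documented example credentials, and SAMPLE_FILES is constructed (the leaked key in deploy/vars.yml is made up).

```python
"""Scan text for AWS credentials before it lands in a repo or a CI log.
Added example modelled on what git-secrets' --register-aws patterns check;
the regexes here are our own, not git-secrets' source.  SAMPLE_FILES are
constructed, and the allow list holds AWS's documented example credentials."""
import re
from typing import Dict, List

PATTERNS = {
    # Access key ids: known prefixes followed by 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(
        r"\b(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b"),
    # Secret keys are 40 chars of base64-ish text; only flag them next to their name.
    "aws-secret-access-key": re.compile(
        r"(?i)aws_?secret_?access_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"),
    "aws-account-id": re.compile(r"(?i)aws_?account_?id\s*[:=]\s*['\"]?(\d{12})['\"]?"),
}
# AWS's documented example credentials; allowed so docs and tests do not trip the scan.
ALLOWED = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


def mask(secret: str) -> str:
    """Keep the first 4 characters so the report never republishes the credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[dict]:
    """Findings for one file: path, line number, rule name and masked match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hit = m.group(1) if m.groups() else m.group(0)
                if any(allowed in hit for allowed in ALLOWED):
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule, "match": mask(hit)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> contents (what a checkout or a diff expands to)."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


SAMPLE_FILES = {  # constructed repository contents
    "README.md": ("Configure with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "deploy/vars.yml": ("region: us-east-1\n"
                        "aws_access_key: AKIAABCDEFGHIJKLMNOP\n"
                        "aws_secret_access_key: abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"),
    "app/config.py": "DB_HOST = 'db.internal'\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['match']}")
```

Wired into a Jenkins job as the slide suggests, a non-empty result fails the build; the masked match gives the owner enough to locate the leak while keeping the CI console from becoming a second copy of the credential. The real git-secrets also installs as a pre-commit hook, which stops the key before it is ever in history rather than after.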
