© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager
Overview
AWS Secrets Manager enables customers to rotate, manage, and retrieve
database credentials, API keys, and other secrets throughout their lifecycle.
• IT Admins: store and manage access to secrets securely and at scale
• Security Admins: audit and monitor the use of secrets, and rotate secrets
without a risk of breaking applications
• Developers: avoid dealing with secrets in their applications
What do customers want to do?
• Use secrets within their applications to connect to databases, APIs, and other resources
• Rotate those secrets regularly
• Specify and control where, how, and by whom secrets are used
What challenges are they facing?
• Existing solutions are complex to operate or too expensive
• Unreliable rotation processes result in outages
• Too many humans with unnecessary access to secrets
AWS Secrets Manager
Lifecycle management for secrets such as database credentials and API keys.
• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go
Key Features
Rotate secrets safely
• Built-in integrations for rotating MySQL, PostgreSQL, and Amazon Aurora on RDS
• Extensible with Lambda
• Use versioning so that applications don’t break when secrets are rotated
Fine-grained access control
• IAM policies
• Tag-based access control and hierarchical names for scalability
• Resource-based policies for cross-account access
Key Features
Secure, audit, and monitor
• Encrypted at rest by default with a KMS key in your account: the AWS managed key aws/secretsmanager, or a customer managed key you choose
• Integrated with CloudTrail and CloudWatch Events, e.g., send an SNS notification when an administrator deletes a secret
Pay as you go
• No annual license or up-front cost
• $0.40 per secret per month (pro-rated based on the number of hours)
• $0.05 per 10,000 API calls
Comparing AWS Systems Manager Parameter Store
AWS Systems Manager Parameter Store
• A service to store and retrieve configuration data, including secrets.
• Build and schedule your own rotation using Lambda and other AWS services.
• Free service most appropriate for customers without specific rotation requirements.
AWS Secrets Manager
• A service to manage the lifecycle for secrets in your organization.
• Routinely, confidently, and automatically rotate secrets to help meet security and compliance requirements.
• Underlying technology developed for managing secrets internally at Amazon.
• Paid service for customers who derive value from reliable and safe rotation.
Demonstration 1
Store and retrieve Secret
Demonstration Recap
• Load secret
  • Initial secret loaded into Secrets Manager for management.
  • Verify permissions and rotation configuration.
• Retrieve secret
  • Application code retrieves authorized secrets from Secrets Manager.
  • Credentials and permissions provided by the IAM role attached to the EC2 instance.
• Rotate secret
  • On-demand rotation of the secret initiated.
  • Secrets Manager rotates the credential in the backend resource.
  • New version of the secret returned via Secrets Manager API calls.
Typical Use Cases
Typical use cases – Use secret within application
Connect to database from application code
• DBA loads application-specific database credentials into AWS Secrets Manager.
• DevOps engineer deploys the application with an attached AWS IAM role.
• Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves the credentials, and connects to the database.
Retrieve Secret (diagram: your code on an EC2 instance, AWS Secrets Manager, and other resources)
• AWS credentials are delivered to your code on the EC2 instance via IAM roles.
• Your code calls Secrets Manager with those credentials and receives the DB credentials loaded there.
• Your code uses the DB credentials to reach the other resources; Secrets Manager rotates them safely.
Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials
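The bootstrap retrieval described above, written out as an added example (not code from the deck): the application fetches the AWSCURRENT version once, caches it in memory, and refreshes it when the backend rejects a credential that was rotated while cached. It assumes any object with a boto3-style get_secret_value(); FakeSecretsManager and the secret name prod/app/db are constructed stand-ins so the module runs offline.

```python
"""Retrieve a database credential from AWS Secrets Manager at application bootstrap and
cache it in memory, refreshing when the backend rejects it after a rotation. Added
example, not code from the deck. It takes any object with a boto3-style
get_secret_value(); FakeSecretsManager below is a constructed stand-in so this runs
offline, and "prod/app/db" is a hypothetical secret name."""
import json
import time

def parse_secret_value(resp):
    """Return the secret as a dict. GetSecretValue returns SecretString (text, a JSON
    object for DB credentials) or SecretBinary (boto3 hands it over as bytes)."""
    raw = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"].decode("utf-8")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}  # plain-string secrets (e.g. an API key) get a uniform shape

class SecretCache:
    """Fetch once per TTL instead of per request: API calls are billed and throttled, and a
    periodic re-fetch of AWSCURRENT picks up rotated credentials without a redeploy."""
    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries = {}  # secret_id -> (expires_at, version_id, parsed value)

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit and hit[0] > now:
            return hit[2]
        resp = self._client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        value = parse_secret_value(resp)
        self._entries[secret_id] = (now + self._ttl, resp.get("VersionId"), value)
        return value

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)

def connect_with_refresh(cache, secret_id, connect):
    """Connect with the cached credential; if the backend rejects it because rotation
    promoted a new version since the cache filled, fetch AWSCURRENT again and retry once."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:  # map your DB driver's auth error to this in real code
        cache.invalidate(secret_id)
        return connect(cache.get(secret_id))

class FakeSecretsManager:
    """Constructed stand-in for boto3.client("secretsmanager")."""
    def __init__(self, secret_string, version_id="v1"):
        self.secret_string, self.version_id, self.calls = secret_string, version_id, 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", **kwargs):
        self.calls += 1
        return {"ARN": f"arn:aws:secretsmanager:us-east-2:123456789012:secret:{SecretId}-AbCdEf",
                "Name": SecretId, "VersionId": self.version_id,
                "SecretString": self.secret_string, "VersionStages": [VersionStage]}

if __name__ == "__main__":
    import boto3  # on EC2, Lambda or ECS the role's credentials are picked up automatically
    creds = SecretCache(boto3.client("secretsmanager")).get("prod/app/db")
    print("connecting as", creds["username"], "to", creds["host"])
```

The retry-once path is what makes rotation safe for long-lived processes: the old credential is disabled at the end of a rotation, so a process holding a stale cached value sees one authentication failure, refetches AWSCURRENT, and continues.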
Rotate Secret (Custom) (diagram: AWS Secrets Manager, a custom Lambda rotator you write, your code, and a custom backend resource such as a 3rd-party API key)
1) Rotation event: Secrets Manager invokes the custom Lambda rotator.
2) Multi-step rotation (create, set, test, finish) runs in the Lambda rotator.
3) Operations per the rotation strategy supported by the backend are performed against the custom backend resource.
4) New credential promoted to active.
5) Secret retrieval by your code returns the new version.
6) Connection using the new credential.
Demonstration 2
Manage and retrieve database credential
Typical use cases – rotate secret
Rotate database credentials used by application code without interruption
• Secrets Manager creates a new credential with equivalent permissions.
• The new credential is promoted and returned via subsequent Secrets Manager API calls.
• Secrets Manager safely disables the original credential.
Rotate Secret (Integrated) (diagram: AWS Secrets Manager, your code, and an integrated backend resource)
1) Rotation event.
2) New credential creation initiated in the backend resource.
3) New credential creation completed.
4) New credential promoted to active.
5) Secret retrieval gets the new version.
6) Connection using the new credential.
Typical use cases – control access, monitor, and audit secret
Use the AWS eco-system to control access, monitor, and audit secrets
• IAM policies for access control
• Tag-based access control
• Resource-based policies for access control
Background: IAM Roles (diagram: your code running in the operating system on an EC2 instance, calling AWS resources)
• AWS credentials auto delivered to the instance and rotated.
• AWS credentials auto discovered and used by your code.
• Access controlled by the policy attached to the role.
Also works with AWS Lambda & Amazon ECS
Access control – using IAM policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:us-east-2:476697075236:secret:My_Test_Secret/*"
    }
  ]
}
Note that a secret's ARN ends in its name followed by a hyphen and a random six-character suffix, so a Resource entry must use a wildcard to match by name: My_Test_Secret/* matches every secret under the My_Test_Secret/ hierarchy, while a single secret named My_Test_Secret would be matched by My_Test_Secret-??????.
Access control – using Tags
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:Describe*", "secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "secretsmanager:ResourceTag/<TAG_KEY>": "<TAG_VALUE>"
        }
      }
    }
  ]
}
Access control – using resource-based policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::ACCOUNT_NUMBER:role/demo_role"},
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}
    }
  ]
}
$ aws secretsmanager put-resource-policy --secret-id MY_TEST_SECRET --resource-policy file://RESOURCE_POLICY.json
For cross-account access the role in the other account also needs an identity policy that allows secretsmanager:GetSecretValue on the secret, and the secret must be encrypted with a customer-managed CMK whose key policy grants that account kms:Decrypt; the AWS managed default key cannot be shared across accounts.
Encryption
All secrets protected at rest and in transit
At rest
• Secrets encrypted at rest using AWS Key Management Service (KMS).
• Choose your desired Customer Master Key (CMK) or the AWS managed default encryption key.
• A caller that retrieves a secret encrypted with a customer-managed CMK needs kms:Decrypt on that key as well as secretsmanager:GetSecretValue on the secret.
In transit
• Secrets encrypted in transit using Transport Layer Security (TLS).
• All API calls authenticated by SigV4 verification.
Audit access – using AWS CloudTrail
Monitor access – using Amazon CloudWatch
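The two monitoring points the deck makes (notify when an administrator deletes a secret; too many humans with access to secrets) as detection logic over CloudTrail records, added here as an example that is not code from the deck. The CloudWatch Events rule pattern is the one that matches the CloudTrail DeleteSecret call; SAMPLE_RECORDS are constructed events in CloudTrail's JSON shape, trimmed to the fields the filter reads, and the account number, role and user names in them are made up.

```python
"""Filter CloudTrail records for Secrets Manager activity worth alerting on. Added example,
not from the deck; it turns two points the deck makes (notify when an administrator deletes
a secret; too many humans with access to secrets) into detection logic. SAMPLE_RECORDS are
constructed events in CloudTrail's JSON shape, trimmed to the fields the filter reads."""

# CloudWatch Events / EventBridge rule pattern for the deck's SNS example: it matches the
# CloudTrail DeleteSecret call; attach an SNS topic as the rule target.
DELETE_SECRET_EVENT_PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["DeleteSecret"]},
}

HIGH_RISK = {"DeleteSecret", "PutResourcePolicy", "DeleteResourcePolicy", "CancelRotateSecret"}
VALUE_READ = {"GetSecretValue", "BatchGetSecretValue"}  # plaintext leaves the service
HUMAN_TYPES = {"IAMUser", "Root"}  # long-lived principals; workloads arrive as AssumedRole

def findings(records):
    """Return (severity, event, principal, secret) tuples for records that need attention."""
    out = []
    for r in records:
        if r.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name, ident = r["eventName"], r.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        secret = (r.get("requestParameters") or {}).get("secretId", "unknown")
        if name in HIGH_RISK:
            out.append(("HIGH", name, who, secret))  # destructive or policy change
        elif name in VALUE_READ and ident.get("type") in HUMAN_TYPES:
            out.append(("MEDIUM", name, who, secret))  # a human read a secret directly
        elif name in VALUE_READ and r.get("errorCode") == "AccessDenied":
            out.append(("LOW", "AccessDenied:" + name, who, secret))  # probing or misconfig
    return out

SAMPLE_RECORDS = [  # constructed sample events
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"secretId": "prod/app/db"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0def"},
     "requestParameters": {"secretId": "prod/billing/api-key"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
]

if __name__ == "__main__":
    for f in findings(SAMPLE_RECORDS):
        print(*f)
```

The human check keys on userIdentity.type, which catches IAM users and the root user; people who reach the console through federation or SSO arrive as AssumedRole like workloads do, so in that setup extend the check to the role name (for example, roles that are assumed by humans) rather than the identity type alone.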
Integration With Parameter Store
As you get started…
1. No plaintext secrets
2. Unique secrets per region, per environment, per account
3. Rotate secrets regularly
4. Control permissions
5. Tags and hierarchical names to scale secrets management
6. Monitor and audit use; deprecate unused secrets
7. No charge for versions of a secret; no charge for using the
default encryption key
Thank you!
Questions?
Advanced Use Cases
Advanced use cases – manage and rotate Twitter API key
Step 1: Store a Twitter API key and bearer token in Secrets Manager.
Step 2: Create a custom Lambda function to rotate the bearer token.
Step 3: Configure your application to retrieve the bearer token from Secrets Manager.
Step 4: Configure Secrets Manager to use the custom Lambda function to rotate the bearer token automatically.
Detailed instructions available at: https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and-bearer-token-automatically-with-aws-secrets-manager/
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Secrets Manager

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager
  • 2. Overview
    AWS Secrets Manager enables customers to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
    • IT Admins: store and manage access to secrets securely and at scale
    • Security Admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications
    • Developers: avoid dealing with secrets in their applications
  • 3. What do customers want to do?
    • Use secrets within their applications to connect to databases, APIs, and other resources
    • Rotate those secrets regularly
    • Specify and control where, how, and by whom secrets are used
  • 4. What challenges are they facing?
    • Existing solutions are complex to operate or too expensive
    • Unreliable rotation processes result in outages
    • Too many humans with unnecessary access to secrets
  • 5. AWS Secrets Manager
    Lifecycle management for secrets such as database credentials and API keys.
    • Rotate secrets safely
    • Manage access with fine-grained policies
    • Secure and audit secrets centrally
    • Pay as you go
  • 6. Key Features
    Rotate secrets safely:
    • Built-in integrations for rotating MySQL, PostgreSQL, and Amazon Aurora on RDS
    • Extensible with Lambda
    • Use versioning so that applications don’t break when secrets are rotated
    Fine-grained access control:
    • IAM policies
    • Tag-based access control and hierarchical names for scalability
    • Resource-based policies for cross-account access
  • 7. Key Features
    Secure, audit, and monitor:
    • Encrypted by default using encryption keys owned by the customer
    • Integrated with CloudTrail and CloudWatch, e.g. send an SNS notification when an administrator deletes a secret
    Pay as you go:
    • No annual license or up-front cost
    • $0.40 per secret per month (pro-rated based on the number of hours)
    • $0.05 per 10,000 API calls
  • 8. Comparing AWS Systems Manager Parameter Store
    AWS Systems Manager Parameter Store:
    • A service to store & retrieve configuration data, including secrets.
    • Build and schedule your own rotation using Lambda and other AWS services.
    • Free service most appropriate for customers without specific rotation requirements.
    AWS Secrets Manager:
    • A service to manage the lifecycle for secrets in your organization.
    • Routinely, confidently, and automatically rotate secrets to help meet security and compliance requirements.
    • Underlying technology developed for managing secrets internally at Amazon.
    • Paid service for customers who derive value from reliable and safe rotation.
  • 9. Demonstration 1: Store and retrieve Secret
  • 10. Demonstration Recap
    • Load secret
      • Initial secret loaded into Secrets Manager for management.
      • Verify permissions and rotation configuration.
    • Retrieve secret
      • Application code retrieves authorized secrets from Secrets Manager.
      • Credentials and permissions provided by IAM role attached to EC2.
    • Rotate secret
      • On-demand rotation of secret initiated.
      • Secrets Manager rotates credential in backend resource.
      • New version of secret returned via Secrets Manager API calls.
  • 11. Typical Use Cases
  • 12. Typical use cases – Use secret within application
    Connect to database from application code
    • DBA loads application-specific database credentials into AWS Secrets Manager.
    • DevOps engineer deploys application with an attached AWS IAM role.
    • Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credentials, and connects to the database.
  • 13. Retrieve Secret (diagram)
    Diagram labels: AWS Resources; Your Code; EC2 Instance; Other Resources; AWS credentials via IAM roles; DB creds loaded; Safe rotation.
    Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials.
  • 14. Rotate Secret (Custom) (diagram)
    Diagram labels: AWS Secrets Manager; Your Code; Custom Backend Resource (e.g. 3rd party API key); Custom Lambda Rotator (you write).
    1) Rotation event
    2) Multi-step rotation (create, set, test, finish)
    3) Operations per rotation strategy supported by backend
    4) New cred promoted to active
    5) Secret retrieval
    6) Connection using new credential
  • 15. Demonstration 2: Manage and retrieve database credential
  • 16. Typical use cases – rotate secret
    Rotate database credentials used by application code without interruption
    • Secrets Manager creates a new credential with equivalent permissions.
    • The new credential is promoted and returned via subsequent Secrets Manager API calls.
    • Secrets Manager safely disables the original credential.
  • 17. Rotate Secret (Integrated) (diagram)
    Diagram labels: AWS Secrets Manager; Your Code; Integrated Backend Resource.
    1) Rotation event
    2) New credential creation initiated
    3) New credential creation completed
    4) New credential promoted to active
    5) Secret retrieval gets new version
    6) Connection using new credential
  • 18. Typical use cases – control access, monitor, and audit secret
    Use the AWS eco-system to control access, monitor, and audit secrets
    • IAM policies for access control
    • Tag-based access control
    • Resource-based policies for access control
  • 19. Background: IAM Roles (diagram)
    Diagram labels: AWS Resources; Your Code; Operating System; EC2 Instance.
    • AWS credentials auto delivered and rotated
    • AWS credentials auto discovered and used
    • Access controlled by policy attached to role
    • Also works with AWS Lambda & Amazon ECS
  • 20. Access control – using IAM policies
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
          "Resource": "arn:aws:secretsmanager:us-east-2:476697075236:secret:My_Test_Secret/*"
        }
      ]
    }
  • 21. Access control – using Tags
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:Describe*", "secretsmanager:GetSecretValue"],
          "Resource": "*",
          "Condition": {
            "StringEqualsIgnoreCase": {"secretsmanager:ResourceTag/<TAG_KEY>": "<TAG_VALUE>"}
          }
        }
      ]
    }
  • 22. Access control – using resource-based policies
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::ACCOUNT_NUMBER:role/demo_role"},
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}
        }
      ]
    }
    $ aws secretsmanager put-resource-policy --secret-id MY_TEST_SECRET --resource-policy file://RESOURCE_POLICY.json
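The three policies on slides 20 to 22 gate on different things: a secret ARN, a resource tag, and a version stage. The Python below is an added example, not code from the deck or from AWS: a deliberately simplified evaluator with the same Allow/Action/Resource/Condition shape, just enough to run each slide's policy against an allowed and a denied request offline. The policy documents and the 476697075236 account id come from the slides; the tag key and value, the sample account id in the principal ARN and the concrete secret ARN are constructed.

```python
"""Simplified model of the three access-control policies on slides 20 to 22.

Added example, not from the deck and not AWS's evaluation engine: Allow statements with
wildcard Action/Resource matching and the two condition operators the slides use, nothing
else of IAM (no explicit Deny, no policy-type precedence, case-sensitive action names).
Tag key/value, the principal's account id and the concrete secret ARN are constructed.
"""
import fnmatch

ACCOUNT = "476697075236"  # account id as printed on slide 20
SECRET_ARN = f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:My_Test_Secret/prod-Ab12Cd"  # constructed
DEMO_ROLE = "arn:aws:iam::111122223333:role/demo_role"  # slide 22's ACCOUNT_NUMBER filled with a sample id

IDENTITY_POLICY = {  # slide 20: scoped to one secret name and anything beneath it
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:My_Test_Secret/*",
    }],
}
TAG_POLICY = {  # slide 21 with <TAG_KEY>=app and <TAG_VALUE>=payments (constructed)
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:Describe*", "secretsmanager:GetSecretValue"],
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": {"secretsmanager:ResourceTag/app": "payments"}},
    }],
}
RESOURCE_POLICY = {  # slide 22: one role may read only the AWSCURRENT version
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DEMO_ROLE},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}},
    }],
}

# The two string operators the slides use; any other operator is a KeyError on purpose.
_STRING_OPS = {"StringEquals": lambda expected, actual: expected == actual,
               "StringEqualsIgnoreCase": lambda expected, actual: expected.lower() == actual.lower()}

def _matches_any(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one pattern or a list of them."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Every condition block must hold. A key absent from the request context never matches.
    A list-valued context entry (e.g. secretsmanager:VersionStage) needs a ForAnyValue/ForAllValues
    prefix; without one this model only accepts a single-valued entry."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = actual if isinstance(actual, list) else [actual]
            if set_op == "ForAnyValue":
                ok = any(_STRING_OPS[base_op](expected, v) for v in values)
            elif set_op == "ForAllValues":
                ok = all(_STRING_OPS[base_op](expected, v) for v in values)
            else:
                ok = len(values) == 1 and _STRING_OPS[base_op](expected, values[0])
            if not ok:
                return False
    return True

def is_allowed(policy, request):
    """request = {"action", "resource", optional "principal", optional "context"}."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "Principal" in stmt and not _matches_any(stmt["Principal"].get("AWS", []), request.get("principal", "")):
            continue
        if not _matches_any(stmt["Action"], request["action"]):
            continue
        if not _matches_any(stmt["Resource"], request["resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), request.get("context", {})):
            return True
    return False

def evaluate_examples():
    """One allowed and one denied request for each slide's policy."""
    get, put, describe = ("secretsmanager:" + a for a in ("GetSecretValue", "PutSecretValue", "DescribeSecret"))
    tag_ctx = {"secretsmanager:ResourceTag/app": "Payments"}  # case differs from the policy on purpose
    current = {"secretsmanager:VersionStage": ["AWSCURRENT"]}
    pending = {"secretsmanager:VersionStage": ["AWSPENDING"]}
    return {
        "identity_get": is_allowed(IDENTITY_POLICY, {"action": get, "resource": SECRET_ARN}),
        "identity_put": is_allowed(IDENTITY_POLICY, {"action": put, "resource": SECRET_ARN}),
        "tag_describe": is_allowed(TAG_POLICY, {"action": describe, "resource": SECRET_ARN, "context": tag_ctx}),
        "tag_untagged": is_allowed(TAG_POLICY, {"action": get, "resource": SECRET_ARN}),
        "resource_current": is_allowed(RESOURCE_POLICY, {"principal": DEMO_ROLE, "action": get,
                                                         "resource": SECRET_ARN, "context": current}),
        "resource_pending": is_allowed(RESOURCE_POLICY, {"principal": DEMO_ROLE, "action": get,
                                                         "resource": SECRET_ARN, "context": pending}),
    }
```

Two things the evaluation makes visible. The tag policy grants access to every secret that carries the tag, so whoever may tag secrets is part of the access-control boundary alongside the policy itself. The resource-based policy lets the cross-account role read only AWSCURRENT, so a version that is still staged as AWSPENDING during a rotation is not readable by it before the rotation has finished.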
  • 23. Encryption
    All secrets protected at rest and in transit
    At rest:
    • Secrets encrypted at rest using AWS Key Management Service (KMS).
    • Choose your desired Customer Master Key (CMK) or AWS managed default encryption key.
    In transit:
    • Secrets encrypted in transit using Transport Layer Security (TLS).
    • All API calls authenticated by SigV4 verification.
  • 24. Audit access – using AWS CloudTrail
  • 25. Monitor access – using Amazon CloudWatch
  • 26. Integration With Parameter Store
  • 27. As you get started…
    1. No plaintext secrets
    2. Unique secrets per region, per environment, per account
    3. Rotate secrets regularly
    4. Control permissions
    5. Tags and hierarchical names to scale secrets management
    6. Monitor and audit use; deprecate unused secrets
    7. No charge for versions of a secret; no charge for using the default encryption key
  • 28. Thank you!
  • 29. Questions?
  • 30. Advanced Use Cases
  • 31. Advanced use cases – manage and rotate Twitter API key
    Step 1: Store a Twitter API key and bearer token in Secrets Manager.
    Step 2: Create a custom Lambda function to rotate the bearer token.
    Step 3: Configure your application to retrieve the bearer token from Secrets Manager.
    Step 4: Configure Secrets Manager to use the custom Lambda function to rotate the bearer token automatically.
    Detailed instructions available at: https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and-bearer-token-automatically-with-aws-secrets-manager/