Level 500: Let's Get (Really) Technical – Versent
•
1 like•364 views
This document provides an overview of managing identities and secrets when using AWS. It discusses some common problems around inconsistent usernames and multiple AWS accounts. It then introduces AWS Directory Service as a way to establish a single identity source. SAML 2.0 and IdP are presented as methods to federate authentication. Automating CLI access with saml2aws is also covered. The document emphasizes that infrastructure should be coded and secrets should not be stored in code. It presents Unicreds, a tool built by Versent to help customers securely store and retrieve secrets in AWS using KMS, DynamoDB, and IAM. Key points are that KMS is integral to securing data on AWS and automation tools should aim to make secrets
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Level 500: Let's Get (Really) Technical – Versent
Similar to Level 500: Let's Get (Really) Technical – Versent (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Level 500: Let's Get (Really) Technical – Versent
- 1. Rowan Udell, Senior Consultant, Versent Lucas Chan, Senior Consultant, Versent Mark Wolfe, Digital and Cloud Consultant, Versent Level 500: Let's Get (Really) Technical
- 2. Welcome Aboard • Level Up • Iteration 0 • Simplicity vs Complexity
- 4. Hard Boundaries • Multiple Accounts • No Pet Accounts • Consistency is Key
- 5. Automation is a hard requirement It's the only way to do this right AND It's not easy
- 6. We access AWS in many different ways. • AWS web console / CLI / API • Access controlled with IAM user accounts and groups. • Policies applied at the group or user level. • Result: You probably have a lot of AWS accounts with a lot of IAM users • Result: You probably have a lot of variations of your username too Our Identity Problem
- 7. The Symptoms • lucas • lucas.chan • Lucas.Chan • lucas_chan • lucaschan • lchan • chanl • mister_chan • the_chan • chanl2 • CHNLSQ
- 8. • lucas • lucas.chan • Lucas.Chan • lucas_chan • lucaschan • lchan • chanl • mister_chan • the_chan • chanl2 • CHNLSQ The Symptoms
- 9. The Symptoms • lucas • lucas.chan • Lucas.Chan • lucas_chan • lucaschan • lchan • chanl • mister_chan • the_chan • chanl2 • CHNLSQ
- 10. • lucas • lucas.chan • Lucas.Chan • lucas_chan • lucaschan • lchan • chanl2 • CHNLSQ The Symptoms
- 11. “People talk about Hip-Hop Federation like it’s some giant living in the hillside” - Mos Def Fear Not of FEDERATION
- 12. AWS Directory Service (Simple AD or Microsoft AD) Level Up: Stage 1
- 13. Demo
- 15. AD Connector to your on-prem Active Directory Level Up: Stage 1 (Bonus Round)
- 16. Level Up: Stage 2 IdP and SAML 2.0
- 17. (Demo / Bonus Round) PING with MFA Level Up: Stage 2
- 19. Level Up: Stage 3 CLI Access with saml2aws
- 20. Level Up: Stage 3 (Demo) CLI Access with saml2aws
- 27. 1. AWS Directory Service is your foot in the door 2. IdP with SAML 2.0 is your happy place 3. Same principles apply for API access Federation: Summary
- 28. Sunlight is the best disinfectant VISIBILITY
- 29. Everything is code Infrastructure as Code
- 30. ...BUT
- 31. Everything is code BUT Secrets don’t go in code! Infrastructure as Code
- 32. Most of our customers have a secret server/service, but: Current Situation 1. Not integrated with AWS 2. Typically on an internal network 3. Operators and DevOps typically copy these secrets into source code/config tools
- 33. • Uses KMS to manage encryption/decryption • Data stored in Dynamo • Access controlled by IAM • Auditing provided by Cloudtrail • No servers… • Port of credstash to golang with some enhancements. • Supports Windows, Linux and OSX To help our customers manage their secrets using Amazon native services we built Unicreds. Unicreds
- 34. Keep your secrets in your account • Uses the Amazon platform for Key and access management • Simplifies on/off boarding • Auditing is available in one place Why
- 35. • Automate creation, storage and retrieval of secrets in your build pipeline • Use IAM to grant CICD or servers, selective access to secrets • When secrets are stored and retrieved you can supply a Key Alias • Easily integrated with tools such as Ansible, Puppet or plain shell scripts Automation Friendly
- 36. • Encrypts everything in AWS • EBS Volumes • S3 Objects • Lambda Environment Variables Note: Out of the box provides encryption at rest, locked to account boundaries ONLY. KMS
- 37. • Encrypt • Decrypt • GenerateDataKey KMS API
- 38. When we upload a secret with unicreds. • GenerateDataKey (KMS) • Use half the key to encrypt (AES) the secret • Other half used to generate a HMAC signature of the encrypted secret • PutItem (DynamoDB) • User supplied identifier eg. admin.apache.dev • base64(Encrypted Secret), HMAC and base64(Encrypted Key) • Created Date Unicreds: How It Works
- 39. When we download a secret with unicreds. • GetItem (DynamoDB) • Retrieve encrypted secret, HMAC and encrypted key using the identifier • Decrypt (KMS) • Decrypt the key • Validate the HMAC signature • Decrypt the secret (AES) • Return the secret to the operator or script Unicreds: How It Works
- 41. 1. KMS is integral to securing your data on AWS 2. Build tools to enable automation 3. Aim to make secrets management disappear Secrets: Summary
- 42. • You can't keep up • Protect them (sometimes from themselves) • Verification as Communication • Less Big Brother • More Collaboration Trust & Verify
- 46. Thank you!