This document provides an overview of managing identities and secrets when using AWS. It discusses some common problems around inconsistent usernames and multiple AWS accounts. It then introduces AWS Directory Service as a way to establish a single identity source. SAML 2.0 and IdP are presented as methods to federate authentication. Automating CLI access with saml2aws is also covered. The document emphasizes that infrastructure should be coded and secrets should not be stored in code. It presents Unicreds, a tool built by Versent to help customers securely store and retrieve secrets in AWS using KMS, DynamoDB, and IAM. Key points are that KMS is integral to securing data on AWS and automation tools should aim to make secrets
Level 500: Let's Get (Really) Technical – Versent
1. Rowan Udell, Senior Consultant, Versent
Lucas Chan, Senior Consultant, Versent
Mark Wolfe, Digital and Cloud Consultant, Versent
Level 500: Let's Get (Really) Technical
5. Automation is a hard requirement
It's the only way to do this right
AND
It's not easy
6. We access AWS in many different ways.
• AWS web console / CLI / API
• Access controlled with IAM user accounts and groups.
• Policies applied at the group or user level.
• Result: You probably have a lot of AWS accounts with a lot of IAM users
• Result: You probably have a lot of variations of your username too
Our Identity Problem
27. 1. AWS Directory Service is your foot in the door
2. IdP with SAML 2.0 is your happy place
3. Same principles apply for API access
Federation: Summary
32. Most of our customers have a secret server/service, but:
Current Situation
1. Not integrated with AWS
2. Typically on an internal network
3. Operators and DevOps typically copy these secrets into source code/config tools
33. • Uses KMS to manage encryption/decryption
• Data stored in Dynamo
• Access controlled by IAM
• Auditing provided by Cloudtrail
• No servers…
• Port of credstash to golang with some enhancements.
• Supports Windows, Linux and OSX
To help our customers manage their secrets using Amazon native services we built Unicreds.
Unicreds
34. Keep your secrets in your account
• Uses the Amazon platform for Key and access management
• Simplifies on/off boarding
• Auditing is available in one place
Why
35. • Automate creation, storage and retrieval of secrets in your build pipeline
• Use IAM to grant CI/CD or servers selective access to secrets
• When secrets are stored and retrieved you can supply a Key Alias
• Easily integrated with tools such as Ansible, Puppet or plain shell scripts
Automation Friendly
36. • Encrypts everything in AWS
• EBS Volumes
• S3 Objects
• Lambda Environment Variables
Note: Out of the box this provides encryption at rest, locked to account boundaries ONLY.
KMS
38. When we upload a secret with unicreds:
• GenerateDataKey (KMS)
• Use half the key to encrypt (AES) the secret
• Other half used to generate an HMAC signature of the encrypted secret
• PutItem (DynamoDB)
• User supplied identifier, e.g. admin.apache.dev
• base64(Encrypted Secret), HMAC and base64(Encrypted Key)
• Created Date
Unicreds: How It Works
39. When we download a secret with unicreds:
• GetItem (DynamoDB)
• Retrieve encrypted secret, HMAC and encrypted key using the identifier
• Decrypt (KMS)
• Decrypt the key
• Validate the HMAC signature
• Decrypt the secret (AES)
• Return the secret to the operator or script
Unicreds: How It Works
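The two slides above describe the flow but the deck carries no code, so here is an added Go sketch of both directions (not Unicreds' or credstash's own source). It stands in for KMS with an in-memory AES-GCM master key, uses AES-CTR with a fixed IV for the secret (an assumption of this sketch, safe only because each secret gets a fresh data key), and keeps the DynamoDB row shape from the slide: identifier, base64 ciphertext, HMAC, base64 wrapped key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Item mirrors the DynamoDB row unicreds writes: identifier, base64 ciphertext, HMAC, base64 wrapped key.
type Item struct{ Name, Contents, HMAC, Key string }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func newAEAD(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(b); return a }
// kmsMaster stands in for the KMS master key (a constructed stub, not the AWS API): the wrapped data
// key sitting in DynamoDB is useless without an IAM-permitted Decrypt call back to KMS.
var kmsMaster = newAEAD(randBytes(32))
// kmsGenerateDataKey mimics KMS GenerateDataKey: a fresh 64-byte key, returned in the clear and wrapped.
func kmsGenerateDataKey() (plain, wrapped []byte) {
	plain, nonce := randBytes(64), randBytes(kmsMaster.NonceSize())
	return plain, kmsMaster.Seal(nonce, nonce, plain, nil)
}
// kmsDecrypt mimics KMS Decrypt: AES-GCM unwrap, which also rejects a tampered wrapped key.
func kmsDecrypt(w []byte) ([]byte, error) { n := kmsMaster.NonceSize(); return kmsMaster.Open(nil, w[:n], w[n:], nil) }
// aesCTR uses a fixed IV, acceptable only because every secret gets its own fresh data key.
func aesCTR(key, data []byte) []byte {
	b, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(b, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}
func tag(key, ct []byte) []byte { m := hmac.New(sha256.New, key); m.Write(ct); return m.Sum(nil) }
// Put: the first half of the data key encrypts the secret, the second half authenticates the ciphertext.
func Put(name, secret string) Item {
	dk, wrapped := kmsGenerateDataKey()
	ct, enc := aesCTR(dk[:32], []byte(secret)), base64.StdEncoding.EncodeToString
	return Item{name, enc(ct), enc(tag(dk[32:], ct)), enc(wrapped)}
}
// Get: unwrap the key via KMS, verify the HMAC before decrypting, and refuse a modified row.
func Get(it Item) (string, error) {
	dec := func(s string) []byte { b, _ := base64.StdEncoding.DecodeString(s); return b }
	wrapped, ct, want := dec(it.Key), dec(it.Contents), dec(it.HMAC)
	dk, err := kmsDecrypt(wrapped)
	if err != nil || !hmac.Equal(tag(dk[32:], ct), want) {
		return "", errors.New("unwrap failed or HMAC mismatch: stored secret is unusable")
	}
	return string(aesCTR(dk[:32], ct)), nil
}
```

The HMAC check runs before any decryption, so a ciphertext edited in the table is rejected without ever producing garbage plaintext; the real tool additionally stores a version and created date alongside the row.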
41. 1. KMS is integral to securing your data on AWS
2. Build tools to enable automation
3. Aim to make secrets management disappear
Secrets: Summary
42. • You can't keep up
• Protect them (sometimes from themselves)
• Verification as Communication
• Less Big Brother
• More Collaboration
Trust & Verify