Securing AWS Accounts with Hashi Vault

•Download as PPTX, PDF•

0 likes•2,385 views

This document discusses using HashiCorp Vault for secrets management. It begins with an introduction and agenda. It then covers the problems with storing secrets in code or cloud services. Next, it provides an overview of HashiCorp Vault, highlighting that it allows for encrypted secrets storage and lifecycle management. It also supports identity-based access controls and dynamic secrets. The document concludes with a demo summary emphasizing best practices like rotating keys often, using dynamic secrets, restricting access with policies, and integrating OAuth.

Software

Securing AWS Accounts
with HashiCorp Vault
Shrivatsa Upadhye
Cloud Developer Advocate (VMware)
Feb 2020

2
whoami (Who am I?)
• Cloud Developer Advocate @VMWare
• Focused on Public Cloud and Application security
• Part of CloudJourneyIO team
• Love Cars, Pizza and Netflix
Follow me on Twitter/Medium/GitHub/LinkedIn : @ishrivatsa

3
Agenda
• Problem Statement
• Why do we need Secrets Management?
• Overview - HashiCorp Vault
• What are Dynamic Secrets?
• Demo

4
Problem
Statement
Access and Secret keys are used in dev and prod
environments for deploying applications
Restricting privileged access to cloud services is
crucial
Revoke the access and secret keys when not used or
compromised
Allow usage of credentials only for limited time
Audit and log the usage of credential access
Maintaining consistent user experience for managing
secrets lifecycle across different environment

5
Why do we
need Secrets
Management
?
• 1. Adoption of Microservices architecture means that
these services would communicate with each other and
external services by using API keys and other secrets
(database passwords), etc
• 2. Hardcoding of secrets within an application is NOT a
good practice as there is the risk of these secrets being
exposed on git repositories.
• 3. Hackers usually tend to exploit unencrypted secrets
and keys. This is one of the main reasons for data
breaches.
• 4. Teams working in shared public cloud
environments, need strict access controls on who can
access what portion of the infrastructure. This will allow
for centralized secrets management.

6
Hashi Vault
SELF HOSTED
AND OPERATED
FREEMIUM
MODEL –
OPENSOURCE
AND ENTERPRISE
VERSION
AVAILABLE
ENCRYPTED
SECRETS
LIFECYCLE
MANAGEMENT
OF SECRETS –
STORE, ROTATE,
REVOKE, EXPIRE
IDENTITY BASED
ACCESS TO
SECRETS
SUPPORTS
POLICIES TO
DEFINE
PERMISSIONS
FOR
USERS/SYSTEMS
CLOUD
AGNOSTIC –
WORKS WITH
AWS, AZURE AND
GOOGLE CLOUD

7
AWS Secrets Manager HashiCorp Vault
Fully Managed Self Hosted and Operated
Service Seamless secrets rotation for native services like
RDS, RedShift and DocumentDB (Might need Lambda for
some key rotation)
Secrets Rotation must be done with scripts
No lease periods for secrets Duration can be set for how long the access to secrets
are allowed
Coupled to AWS ecosystem Cloud Agnostic i.e. Works with AWS, Azure, and GCP
Limited (MariaDB, MySQL, Postgres) or no native
integration with Mongo and Kubernetes
Integrations for various opensource and licensed
databases like Influx, Mongo, Hana as well as Kubernetes
secrets
Paid service - Charged for API calls as well as storage for
every secret
Freemium model - They have an Opensource version as
well as Enterprise version
AWS Secrets Manager vs Hashi Vault

8
Dynamic Secrets
• Dynamic secrets, on the other hand, are not stored until the user or client initiates a read or GET call.
• Why dynamic secrets ?
• Leaky Applications - Dynamic secrets minimize the impact of leaky applications by ensuring credentials are
ephemeral.
• Audit Trail - Unique credentials per client makes it much easier to do forensics and understand the source of
compromise.
• Key Rotation - By attaching a lease to secrets and enforcing a maximum time to live, secrets are being
automatically rotated.
• Revocation - This makes it possible to revoke specific leases in the case of a compromise. Unique credentials
limits the blast radius of a revocation, preventing full-service outages

10
Summary
• Rotate keys often
• Leverage Dynamic Secrets
• Set vault policies to restrict access to credentials
• Use OAuth integration to improve user experience

Vault is a tool for centrally managing secrets like passwords, API keys, and certificates. It addresses the problem of "secrets sprawl" where credentials are stored insecurely in multiple places like source code, emails, and configuration files. Vault centralizes secrets management, provides access control and auditing, and generates unique short-lived credentials to reduce risk if a secret is compromised. It also supports encrypting sensitive data for additional protection. Implementing Vault involves deciding where it will run, who will manage encryption keys, which secrets it will store, where audit logs will go, and who will operate and configure the system on an ongoing basis.

Consul 1.6: Layer 7 Traffic Management and Mesh Gateways

Mitchell Pronschinske

This document provides an overview of Consul L7, a multi-cloud service networking platform. It discusses background on the transition to multi-cloud, Consul's approach to cloud networking, and principles around API-driven configuration, running services anywhere, and extending integrations. The rest of the document outlines basic Consul configuration, traffic routing, shifting, multi-cluster gateways, service failover, and using metrics and tracing with Envoy proxies.

HashiTLS Demystifying Security Certs

Mitchell Pronschinske

In this talk, we will begin our journey looking at the RFCs behind these technologies. Next, we will use OpenSSL, CFSSL, and mkcert to validate what we have learned about X509 v3 certificates. Then we will use the certificates we make to bootstrap Consul, Vault, and Nomad clusters with mTLS enabled so we can get familiar with terminology and error messages. Finally, we will look at their source code to learn how we might implement the same ideas in our projects.

Hashicorp Vault: Open Source Secrets Management at #OPEN18

Kangaroot

Smart networking with service meshes

Mitchell Pronschinske

The document discusses service meshes and Consul. It provides an overview of smart networking principles like service discovery, identity, authorization and encryption between services. It describes how a service mesh like Consul separates the control plane and data plane. The control plane handles configuration and policy while the data plane handles traffic routing. The document outlines Consul's architecture, usage and capabilities like service discovery, configuration and segmentation. It also previews exercises on exploring Consul's service discovery, KV store and service mesh features.

Delivering Secret Zero: Vault AppRole with Terraform and Chef

Amanda MacLeod

This document discusses using AppRole authentication in Vault to securely deliver authentication tokens to programmatic clients. AppRole allows splitting the authentication process across separate systems by using a static RoleID and unique, single-use SecretID. The RoleID can be distributed openly while the SecretID is delivered securely by systems like Terraform, Chef or Nomad. When combined, the RoleID and SecretID provide a Vault authentication token that follows the principle of least privilege without storing credentials on central systems.

Overview of secret management solutions and architecture

Yuechuan (Mike) Chen

The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points: - Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets. - An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools. - Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions. - AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...

Stenio Ferreira

The document discusses using Vault to securely manage secrets for applications deployed to Pivotal Cloud Foundry (PCF). It describes the typical Vault workflow, how Spring Cloud Vault can integrate Vault with PCF applications, and challenges with this approach. It then introduces the Vault PCF Service Broker, which solves issues by binding applications to Vault upon deployment, generating unique policies and tokens, and injecting credentials as environment variables. It demonstrates the service broker configuration and usage, and discusses limitations including that apps are still responsible for interacting with Vault and bootstrapping secrets.

This document discusses Amazon Web Services (AWS) security configuration and tools. It provides AWS configuration options like Amazon S3, EC2, VPC, IAM, RDS and Elastic Beanstalk. It also discusses security groups, users, credentials and accessing AWS resources. The document shares links to AWS security documentation and best practices. It includes a demonstration of using forensic tools like Volatility on a Linux EC2 instance memory capture to analyze processes, network configuration and loaded kernel modules.

Secret Management with Hashicorp’s Vault

AWS Germany

When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed. HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing. This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.

Introduction to Virtual Kubelet

Mitchell Pronschinske

This document introduces Virtual Kubelet, which extends the Kubernetes API to serverless container platforms. It treats the concept of pods and nodes abstractly, allowing pods to run on platforms like ACI and Fargate. Virtual Kubelet implements a provider interface to manage the pod lifecycle on these platforms. It also allows hybrid use cases like running traditional and serverless pods together. The document demonstrates how Virtual Kubelet can schedule pods to ACI from an AKS cluster and to Nomad from a Kubernetes cluster.

Practical Guide to Securing Kubernetes

Lacework

This document provides an overview and best practices for securing Kubernetes (K8s) clusters. It discusses common threats like exposed dashboards, APIs, and etcd stores. It also covers risks from within the cluster like compromised nodes and pods or vulnerabilities in container images. The document recommends 10 essential practices for securing K8s like image scanning, role-based access control, security boundaries, upgrades, pod security policies, node hardening, audit logging, and host/container logging. It emphasizes the importance of a security-aware development process and provides resources for further information.

Secret Management with Hashicorp Vault and Consul on Kubernetes

An Nguyen

The document discusses secret management with Hashicorp Vault and Consul on Kubernetes. It begins with an overview of secret management and why it is important. It then discusses traditional insecure approaches to secret management versus modern secure approaches. Hashicorp Vault is introduced as a tool for modern secret management that provides encrypted secret storage, access control, auditing and more. Features of Vault like leasing, dynamic credentials, authentication methods and enterprise features are covered. The document concludes with demos of using Vault with legacy and new applications on Kubernetes.

Of CORS thats a thing how CORS in the cloud still kills security

John Varghese

This document discusses how Cross-Origin Resource Sharing (CORS) is intended to allow cross-domain requests but can impact security if misconfigured. CORS uses HTTP headers to enable controlled cross-domain access and is supported by services like Amazon S3, CloudFront, API Gateway, and Lambda. While CORS allows legitimate cross-domain content sharing, misconfigurations can bypass the same-origin policy and allow attackers to steal user sessions, credentials, or other sensitive data across domains. The document provides examples of how CORS has been exploited in the past and cautions that even minor CORS issues can become major security vulnerabilities when user contexts are involved.

AWS Code + AWS Device Farm

Amazon Web Services

This document discusses AWS services for software development including CodeCommit, CodePipeline, and CodeDeploy. CodeCommit is a fully managed source control service that allows developers to securely store code in Git repositories. CodePipeline is a continuous delivery service that automates the release process through customizable workflows. CodeDeploy is an automated deployment service that simplifies deploying applications to any instance, including EC2 instances, on-premises servers, or serverless Lambda functions. The document provides examples of how these services can be used together to enable continuous delivery of code changes from a source code repository through build, test and deployment pipelines.

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...

Amanda MacLeod

Advanced Security Best Practices Masterclass

Amazon Web Services

This document provides an overview of best practices for security on AWS. It discusses the shared responsibility model between AWS and customers. It covers identity and access management with IAM, including creating users, permissions, groups, and conditions. It also discusses networking with Amazon VPC, security groups for EC2 instances, and secrets management. Additional topics include encryption, auditing with CloudTrail, passwords, credential rotation, MFA, roles, and reducing root access.

PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Evident.io

Vault Agent and Vault 0.11 features

Mitchell Pronschinske

(ENT401) Hybrid Infrastructure Integration | AWS re:Invent 2014

Amazon Web Services

Hybrid Infrastructure Integration is an approach to connect on-premises IT resources with AWS and bridge processes, services, and technologies used in common enterprise customer environments. This session addresses connectivity patterns, security controls, account governance, and operations monitoring approaches successfully implemented in enterprise engagements. Infrastructure architects and IT professionals can get an overview of various integration types, approaches, methodologies, and common service patterns, helping them to better understand and overcome typical challenges in hybrid enterprise environments.

Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers

DevOps.com

IT infrastructure and apps are moving en masse to public clouds – AWS, Azure, Google – understanding leveraging infrastructure as code to provision the network services, connectivity and security to maximize simplicity, security and performance is critical to DevOps success in building and managing the new Enterprise Multi-Cloud Backbone. In this webinar, you’ll learn more about critical use cases such as (1) Using Terraform to spin up transit networking services in AWS, (2) profile-based secure cloud access for developers, and (3) VPC secure egress filtering to meet compliance, including deeper dives into: Deploying the network as code using automation tools Addressing specific operational challenges for high availability, across multiple VPCs Isolating environments for dev and test easily Design pattern details and the pros and cons of each approach Understanding the limitation of native services and how to add value and capabilities with advanced services How to architect an Enterprise Multi-Cloud Backbone to support all your cloud use case

Keeping a Secret with HashiCorp Vault

Mitchell Pronschinske

This document discusses how to retrofit applications to use Vault for secret management. It describes options for authenticating applications to Vault such as using approle authentication where the application is given a role ID and single-use secret ID. It also discusses tools like Vault Agent and Consul Template that can help retrieve secrets from Vault and make them available to applications. The document emphasizes best practices for secure introduction such as short token lifetimes and limiting exposure of authentication secrets.

Credential store using HashiCorp Vault

Mayank Patel

The document discusses HashiCorp Vault, which is a tool for securely managing secrets and sensitive data. It provides secure credential management and features like dynamic secrets, data encryption, leasing and key rotation, revocation, and audit controls. It integrates with databases, tools, and other systems. The presentation covers common challenges Vault aims to address, use cases, features, and includes a demo.

Secret Management Architectures

Stenio Ferreira

The document discusses recommendations for improving security when secrets are stored in plain text. It provides an overview of different tools that can be used to encrypt and manage secrets, including Git-crypt, KeyBase, AWS KMS, Azure Key Management, and HashiCorp Vault. The document compares different approaches to securing secrets from limited access in plain text to limited access with encryption and encryption with centralized management. It also outlines some common questions around rotating, auditing, and accessing secrets securely across different environments.

CodiLime Tech Talk - Michał Pawluk: Our deployment of HashiCorp Vault

CodiLime

Windows Azure Security & Compliance

Nuno Godinho

EKS security best practices

John Varghese

Using Splunk/ELK for auditing AWS/GCP/Azure security posture

Jose Hernandez

Securing Your CI Pipeline with HashiCorp Vault - P2

Ashnikbiz

Today, CI/CD is becoming a practice for optimum software delivery in almost every organization. What is key is how you manage the secrets in your pipeline, especially in a large organization with multiple projects, across several teams. Hashicorp Vault helps organizations to centrally manage secrets even in your CI/CD pipelines. WEBINAR COVERS: Why is it critical to secure your pipeline which needs to access a lot of important secrets in order to provision and deploy How Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log Customer use cases and scenarios Demo: How to secure your CI pipeline with Vault Watch on demand: https://bit.ly/35QCq0u

Security in the cloud Workshop HSTC 2014

Akash Mahajan

What's hot

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014

Amazon Web Services

Secret Management with Hashicorp’s Vault

AWS Germany

Introduction to Virtual Kubelet

Mitchell Pronschinske

Practical Guide to Securing Kubernetes

Lacework

Secret Management with Hashicorp Vault and Consul on Kubernetes

An Nguyen

Of CORS thats a thing how CORS in the cloud still kills security

John Varghese

AWS Code + AWS Device Farm

Amazon Web Services

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...

Amanda MacLeod

Advanced Security Best Practices Masterclass

Amazon Web Services

PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Evident.io

Vault Agent and Vault 0.11 features

Mitchell Pronschinske

(ENT401) Hybrid Infrastructure Integration | AWS re:Invent 2014

Amazon Web Services

Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers

DevOps.com

Keeping a Secret with HashiCorp Vault

Mitchell Pronschinske

Credential store using HashiCorp Vault

Mayank Patel

Secret Management Architectures

Stenio Ferreira

CodiLime Tech Talk - Michał Pawluk: Our deployment of HashiCorp Vault

CodiLime

Windows Azure Security & Compliance

Nuno Godinho

EKS security best practices

John Varghese

Using Splunk/ELK for auditing AWS/GCP/Azure security posture

Jose Hernandez

What's hot (20)

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014

Secret Management with Hashicorp’s Vault

Introduction to Virtual Kubelet

Practical Guide to Securing Kubernetes

Secret Management with Hashicorp Vault and Consul on Kubernetes

Of CORS thats a thing how CORS in the cloud still kills security

AWS Code + AWS Device Farm

Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...

Advanced Security Best Practices Masterclass

PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Vault Agent and Vault 0.11 features

(ENT401) Hybrid Infrastructure Integration | AWS re:Invent 2014

Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers

Keeping a Secret with HashiCorp Vault

Credential store using HashiCorp Vault

Secret Management Architectures

CodiLime Tech Talk - Michał Pawluk: Our deployment of HashiCorp Vault

Windows Azure Security & Compliance

EKS security best practices

Using Splunk/ELK for auditing AWS/GCP/Azure security posture

Similar to Securing AWS Accounts with Hashi Vault

Securing Your CI Pipeline with HashiCorp Vault - P2

Ashnikbiz

Security in the cloud Workshop HSTC 2014

Akash Mahajan

Demistifying serverless on aws

AWS Riyadh User Group

Five Tips for Running Cloudera on AWS

Cloudera, Inc.

Hadoop security @ Philly Hadoop Meetup May 2015

Shravan (Sean) Pabba

This document provides an overview of Apache Hadoop security, both historically and what is currently available and planned for the future. It discusses how Hadoop security is different due to benefits like combining previously siloed data and tools. The four areas of enterprise security - perimeter, access, visibility, and data protection - are reviewed. Specific security capabilities like Kerberos authentication, Apache Sentry role-based access control, Cloudera Navigator auditing and encryption, and HDFS encryption are summarized. Planned future enhancements are also mentioned like attribute-based access controls and improved encryption capabilities.

AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...

Amazon Web Services

We’ve entered a new connectivity oriented world where we can access information any time, any place, on any device, 24 hours a day, and cloud computing is a major enabler of this flexibility. Like you, more and more businesses are looking to the cloud for better, faster, more powerful and affordable communications and while many would think that security in the cloud is much different, the reality is less dramatic. Moving to the cloud still requires using proven security techniques, but sometimes in new and dynamic ways that adapt to the elastic nature of cloud architecture. Join us as we discuss the latest cloud security solutions, including real world examples of how organizations like yours are succeeding against new and evolving threats. We will examine security considerations beyond what is provided by security-conscious cloud providers like Amazon Web Services and what additional factors you might want to think about when deploying to the cloud.

Getting Started With AWS Security

Amazon Web Services

1) Getting Started with AWS Security provides an overview of AWS security best practices including understanding AWS shared responsibility model, building strong compliance foundations, integrating identity and access management, enabling detective controls, establishing network security, implementing data protection, optimizing change management, and automating security functions. 2) Statoil migrated applications and infrastructure to AWS to achieve a cloud-first strategy. They established security automation, self-service provisioning, and continuous monitoring using native AWS services to securely manage their AWS environment. 3) Evolving security architecture practices involves treating security as part of the development process through automation, embedding architecture into code repositories, and ensuring solutions provide continuous audit and compliance.

Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation

TriNimbus

Secure Content Delivery Using Amazon CloudFront and AWS WAF

Amazon Web Services

Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things Amazon CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. You will also learn how you can use AWS Web Application Firewall (AWS WAF) with CloudFront to protect your site. Finally, we will share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting an A+ on SSL labs.

Secure Content Delivery Using Amazon CloudFront and AWS WAF

Amazon Web Services

MongoDB World 2018: Tutorial - How to Build Applications with MongoDB Atlas &...

MongoDB

This document provides an overview of a presentation given by Chris Munns on building applications with MongoDB Atlas and AWS Lambda. It introduces Chris and his background, defines serverless architecture using AWS Lambda and how it can be used to build applications without having to provision or manage servers. It then discusses using MongoDB Atlas for flexible and scalable database hosting in the cloud and how it can be integrated with AWS Lambda for building serverless applications.

Intelligent serverless-streaming-pipeline-using-kinesis-fargate-cfn

Yogesh Sharma

This document discusses using intelligent serverless and scalable real-time data pipelines with AWS Kinesis, Fargate, and CloudFormation (CFN). It begins with an introduction of the speaker and agenda. It then provides an overview of serverless computing and demonstrates how to use Kinesis for real-time streaming. Next, it explains what AWS Fargate is and its benefits. It demonstrates integrating Kinesis and Fargate using CFN. Finally, it briefly discusses some new trends before thanking the audience.

Vault Open Source vs Enterprise v2

Stenio Ferreira

This document discusses HashiCorp Vault, a tool for secrets management. It was founded in 2012 and enables provisioning, securing, connecting, and running infrastructure for applications across clouds. The document outlines how Vault provides centralized management of dynamic secrets, encryption as a service, and secure storage of secrets. It also describes Vault Enterprise features like replication, team tools for access control and multi-factor authentication, and governance/compliance features like Sentinel rules. An example case study of Adobe using Vault is also provided.

Secure Configuration and Automation Overview

Amazon Web Services

by Brad Dispensa, Sr. Solutions Architect, AWS Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session we will cover how you can use secure configuration and automation to monitor, audit, and enforce your security policies within an AWS environment. Level 200

Benefits of Cloud Computing

Amazon Web Services

This document discusses AWS and cloud adoption journeys. It describes typical stages of adoption including project, foundation, migration, and reinvention stages. It recommends initial steps for a cloud journey such as creating a minimum viable product, cloud center of excellence, and discovery workshop. The document provides examples of customer cloud journeys over multiple years and discusses concepts like landing zones, account structure, network setup, identity and access management, and service catalog.

Perforce on Tour 2015 - DVCS in the Enterprise: Introducing Helix DVCS and Gi...

Perforce

This document discusses the adoption of distributed version control systems (DVCS) like Git and Mercurial in enterprises. It outlines the opportunities that DVCS provides, such as fast local workflows and independent contributors, but also the challenges of using DVCS in enterprises, like lack of visibility and poor security. The document then introduces Perforce's Helix solutions for using DVCS in enterprises, including Helix Distributed for working offline, Helix GitSwarm for a distributed environment with Git workflows, and Helix Shared for a centralized enterprise repository. It argues that these solutions provide the freedom of DVCS with the discipline required for large enterprise projects.

AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge

Amazon Web Services

This document discusses Broadridge's use of AWS serverless technologies like AWS Lambda and Amazon API Gateway to build their Experience Manager application. It provides an overview of Broadridge, describes the problem of migrating essential communications from physical to digital, and how the Experience Manager solution leverages AWS services. It then covers benefits Broadridge realized by moving to AWS, including faster deployments, usage-based pricing, and automated key rotation.

Service fabric and azure service fabric mesh

Mikkel Mørk Hegnhøj

Service Fabric is an open-source distributed systems platform from Microsoft for packaging, deploying and managing distributed applications and services at scale. Azure Service Fabric Mesh is a new fully-managed platform that allows developing and running microservices applications without having to manage infrastructure. Key features of Service Fabric Mesh include serverless infrastructure, lifecycle management, intelligent traffic routing, and health monitoring. It allows building applications using any programming language or framework that can run in containers.

Creating your Hybrid Cloud with AWS -Technical 201

Amazon Web Services

During the session we will describe common methods used to create a Hybrid Cloud with AWS. We step through successful operational models, how to get started, and tools to simplify operations. We will explore topics such as networking, directories, DNS, and security. Importantly, we will cover ongoing operational and management practices. Speaker: Phil Barlow, Solutions Architect, Amazon Web Services Featured Customer - AMP

Hybrid Identity Management and Security for Large Enterprises (ENT307-R2) - A...

Amazon Web Services

In IT environments, identity is the key to governance and security. In this session, we discuss the challenges with identity in hybrid environments and some of the solutions. Topics include identity lifecycle management, single sign-on, multi-factor authentication, and dealing with multiple identity providers from different parties. We also cover the security requirements of a hybrid cloud environment: maintaining visbility, encryption, secure remote access, and compliance and auditing requirements.

Similar to Securing AWS Accounts with Hashi Vault (20)

Securing Your CI Pipeline with HashiCorp Vault - P2

Security in the cloud Workshop HSTC 2014

Demistifying serverless on aws

Five Tips for Running Cloudera on AWS

Hadoop security @ Philly Hadoop Meetup May 2015

AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...

Getting Started With AWS Security

Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation

Secure Content Delivery Using Amazon CloudFront and AWS WAF

MongoDB World 2018: Tutorial - How to Build Applications with MongoDB Atlas &...

Intelligent serverless-streaming-pipeline-using-kinesis-fargate-cfn

Vault Open Source vs Enterprise v2

Secure Configuration and Automation Overview

Benefits of Cloud Computing

Perforce on Tour 2015 - DVCS in the Enterprise: Introducing Helix DVCS and Gi...

AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge

Service fabric and azure service fabric mesh

Creating your Hybrid Cloud with AWS -Technical 201

Hybrid Identity Management and Security for Large Enterprises (ENT307-R2) - A...

Recently uploaded

How Can Hiring A Mobile App Development Company Help Your Business Grow?

ToXSL Technologies

YAML crash COURSE how to write yaml file for adding configuring details

NishanthaBulumulla1

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

kalichargn70th171

UI5con 2024 - Bring Your Own Design System

Peter Muessig

How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.

在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样

mz5nrf0n

原版一模一样【微信：741003700 】【加拿大英属哥伦比亚大学毕业证本科学位证书】【微信：741003700 】学位证，留信认证（真实可查，永久存档）offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700 留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样

gapen1

原版定制【微信:bwp0011】《(hull学位证书)英国赫尔大学毕业证硕士文凭》【微信:bwp0011】成绩单、雅思、外壳、留信学历认证永久存档查询，采用学校原版纸张、特殊工艺完全按照原版一比一制作（包括：隐形水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠，文字图案浮雕，激光镭射，紫外荧光，温感，复印防伪）行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备，十五年致力于帮助留学生解决难题，业务范围有加拿大、英国、澳洲、韩国、美国、新加坡，新西兰等学历材料，包您满意。【业务选择办理准则】一、工作未确定，回国需先给父母、亲戚朋友看下文凭的情况，办理一份就读学校的毕业证【微信bwp0011】文凭即可二、回国进私企、外企、自己做生意的情况，这些单位是不查询毕业证真伪的，而且国内没有渠道去查询国外文凭的真假，也不需要提供真实教育部认证。鉴于此，办理一份毕业证【微信bwp0011】即可三、进国企，银行，事业单位，考公务员等等，这些单位是必需要提供真实教育部认证的，办理教育部认证所需资料众多且烦琐，所有材料您都必须提供原件，我们凭借丰富的经验，快捷的绿色通道帮您快速整合材料，让您少走弯路。留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才【关于价格问题（保证一手价格）】我们所定的价格是非常合理的，而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子我给客户的都是第一手的代理价格，因为我想坦诚对待大家不想跟大家在价格方面浪费时间对于老客户或者被老客户介绍过来的朋友，我们都会适当给一些优惠。

J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...

Bert Jan Schrijver

Malibou Pitch Deck For Its €3M Seed Round

sjcobrien

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

Fundamentals of Programming and Language Processors

Rakesh Kumar R

The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...

kalichargn70th171

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

Quickdice ERP

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

mz5nrf0n

原版一模一样【微信：741003700 】【美国纽约州立大学奥尔巴尼分校毕业证学位证书】【微信：741003700 】学位证，留信认证（真实可查，永久存档）offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700 留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才

Unveiling the Advantages of Agile Software Development.pdf

brainerhub1

一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理

dakas1

UMN硕士毕业证成绩单【微信95270640】购买（明尼苏达大学毕业证成绩单硕士学历）Q微信95270640代办UMN学历认证留信网伪造明尼苏达大学学位证书精仿明尼苏达大学本科/硕士文凭证书补办明尼苏达大学 diplomaoffer,Transcript购买明尼苏达大学毕业证成绩单购买UMN假毕业证学位证书购买伪造明尼苏达大学文凭证书学位证书,专业办理雅思、托福成绩单，学生ID卡，在读证明，海外各大学offer录取通知书，毕业证书，成绩单，文凭等材料:1:1完美还原毕业证、offer录取通知书、学生卡等各种在读或毕业材料的防伪工艺（包括烫金、烫银、钢印、底纹、凹凸版、水印、防伪光标、热敏防伪、文字图案浮雕，激光镭射，紫外荧光，温感光标）学校原版上有的工艺我们一样不会少，不论是老版本还是最新版本，都能保证最高程度还原，力争完美以求让所有同学都能享受到完美的品质服务。 #毕业证成绩单 #毕业証 #成绩单 #學生卡 #OFFER录取通知书 #雅思#托福等…… 国外大学明尼苏达大学明尼苏达大学毕业证offer制作方法（一对一专业服务） 1客户提供办理信息：姓名生日专业学位毕业时间等（如信息不确定可以咨询顾问：我们有专业老师帮你查询）； 2开始安排制作毕业证成绩单电子图； 3毕业证成绩单电子版做好以后发送给您确认； 4毕业证成绩单电子版您确认信息无误之后安排制作成品； 5成品做好拍照或者视频给您确认； 6快递给客户（国内顺丰国外DHLUPS等快读邮寄） — — 制作工艺【高仿真】— — 凭借多年的制作经验本公司制作明尼苏达大学明尼苏达大学毕业证offer《激光》《水印》《钢印》《烫金》《紫外线》凹凸版uv版等防伪技术一流高精仿度几乎跟学校100%相同！让您绝对满意。 — — -公司理念【诚信为主】— — — 我們以質量求生存.以服务求发展有雄厚的实力专业的团队咨询顾问为您细心解答可详谈是真是假眼见为实让您真正放心平凡人生,尽我所能助您一臂之力让我們携手圆您梦想! 此贴长年有效【贴心专线/微-信: 95270640】敬请保留此联系方式以备用！如有不在线请给我们留言！我们将在第一时间给您回复!上散发着一抹抹的光晕而这每处自然形成的细节融合在一起浑然天成的美实在令人心生愉悦小道的周边无秩序的生长着几株艳丽的野花红的粉的紫的虽混乱无章却给这幅美景更增添一份性感夹杂着一份纯洁的妖娆毫无违和感实在给人带来一份悠然幸福的心情如果说现在的审美已经断然拒绝了无声的话那么在树林间飞掠而过的小鸟叽叽咋咋的叫声是否就是这最后的点睛之笔悠然走在林间的小路上宁静与清香一丝丝的盛夏气息吸入身体昔日生活里的繁忙多

Measures in SQL (SIGMOD 2024, Santiago, Chile)

Julian Hyde

SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries. SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL. To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context. A talk at SIGMOD, June 9–15, 2024, Santiago, Chile Authors: Julian Hyde (Google) and John Fremlin (Google) https://doi.org/10.1145/3626246.3653374

E-commerce Development Services- Hornet Dynamics

Hornet Dynamics

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...

XfilesPro

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

Peter Muessig

Recently uploaded (20)

How Can Hiring A Mobile App Development Company Help Your Business Grow?

YAML crash COURSE how to write yaml file for adding configuring details

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

UI5con 2024 - Bring Your Own Design System

在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样

J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...

Malibou Pitch Deck For Its €3M Seed Round

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

Fundamentals of Programming and Language Processors

The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

Unveiling the Advantages of Agile Software Development.pdf

一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理

Measures in SQL (SIGMOD 2024, Santiago, Chile)

E-commerce Development Services- Hornet Dynamics

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

Securing AWS Accounts with Hashi Vault

1. Securing AWS Accounts with HashiCorp Vault Shrivatsa Upadhye Cloud Developer Advocate (VMware) Feb 2020

2. 2 whoami (Who am I?) • Cloud Developer Advocate @VMWare • Focused on Public Cloud and Application security • Part of CloudJourneyIO team • Love Cars, Pizza and Netflix Follow me on Twitter/Medium/GitHub/LinkedIn : @ishrivatsa

3. 3 Agenda • Problem Statement • Why do we need Secrets Management? • Overview - HashiCorp Vault • What are Dynamic Secrets? • Demo

4. 4 Problem Statement Access and Secret keys are used in dev and prod environments for deploying applications Restricting privileged access to cloud services is crucial Revoke the access and secret keys when not used or compromised Allow usage of credentials only for limited time Audit and log the usage of credential access Maintaining consistent user experience for managing secrets lifecycle across different environment

5. 5 Why do we need Secrets Management ? • 1. Adoption of Microservices architecture means that these services would communicate with each other and external services by using API keys and other secrets (database passwords), etc • 2. Hardcoding of secrets within an application is NOT a good practice as there is the risk of these secrets being exposed on git repositories. • 3. Hackers usually tend to exploit unencrypted secrets and keys. This is one of the main reasons for data breaches. • 4. Teams working in shared public cloud environments, need strict access controls on who can access what portion of the infrastructure. This will allow for centralized secrets management.

6. 6 Hashi Vault SELF HOSTED AND OPERATED FREEMIUM MODEL – OPENSOURCE AND ENTERPRISE VERSION AVAILABLE ENCRYPTED SECRETS LIFECYCLE MANAGEMENT OF SECRETS – STORE, ROTATE, REVOKE, EXPIRE IDENTITY BASED ACCESS TO SECRETS SUPPORTS POLICIES TO DEFINE PERMISSIONS FOR USERS/SYSTEMS CLOUD AGNOSTIC – WORKS WITH AWS, AZURE AND GOOGLE CLOUD

7. 7 AWS Secrets Manager HashiCorp Vault Fully Managed Self Hosted and Operated Service Seamless secrets rotation for native services like RDS, RedShift and DocumentDB (Might need Lambda for some key rotation) Secrets Rotation must be done with scripts No lease periods for secrets Duration can be set for how long the access to secrets are allowed Coupled to AWS ecosystem Cloud Agnostic i.e. Works with AWS, Azure, and GCP Limited (MariaDB, MySQL, Postgres) or no native integration with Mongo and Kubernetes Integrations for various opensource and licensed databases like Influx, Mongo, Hana as well as Kubernetes secrets Paid service - Charged for API calls as well as storage for every secret Freemium model - They have an Opensource version as well as Enterprise version AWS Secrets Manager vs Hashi Vault

8. 8 Dynamic Secrets • Dynamic secrets, on the other hand, are not stored until the user or client initiates a read or GET call. • Why dynamic secrets ? • Leaky Applications - Dynamic secrets minimize the impact of leaky applications by ensuring credentials are ephemeral. • Audit Trail - Unique credentials per client makes it much easier to do forensics and understand the source of compromise. • Key Rotation - By attaching a lease to secrets and enforcing a maximum time to live, secrets are being automatically rotated. • Revocation - This makes it possible to revoke specific leases in the case of a compromise. Unique credentials limits the blast radius of a revocation, preventing full-service outages

9. 9 Demo

10. 10 Summary • Rotate keys often • Leverage Dynamic Secrets • Set vault policies to restrict access to credentials • Use OAuth integration to improve user experience

11. 11 Thank You @iShrivatsa

Securing AWS Accounts with Hashi Vault

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing AWS Accounts with Hashi Vault

Similar to Securing AWS Accounts with Hashi Vault (20)

Recently uploaded

Recently uploaded (20)

Securing AWS Accounts with Hashi Vault