Securing Databases with
Dynamic Credentials and
HashiCorp’s Vault
PGDay.Seoul 2019
FB/hyeongchae.lee
Temporary Security Credentials
• When a username and password are needed inside a shell script or config file
• When the development team wants to connect to the production DB server to check a few things
• When one-off accounts are created and deleted frequently
• When a security regulation such as GDPR requires passwords to expire
Ansible : ssh dilemma
HashiCorp
What is HashiCorp's Vault?
Vault's Policies
Vault's Policies
path "postgresql/creds/readonly" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
root@pgsql12:/# ls -la /var/lib/postgresql/data/
drwx------ 19 postgres postgres 4096 Dec 2 02:45 .
drwxr-xr-x 1 postgres postgres 4096 Nov 23 08:10 ..
drwx------ 6 postgres postgres 4096 Dec 2 05:19 base
drwx------ 2 postgres postgres 4096 Dec 2 06:58 global
-rw------- 1 postgres postgres 4535 Dec 2 02:45 pg_hba.conf
HashiCorp's Vault
Vault’s Token
$ vault read postgresql/creds/readonly
Key Value
--- -----
lease_id postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq
lease_duration 1h
lease_renewable true
password ee1a06db-9d28-2e74-41fc-c97a8d137dd8
username token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa
Dynamically Securing Databases using Vault
Diagram (Security Team, Vault, PostgreSQL, APPs), steps 1 to 4:
1. Security Team defines secret policies in Vault
2. Vault rotates the root credentials (username : root / password : password becomes username : root / password : newpassword)
3. Vault creates DB credentials (username : token-a6c161c… / password : ee1a06db-9d…)
4. App gets a unique set of DB credentials to connect, then reads / writes from DB
PostgreSQL Secrets Engine
$ export VAULT_ADDR="http://127.0.0.1:8200"
$ export VAULT_TOKEN="vault"
$ vault secrets enable postgresql
# dba admin / superuser
$ vault write postgresql/config/connection \
    connection_url="postgresql://root:root@172.16.100.1:5432/postgres?sslmode=disable"
# create user and role
$ vault write postgresql/roles/readonly \
    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
# get credential
$ vault read postgresql/creds/readonly
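Added example, not code from the slides or the linked repository: a small Python helper that parses the `vault read postgresql/creds/readonly` table shown on slide 9, decides when the 1h lease must be renewed before Vault revokes the role, and builds the application's libpq URL from the dynamic username and password. The function names and the 10-minute renewal margin are my own choices; the sample table is constructed from the slide's values.

```python
import re
from urllib.parse import quote

# Constructed sample: the key/value table that `vault read postgresql/creds/readonly`
# printed on slide 9 (same illustrative values as the slide, not live credentials).
SAMPLE_VAULT_READ = """\
Key                Value
---                -----
lease_id           postgresql/creds/readonly/Dw35ApjCjE3x4WolwcD4GTgq
lease_duration     1h
lease_renewable    true
password           ee1a06db-9d28-2e74-41fc-c97a8d137dd8
username           token-a6c161c7-dbee-b2b1-4ede-7300ed4350fa
"""

_DURATION_RE = re.compile(r"^(\d+)([smh])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_vault_read(text):
    """Turn the two-column `vault read` table into a dict, skipping the header rows."""
    creds = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue
        creds[parts[0]] = parts[1].strip()
    for required in ("lease_id", "lease_duration", "username", "password"):
        if required not in creds:
            raise ValueError("vault read output is missing %s" % required)
    return creds


def lease_ttl_seconds(creds):
    """Convert Vault's short duration form ('1h', '30m', '45s') into seconds."""
    m = _DURATION_RE.match(creds["lease_duration"])
    if not m:
        raise ValueError("unsupported lease_duration: %r" % creds["lease_duration"])
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def should_renew(creds, elapsed_seconds, margin_seconds=600):
    """True when the lease is renewable and at most margin_seconds of it remain.
    The caller measures elapsed_seconds from the moment `vault read` returned; when
    the lease expires Vault revokes the role in PostgreSQL, so an app must renew
    before that point or fetch a fresh credential."""
    if creds.get("lease_renewable", "false").lower() != "true":
        return False
    return lease_ttl_seconds(creds) - elapsed_seconds <= margin_seconds


def connection_url(creds, host, port=5432, dbname="postgres", sslmode="require"):
    """Build a libpq URL from the dynamic credentials. Slide 11 configures Vault's own
    connection with sslmode=disable; an application should not copy that setting,
    since the short-lived password would then cross the network in cleartext."""
    return "postgresql://%s:%s@%s:%d/%s?sslmode=%s" % (
        quote(creds["username"], safe=""), quote(creds["password"], safe=""),
        host, port, dbname, sslmode)


if __name__ == "__main__":
    c = parse_vault_read(SAMPLE_VAULT_READ)
    print("lease %s valid for %d s" % (c["lease_id"], lease_ttl_seconds(c)))
    print("renew after 50 min?", should_renew(c, 50 * 60))
    # 172.16.100.1 is the DB host used on slide 11.
    print(connection_url(c, "172.16.100.1"))
```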
Diagram (steps 1 to 3): no policies; get token; connect; create credential; get credential
Approval Workflow
Diagram (steps 1 to 5): Developer; Dev Manager ("You're fired"); DevOps; Update; /request_pgsql_access; Auth / Role
Access Workflow
Diagram (steps 1 to 6): Developer; SQLGate / flyway; psql client / Token CLI / HTTP API; Auth / Role; Personal Identification
https://github.com/sql2/PostgreSQL_with_Dynamic_Credentials