SlideShare une entreprise Scribd logo

AWS Secrets Manager

Amazon Web Services
Amazon Web Services

For customers with hundreds or thousands of secrets, like database credentials and API keys, manually rotating and managing access to those secrets can be complex and cause application disruptions. AWS Secrets Manager protects access to your IT resources by enabling you to easily and centrally rotate and manage access to secrets. In this session, we explore the benefits and key features of Secrets Manager. We demonstrate how to safely rotate secrets, manage access to secrets with fine-grained access policies, and centrally secure and audit your secrets.

1  sur  31
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Overview AWS Secrets Manager enables customers to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. • IT Admins: store and manage access to secrets securely and at scale • Security Admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications • Developers: avoid dealing with secrets in their applications
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What do customers want to do? Use secrets within their applications to connect to databases, APIs, and other resources Rotate those secrets regularly Specify and control where, how, and by whom secrets are used
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What challenges are they facing? Existing solutions are complex to operate or too expensive Unreliable rotation processes result in outages Too many humans with unnecessary access to secrets
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager Lifecycle management for secrets such as database credentials and API keys. Rotate Secrets Safely Pay as you goManage access with fine-grained policies Secure and audit secrets centrally
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Features Rotate Secrets Safely Fine-grained access control • Built-in integrations for rotating MySQL, PostgreSQL, and Amazon Aurora on RDS • Extensible with Lambda • Use versioning so that applications don’t break when secrets are rotated • IAM policies • Tag-based access control and hierarchical names for scalability • Resource-based policies for cross-account access
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Features • Encrypted by default using encryption keys owned by the customer • Integrated with CloudTrail, CloudWatch. E.g., send a SNS notification when an administrator deletes a secret • No annual license or up front cost • $0.40 per secret per month (pro-rated based on the number of hours) • $0.05 per 10,000 API calls Pay as you go Secure, audit, and monitor
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Comparing AWS Systems Manager Parameter Store AWS Systems Manager Parameter Store AWS Secrets Manager • A service to store & retrieve configuration data, including secrets. • Build and schedule your own rotation using Lambda and other AWS services. • Free service most appropriate for customers without specific rotation requirements. • A service to manage the lifecycle for secrets in your organization. • Routinely, confidently, and automatically rotate secrets to help meet security and compliance requirements. • Underlying technology developed for managing secrets internally at Amazon. • Paid service for customers who derive value from reliable and safe rotation.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration 1 Store and retrieve Secret
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration Recap • Load secret • Initial secret loaded into Secrets Manager for management. • Verify permissions and rotation configuration. • Retrieve secret • Application code retrieves authorized secrets from Secrets Manager. • Credentials and permissions provided by IAM role attached to EC2. • Rotate secret • On-demand rotation of secret initiated. • Secrets Manager rotates credential in backend resource. • New version of secret returned via Secrets Manager API calls.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical Use Cases
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – Use secret within application Connect to database from application code • DBA loads application specific database credentials into AWS Secrets Manager. • DevOps engineer deploys application with an attached AWS IAM role. • Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credentials, and connects to the database.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Retrieve Secret AWS Resources Your Code EC2 Instance Other Resources AWS credentials via IAM roles DB creds loaded Safe rotation Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rotate Secret (Custom) AWS Secrets Manager Your Code Custom Backend Resource (e.g. 3rd party API key) 1) Rotation event 2) Multi-step rotation (create, set, test, finish) 3) Operations per rotation strategy supported by backend Custom Lambda Rotator (You write) 4) New cred promoted to active 5) Secret retrieval 6) Connection using new credential
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration 2 Manage and retrieve database credential
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – rotate secret Rotate database credentials used by application code without interruption • Secrets Manager creates a new credential with equivalent permissions. • The new credential is promoted and returned via subsequent Secrets Manager API calls. • Secrets Manager safely disables the original credential.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rotate Secret (Integrated) AWS Secrets Manager Your Code Integrated Backend Resource 1) Rotation event 2) New credential creation initiated 3) New credential creation completed 4) New credential promoted to active 5) Secret retrieval gets new version 6) Connection using new credential
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – control access, monitor, and audit secret Use the AWS eco-system to control access, monitor, and audit secrets • IAM policies for access control • Tag-based access control • Resource-based policies for access control
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Background: IAM Roles AWS Resources Your Code Operating System EC2 Instance AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Also works with AWS Lambda & Amazon ECS
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using IAM policies { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], "Resource": "arn:aws:secretsmanager:us-east-2:476697075236:secret:My_Test_Secret/*" } ] }
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using Tags { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Action": ["secretsmanager:Describe*", "secretsmanager:GetSecretValue"], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "secretsmanager:ResourceTag/<TAG_KEY>": "<TAG_VALUE>" } } } ] }
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using resource-based policies { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT_NUMBER:role/demo_role"}, "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}} } ] } $aws secretsmanager put-resource-policy --secret-id MY_TEST_SECRET --resource-policy file://RESOURCE_POLICY.json
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. At-rest • Secrets encrypted at rest using AWS Key Management Service (KMS). • Choose your desired Customer Master Key (CMK) or AWS managed default encryption key. Encryption In-transit • Secrets encrypted in transit using Transport Layer Security (TLS). • All API calls authenticated by SigV4 verification. All secrets protected at-rest and in-transit
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Audit access – using AWS CloudTrail
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Monitor access – using Amazon CloudWatch
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integration With Parameter Store
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. As you get started… 1. No plaintext secrets 2. Unique secrets per region, per environment, per account 3. Rotate secrets regularly 4. Control permissions 5. Tags and hierarchical names to scale secrets management 6. Monitor and audit use; deprecate unused secrets 7. No charge for versions of a secret; no charge for using the default encryption key
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions?
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Use Cases
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced use cases – manage and rotate Twitter API key Step 1: Store a Twitter API key and bearer token in Secrets Manager. Step 2: Create a custom Lambda function to rotate the bearer token. Step 3: Configure your application to retrieve the bearer token from Secrets Manager. Step 4: Configure Secrets Manager to use the custom Lambda function to rotate the bearer token automatically. Detailed instructions available at: https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and- bearer-token-automatically-with-aws-secrets-manager/

Recommandé

Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
Amazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
Amazon Web Services
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
Amazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services
 
Understanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech TalksUnderstanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech Talks
Amazon Web Services
 

Recommandé

Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
Amazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
Amazon Web Services
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
Amazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services
 
Understanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech TalksUnderstanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech Talks
Amazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
Amazon Web Services
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
Amazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
Bryant Poush
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMS
Ricardo Schmidt
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
Amazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
Amazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
Amazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Amazon Web Services
 
Iam presentation
Iam presentationIam presentation
Iam presentation
AWS UG PK
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
Amazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
Amazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
CloudHesive
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
Amazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
Jason Poley
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Amazon Web Services
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Amazon Web Services
 

Contenu connexe

Tendances

AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
Amazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Amazon Web Services
 

Tendances (20)

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMS
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Iam presentation
Iam presentationIam presentation
Iam presentation
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 

Similaire à AWS Secrets Manager

Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Amazon Web Services
 
Introduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption FrameworkIntroduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption Framework
Amazon Web Services
 
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Amazon Web Services
 
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Amazon Web Services
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
Amazon Web Services
 

Similaire à AWS Secrets Manager (20)

Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
 
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Introduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption FrameworkIntroduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption Framework
 
HSBC and AWS Day - Security Identity and Access Management
HSBC and AWS Day - Security Identity and Access ManagementHSBC and AWS Day - Security Identity and Access Management
HSBC and AWS Day - Security Identity and Access Management
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Introduction to Threat Detection and Remediation
Introduction to Threat Detection and RemediationIntroduction to Threat Detection and Remediation
Introduction to Threat Detection and Remediation
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
 
Introduction to AWS for Mobile Developers
Introduction to AWS for Mobile DevelopersIntroduction to AWS for Mobile Developers
Introduction to AWS for Mobile Developers
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Secrets Manager

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Overview AWS Secrets Manager enables customers to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. • IT Admins: store and manage access to secrets securely and at scale • Security Admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications • Developers: avoid dealing with secrets in their applications
  • 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What do customers want to do? Use secrets within their applications to connect to databases, APIs, and other resources Rotate those secrets regularly Specify and control where, how, and by whom secrets are used
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What challenges are they facing? Existing solutions are complex to operate or too expensive Unreliable rotation processes result in outages Too many humans with unnecessary access to secrets
  • 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager Lifecycle management for secrets such as database credentials and API keys. Rotate Secrets Safely Pay as you goManage access with fine-grained policies Secure and audit secrets centrally
  • 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Features Rotate Secrets Safely Fine-grained access control • Built-in integrations for rotating MySQL, PostgreSQL, and Amazon Aurora on RDS • Extensible with Lambda • Use versioning so that applications don’t break when secrets are rotated • IAM policies • Tag-based access control and hierarchical names for scalability • Resource-based policies for cross-account access
  • 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Key Features • Encrypted by default using encryption keys owned by the customer • Integrated with CloudTrail, CloudWatch. E.g., send a SNS notification when an administrator deletes a secret • No annual license or up front cost • $0.40 per secret per month (pro-rated based on the number of hours) • $0.05 per 10,000 API calls Pay as you go Secure, audit, and monitor
  • 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Comparing AWS Systems Manager Parameter Store AWS Systems Manager Parameter Store AWS Secrets Manager • A service to store & retrieve configuration data, including secrets. • Build and schedule your own rotation using Lambda and other AWS services. • Free service most appropriate for customers without specific rotation requirements. • A service to manage the lifecycle for secrets in your organization. • Routinely, confidently, and automatically rotate secrets to help meet security and compliance requirements. • Underlying technology developed for managing secrets internally at Amazon. • Paid service for customers who derive value from reliable and safe rotation.
  • 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration 1 Store and retrieve Secret
  • 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration Recap • Load secret • Initial secret loaded into Secrets Manager for management. • Verify permissions and rotation configuration. • Retrieve secret • Application code retrieves authorized secrets from Secrets Manager. • Credentials and permissions provided by IAM role attached to EC2. • Rotate secret • On-demand rotation of secret initiated. • Secrets Manager rotates credential in backend resource. • New version of secret returned via Secrets Manager API calls.
  • 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical Use Cases
  • 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – Use secret within application Connect to database from application code • DBA loads application specific database credentials into AWS Secrets Manager. • DevOps engineer deploys application with an attached AWS IAM role. • Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credentials, and connects to the database.
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Retrieve Secret AWS Resources Your Code EC2 Instance Other Resources AWS credentials via IAM roles DB creds loaded Safe rotation Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials
  • 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rotate Secret (Custom) AWS Secrets Manager Your Code Custom Backend Resource (e.g. 3rd party API key) 1) Rotation event 2) Multi-step rotation (create, set, test, finish) 3) Operations per rotation strategy supported by backend Custom Lambda Rotator (You write) 4) New cred promoted to active 5) Secret retrieval 6) Connection using new credential
  • 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstration 2 Manage and retrieve database credential
  • 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – rotate secret Rotate database credentials used by application code without interruption • Secrets Manager creates a new credential with equivalent permissions. • The new credential is promoted and returned via subsequent Secrets Manager API calls. • Secrets Manager safely disables the original credential.
  • 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rotate Secret (Integrated) AWS Secrets Manager Your Code Integrated Backend Resource 1) Rotation event 2) New credential creation initiated 3) New credential creation completed 4) New credential promoted to active 5) Secret retrieval gets new version 6) Connection using new credential
  • 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Typical use cases – control access, monitor, and audit secret Use the AWS eco-system to control access, monitor, and audit secrets • IAM policies for access control • Tag-based access control • Resource-based policies for access control
  • 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Background: IAM Roles AWS Resources Your Code Operating System EC2 Instance AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Also works with AWS Lambda & Amazon ECS
  • 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using IAM policies { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], "Resource": "arn:aws:secretsmanager:us-east-2:476697075236:secret:My_Test_Secret/*" } ] }
  • 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using Tags { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Action": ["secretsmanager:Describe*", "secretsmanager:GetSecretValue"], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "secretsmanager:ResourceTag/<TAG_KEY>": "<TAG_VALUE>" } } } ] }
  • 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Access control – using resource-based policies { "Version" : "2012-10-17", "Statement" : [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT_NUMBER:role/demo_role"}, "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}} } ] } $aws secretsmanager put-resource-policy --secret-id MY_TEST_SECRET --resource-policy file://RESOURCE_POLICY.json
  • 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. At-rest • Secrets encrypted at rest using AWS Key Management Service (KMS). • Choose your desired Customer Master Key (CMK) or AWS managed default encryption key. Encryption In-transit • Secrets encrypted in transit using Transport Layer Security (TLS). • All API calls authenticated by SigV4 verification. All secrets protected at-rest and in-transit
  • 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Audit access – using AWS CloudTrail
  • 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Monitor access – using Amazon CloudWatch
  • 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integration With Parameter Store
  • 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. As you get started… 1. No plaintext secrets 2. Unique secrets per region, per environment, per account 3. Rotate secrets regularly 4. Control permissions 5. Tags and hierarchical names to scale secrets management 6. Monitor and audit use; deprecate unused secrets 7. No charge for versions of a secret; no charge for using the default encryption key
  • 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!
  • 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions?
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced Use Cases
  • 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Advanced use cases – manage and rotate Twitter API key Step 1: Store a Twitter API key and bearer token in Secrets Manager. Step 2: Create a custom Lambda function to rotate the bearer token. Step 3: Configure your application to retrieve the bearer token from Secrets Manager. Step 4: Configure Secrets Manager to use the custom Lambda function to rotate the bearer token automatically. Detailed instructions available at: https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and- bearer-token-automatically-with-aws-secrets-manager/