Securing your AWS Infrastructure with
Hashicorp Vault
@njsaunders
neil@beamly.com
Contents
• A review of AWS security concepts
• Leaks at Beamly
• An Introduction to Hashicorp Vault
• How we use Vault at Beamly
AWS Credentials
Come in pairs:
AWS Access Key ID (20 characters, uppercase alphanumeric; long-lived keys start with AKIA)
AWS Secret Access Key (exactly 40 characters from the base64 alphabet: mixed-case alphanumeric plus / and +)
access_key AKIAJ6QZIDJJPHWZ4STA
secret_key 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
The access key ID only identifies the key; the secret is what signs each request, so the pair is only as safe as the secret.
Ultimately map to one or more “IAM policies”: JSON documents that describe which AWS services the key holder may call and at what level
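The shape described above is enough to go looking for leaked pairs in repositories, logs and tickets. The Python below is an added example, not code from the talk: it scans text for access key IDs of the documented shape, attaches a secret only when a labelled 40-character value sits on the same or a nearby line, tells long-lived AKIA keys from temporary ASIA keys, and redacts findings so they can be pasted into a ticket. SAMPLE is constructed and uses the placeholder key pair from AWS's own documentation, not a real credential.

```python
"""Find AWS key pairs in text, using the shape described on the slide.

Added example, not from the talk. SAMPLE is constructed; the key pair in it is
the placeholder pair from AWS's own documentation, not a real credential.
"""
import re

# Access key ID: 20 uppercase alphanumerics. AKIA... is a long-lived IAM user or
# root key; ASIA... is a temporary STS key, which expires on its own.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret key: 40 characters of the base64 alphabet (no '=' padding in practice).
# Too generic to flag on its own, so it is only reported from a line that also
# carries a "secret" label (aws_secret_access_key, AWS_SECRET_KEY, secret_key...).
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
SECRET_LABEL_RE = re.compile(r"secret", re.IGNORECASE)


def find_leaks(lines, window=3):
    """Return (line_no, access_key, secret_or_None, kind) with 1-based line numbers.
    The secret is looked for on the key's own line and the next window-1 lines,
    which covers single-line export forms and INI files like ~/.aws/credentials."""
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            kind = "long-lived" if key.startswith("AKIA") else "temporary"
            secret = None
            for candidate in lines[i:i + window]:
                if SECRET_LABEL_RE.search(candidate):
                    s = SECRET_RE.search(candidate)
                    if s:
                        secret = s.group(1)
                        break
            findings.append((i + 1, key, secret, kind))
    return findings


def scan_text(text):
    """Convenience wrapper for a whole file's contents."""
    return find_leaks(text.splitlines())


def redact(line):
    """Mask credentials for a log or ticket: keep enough of the key ID to know
    which key to rotate, never any part of the secret."""
    line = ACCESS_KEY_RE.sub(lambda m: m.group(1)[:4] + "****" + m.group(1)[-4:], line)
    if SECRET_LABEL_RE.search(line):
        line = SECRET_RE.sub("****", line)
    return line


# Constructed sample: a credentials file and a shell profile committed by mistake.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEconstructedSessionToken
"""

if __name__ == "__main__":
    for line_no, key, secret, kind in scan_text(SAMPLE):
        status = "secret found" if secret else "no secret nearby"
        print(f"line {line_no}: {kind} key {redact(key)}, {status}")
```

Only the AKIA finding needs an emergency rotation; the ASIA key is a session credential that will expire by itself, which is exactly the property the rest of the talk tries to obtain for every key.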
Sources of Keys
• AWS Root Key
– Delete immediately! It is not subject to any IAM policy, so it cannot be restricted, only removed.
• IAM Roles
– Assigned to machines at launch. Short-lived credentials are generated by AWS, served to the instance through the instance metadata service and rotated automatically (the AWS client libraries fetch and refresh them). As secure as it gets: there is no static key to leak.
• IAM Users
– Assigned static keys that never expire unless somebody rotates them. Needed for entities outside AWS (external services, developers).
Leak 1
[image slide; visible labels: Australia, DC]
Response
• Killed the AWS Root key permanently
• Created IAM Roles for services
• Everyone ran around redeploying old services to use IAM roles instead of static keys
• Created IAM groups with restricted access (platform, engineering, finance)
• Set up an individual IAM user for every engineer
• Put each user in an IAM group
Leak 2
Hashicorp Vault: Introduction
• A tool to securely store secrets
– Passwords
– API Keys
– Anything you want to tightly control access to
• Secrets are encrypted at rest and in transit
• HTTP API
• Uses pluggable backends for storage, authentication and auditing
Hashicorp Vault: Storage Backends
• Vault supports writing encrypted data to a variety of persistence tiers (the backend only ever sees ciphertext):
– etcd
– ZooKeeper
– DynamoDB
– S3
– MySQL
– PostgreSQL
– In-memory (development only; everything is lost on restart)
– Filesystem (single node)
– Consul
• Beamly use Consul
Hashicorp Vault: Authentication Backends
• Before you can read anything from Vault you must authenticate; a successful login returns a Vault token that every later request carries
• Vault provides a variety of authentication backends:
– Username and password
– GitHub
– TLS certificates
– LDAP
• Beamly use LDAP
Hashicorp Vault: Secrets Backends
• In addition to storing static secrets, Vault can generate credentials dynamically on read. Each generated credential is leased; when the lease expires or is revoked, Vault revokes the credential at the source (for AWS, it deletes the IAM user it created)
– AWS
– Cassandra
– PostgreSQL
– MySQL
– MSSQL
– PKI (X.509 certificates)
• Currently Beamly only use the AWS backend
Hashicorp Vault: Policies
Policies control which paths an authenticated token may access. The "engineering" policy below lets a token read dynamic AWS credentials for the engineering role and look up its own token, and nothing else (vault-acl-engineering.json):

path "aws/creds/engineering" {
  policy = "read"
}
path "auth/token/lookup-self" {
  policy = "read"
}

Load the policy, then attach it to the LDAP group so every member of engineering receives it on login:

vault policy-write engineering vault-acl-engineering.json
vault write auth/ldap/groups/engineering policies=engineering
Success! Data written to: auth/ldap/groups/engineering

(policy = "read" is the original policy syntax; later Vault releases express the same grant as capabilities = ["read"], and the CLI command became vault policy write.)
Hashicorp Vault: Beamly Setup
[sequence diagram, reconstructed as steps]
1. Developer -> Vault: authenticate me (username, password)
2. Vault -> LDAP: valid?
3. LDAP -> Vault: yes, and member of groups X & Y
4. Vault -> Developer: Vault authentication token (carrying the policies mapped to X & Y)
5. Developer -> Vault: give me an AWS key & secret (token)
6. Vault -> AWS IAM: create IAM user with permissions for X & Y
7. AWS IAM -> Vault: keys for the new user with X & Y
8. Vault -> Developer: AWS access key & secret key with permissions for X & Y
9. When the lease expires (or the token is revoked), Vault -> AWS IAM: delete user. Vault keeps the token / IAM username pairing so it knows which user to remove.
Making it usable for developers
• Beamly have a Homebrew tap to distribute scripts
• brew install platform-tools
• The Brew formula depends on Vault, so the CLI is installed alongside
• “awsauth” shell script
– Reads the uid
– Prompts the user for their LDAP password
– Authenticates against Vault with the uid:password combination
– Parses the output and extracts the authentication token
– Using that token, reads aws/creds/engineering from the AWS secrets backend (the “engineering” role, by default), which makes Vault create a fresh IAM user and return its key pair
– Exports the AWS environment variables under every common spelling (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and the older AWS_ACCESS_KEY/AWS_SECRET_KEY)
– Writes the credential files of the popular AWS clients (Boto, aws-cli)
– The keys are valid for 1 hour; when the lease expires Vault deletes the IAM user, so a copy that leaks is dead within the hour
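The exchange on the Beamly Setup slide and the awsauth steps above, as an added Python example that is not Beamly's script (theirs is a shell script around the vault CLI): it logs in through the LDAP backend over Vault's HTTP API, reads aws/creds/<role>, and renders both the environment exports and the ~/.aws/credentials profile. The mount points auth/ldap and aws/, the VAULT_ADDR default and the role name "engineering" are assumptions taken from the slides; the canned responses follow the field names of Vault's API documentation and are constructed so the module runs offline.

```python
"""awsauth-style client for Vault's AWS secrets backend, over the HTTP API.

Added example, not Beamly's awsauth script. Assumes the LDAP auth backend is
mounted at auth/ldap and the AWS backend at aws/ (Vault's default mounts) and a
role named "engineering". VAULT_ADDR and the fake responses are constructed.
"""
import io
import json
import os
import time
import urllib.request
from configparser import ConfigParser
from pathlib import Path

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.internal:8200")  # assumed

def http_json(method, path, body=None, token=None, addr=VAULT_ADDR):
    """Real transport: one JSON request against Vault's HTTP API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def ldap_login(uid, password, transport=http_json):
    """POST auth/ldap/login/<uid>; returns the client token Vault issues."""
    resp = transport("POST", f"/v1/auth/ldap/login/{uid}", body={"password": password})
    return resp["auth"]["client_token"]

def read_aws_creds(token, role="engineering", transport=http_json, now=None):
    """GET aws/creds/<role>: Vault creates an IAM user and returns its key pair."""
    resp = transport("GET", f"/v1/aws/creds/{role}", token=token)
    now = int(time.time()) if now is None else now
    return {
        "access_key": resp["data"]["access_key"],
        "secret_key": resp["data"]["secret_key"],
        "lease_id": resp["lease_id"],
        # Vault deletes the IAM user when the lease runs out (1 hour on the slide).
        "expires_at": now + int(resp["lease_duration"]),
    }

def awsauth(uid, password, role="engineering", transport=http_json, now=None):
    """The flow from the slide: LDAP login -> Vault token -> dynamic AWS key pair."""
    token = ldap_login(uid, password, transport)
    return read_aws_creds(token, role, transport, now=now)

def render_env(creds):
    """Lines for eval "$(awsauth)": boto/aws-cli names plus the older short pair."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['access_key']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['secret_key']}",
        f"export AWS_ACCESS_KEY={creds['access_key']}",
        f"export AWS_SECRET_KEY={creds['secret_key']}",
        f"export AWS_CREDS_EXPIRE_AT={creds['expires_at']}",  # lets a prompt warn
    ])

def render_credentials_ini(creds, profile="default", existing=""):
    """~/.aws/credentials text with only the given profile replaced."""
    cp = ConfigParser(interpolation=None)  # store values verbatim, never expand '%'
    cp.read_string(existing)
    cp[profile] = {"aws_access_key_id": creds["access_key"],
                   "aws_secret_access_key": creds["secret_key"]}
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def write_credentials_file(creds, path=None, profile="default"):
    """Create the file 0600 from the start so it is never briefly world-readable."""
    path = Path(path) if path else Path.home() / ".aws" / "credentials"
    path.parent.mkdir(parents=True, exist_ok=True)
    existing = path.read_text() if path.exists() else ""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_credentials_ini(creds, profile, existing))
    os.chmod(path, 0o600)  # a pre-existing file may have had looser permissions

# Constructed stand-in for a Vault server; field names follow Vault's API docs.
FAKE_TOKEN = "constructed-vault-token"
FAKE_RESPONSES = {
    ("POST", "/v1/auth/ldap/login/neil"): {"auth": {"client_token": FAKE_TOKEN}},
    ("GET", "/v1/aws/creds/engineering"): {
        "lease_id": "aws/creds/engineering/constructed-lease-id", "lease_duration": 3600,
        "data": {"access_key": "AKIAIOSFODNN7EXAMPLE",  # AWS docs' placeholder pair
                 "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
}

def fake_transport(method, path, body=None, token=None):
    """Answers like Vault: permission denied for a wrong token, canned JSON otherwise."""
    if method == "GET" and token != FAKE_TOKEN:
        raise PermissionError("403 permission denied")
    return FAKE_RESPONSES[(method, path)]

if __name__ == "__main__":
    print(render_env(awsauth("neil", "ldap-password", transport=fake_transport)))
```

Run as-is it prints the export lines from the fake server; with the default transport it talks to the Vault at VAULT_ADDR. Two things such a script must not do: revoke the Vault token once it has the AWS keys, because dynamic secrets are children of the token that requested them and are revoked with it (the token's TTL also has to outlive the AWS lease for the same reason); and write the credentials file first and chmod it afterwards, which is why the file is created with mode 0600.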
Summary
• Humans fail: Design for it
• Make that philosophy public
• Secrets should exist for the least amount of time possible
• Vault is a well thought out, well documented, flexible tool
Questions?
@njsaunders
neil@beamly.com
awsauth gist: http://bit.ly/1UAMYFG
LONDON
Drury House
34-43 Russell Street
London
WC2B 5HA
NEW YORK CITY
84 Wooster Street
Suite 703
New York
NY 10012
© Beamly 2014. All Rights Reserved.

Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
