© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Introduction to AWS Secrets Manager
Dave McDermitt,
Advisor – Global Security / Risk / Compliance
AWS Professional Services
What is a secret?
• Definition: Something that is meant to be kept unknown or unseen by others.
• In our context we’ll limit our consideration of secrets to those related to securing information
• Many different types:
– Authenticators
• Passwords
• API keys
– Encryption keys
• Symmetric
• Asymmetric
– Etc…
But what is the most important aspect of a secret?
• Definition: Something that is meant to be kept unknown or unseen by others.
• The problem:
– How do you keep something unknown or unseen if it has to be shared in order to be used?
What are the challenges?
• Existing solutions are complex to operate or too expensive
• Unreliable rotation processes
• Too many humans with unnecessary access to secrets
What do you need to do?
• Connect to databases, APIs, and other resources, using the secrets that existing resources require.
• Rotate secrets regularly without breaking stuff.
• Maintain control and visibility over where, how, and by whom secrets are used.
Introducing AWS Secrets Manager
Lifecycle management for secrets such as database credentials and API keys.
• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go
Key Features
• Safe rotation of secrets
• Built-in integrations, extensible with Lambda
• On-demand or automatic rotation with versioning
• Fine-grained access policies
• Encrypted storage
• Logging and monitoring
Typical Use Cases
Connect to database from application code
• DBA loads application specific database credentials into AWS Secrets Manager.
• DevOps engineer deploys application with an attached AWS IAM role.
• Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credentials, and connects to the database.
Typical Use Cases
Rotate database credentials used by application code without interruption
• Secrets Manager creates a new credential with equivalent permissions.
• The new credential is promoted and returned via subsequent Secrets Manager API calls.
• Secrets Manager safely disables the original credential.
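The two use cases above (bootstrapping from a secret, then surviving a rotation) as an added example that is not part of the deck: the consumer caches the AWSCURRENT version and, because the original credential is disabled after promotion, treats an authentication failure as the cue to re-read the secret once and retry. The client is only assumed to have the boto3 `get_secret_value(SecretId=..., VersionStage=...)` shape; the backend, secret name and credentials are constructed stand-ins.

```python
import json

class SecretConsumer:
    """Caches the AWSCURRENT version of a secret; refreshes it when it stops working."""
    def __init__(self, client, secret_id):
        self.client = client            # boto3-style Secrets Manager client (assumed shape)
        self.secret_id = secret_id
        self._cached = None
    def credential(self, force_refresh=False):
        if self._cached is None or force_refresh:
            resp = self.client.get_secret_value(SecretId=self.secret_id, VersionStage="AWSCURRENT")
            self._cached = json.loads(resp["SecretString"])
        return self._cached
    def connect(self, dial):
        # After rotation promotes a new version the old credential is disabled, so an auth
        # failure is the signal to fetch AWSCURRENT once more and retry with the new value.
        creds = self.credential()
        try:
            return dial(creds["username"], creds["password"])
        except PermissionError:
            creds = self.credential(force_refresh=True)
            return dial(creds["username"], creds["password"])

class FakeBackend:
    """Constructed stand-in for both the AWS client and the database it protects."""
    def __init__(self):
        self.versions = {"AWSCURRENT": {"username": "app", "password": "v1"}}
        self.calls = 0
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1       # only the response keys the consumer reads are modelled
        return {"Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": json.dumps(self.versions[VersionStage])}
    def rotate(self, new_password):
        # Steps 2-4 of the deck: create the new credential, then promote it to AWSCURRENT.
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = {"username": "app", "password": new_password}
    def dial(self, user, password):
        # The database accepts only the promoted credential; the original one is disabled.
        if self.versions["AWSCURRENT"] != {"username": user, "password": password}:
            raise PermissionError("authentication failed")
        return f"connected as {user}/{password}"

def demo():
    backend = FakeBackend()
    consumer = SecretConsumer(backend, "prod/app/db")   # constructed secret name
    first = consumer.connect(backend.dial)
    backend.rotate("v2")                                # rotation happens behind the application
    second = consumer.connect(backend.dial)
    return first, second, backend.calls                 # ("connected as app/v1", "connected as app/v2", 2)
```

Without the retry, a process that cached the credential at startup keeps failing after every rotation; with it, the only cost is one extra API call per rotation.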
Typical Use Cases
Store application secrets
• Application authenticates user with Open ID Connect, and uses access token to make API calls on behalf of user.
• Application stores OAuth refresh token in Secrets Manager.
• When access token expires, the app retrieves refresh token and uses it to fetch a new access token.
Technical Deep Dive
Background: IAM Roles
[Diagram: an EC2 instance running your code on its operating system. AWS credentials are auto delivered and rotated to the instance, auto discovered and used by your code, and access to AWS resources is controlled by the policy attached to the role.]
Also works with AWS Lambda & Amazon ECS
Retrieve Secret
[Diagram: the same EC2 instance, with AWS credentials plumbed (as before). Your code makes an authorized call to Secrets Manager, the DB creds are returned and loaded, and the connection to the other resources is established; Secrets Manager handles safe rotation.]
Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials
Rotate Secret (Integrated)
[Diagram: AWS Secrets Manager, your code, and the integrated backend resource]
1) Rotation event
2) New credential creation initiated
3) New credential creation completed
4) New credential promoted to active
5) Secret retrieval gets new version
6) Connection using new credential
Fine grained access controls
Implement using IAM Policies
• Specify permissions attached to IAM principals (roles, users, or groups).
• Control secret management (e.g. rotation, metadata) and use (e.g. retrieval) independently.
• Use secret id or tags to define fine grained access controls to collections of secrets or an individual secret.
Controlling management and access to secrets
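The management/use split described above, as an added example that is not from the deck: Python generates two tag-scoped IAM policy documents, one for the operators who rotate secrets and one for the workload that reads them, and a small lint flags any policy that grants both planes to one principal. The account id, ARN pattern and the tag app=billing are constructed assumptions; the actions and the secretsmanager:ResourceTag condition key are real.

```python
import json

# Constructed ARN pattern; the trailing * also covers the random suffix Secrets Manager
# appends to a secret's name.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/*"

# Management plane: changes a secret, its metadata or its rotation. CreateSecret is left out
# because a ResourceTag condition cannot match a secret that does not exist yet.
MANAGE_ACTIONS = ["secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret",
                  "secretsmanager:RotateSecret", "secretsmanager:TagResource",
                  "secretsmanager:DeleteSecret"]
# Use plane: what an application needs in order to read a secret.
USE_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]

def tagged_policy(actions, tag_key, tag_value):
    """Allow the given actions only on secrets carrying tag_key=tag_value."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": actions,
        "Resource": SECRET_ARN,
        "Condition": {"StringEquals": {f"secretsmanager:ResourceTag/{tag_key}": tag_value}},
    }]}

def dba_policy():
    return tagged_policy(MANAGE_ACTIONS, "app", "billing")   # operators rotate, never read

def app_policy():
    return tagged_policy(USE_ACTIONS, "app", "billing")      # the workload reads, never rotates

def _actions(statement):
    acts = statement["Action"]
    return [acts] if isinstance(acts, str) else list(acts)

def mixes_planes(policy):
    """Lint: True if any Allow statement grants both management and retrieval rights, or a
    wildcard that implies both. Such a principal can rotate a secret and then read the result."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = set(_actions(st))
        if acts & {"*", "secretsmanager:*"}:
            return True
        if acts & set(MANAGE_ACTIONS) and acts & set(USE_ACTIONS):
            return True
    return False

if __name__ == "__main__":
    for name, doc in (("dba", dba_policy()), ("app", app_policy())):
        print(name, "mixes planes:", mixes_planes(doc))
        print(json.dumps(doc, indent=2))
```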
Encryption
At-rest
• Secrets encrypted at rest using AWS Key Management Service (KMS).
• Choose your desired Customer Master Key (CMK) or AWS managed default encryption key.
In-transit
• Secrets encrypted in transit using Transport Layer Security (TLS).
• All API calls authenticated by SigV4 verification.
All secrets protected at-rest and in-transit
Comparing AWS Systems Manager Parameter Store
AWS Systems Manager Parameter Store
• Secure storage for configuration data, which can include secrets.
• Reference values using the unique name specified during creation.
• Use parameters in scripts for configuration and automation.
AWS Secrets Manager
• A service to manage the lifecycle for secrets in your organization.
• Helps you meet security and compliance requirements by rotating secrets automatically.
• Built-in integrations for Amazon RDS that can rotate database credentials on your behalf.
• Extensible via Lambda.
Pricing & Availability
• Pay only for what you use. No minimum fee.
• Two dimensions: storage and access.
– Storage: $0.40 per month per secret
– Access: $0.05 per 10,000 API calls (reads and writes)
• Currently available in:
– US East (N. Virginia & Ohio), US West (N. California & Oregon)
– Asia Pacific (Mumbai, Seoul, Singapore, Sydney, Tokyo)
– EU (Frankfurt, Ireland, London)
– Canada (Central), South America (Sao Paulo)
Getting Started
Setup
• Grant permissions to manage secrets to appropriate IAM roles, users, or groups (IAM Administrator action)
Store Secret
• Choose secret type
• Choose encryption key
• Select associated resource
• Configure rotation
• Provide initial value
Retrieve Secret
• Retrieve secret using CLI, API, or AWS Management Console
Questions
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS
Backups
