Securing your AWS Infrastructure with
Hashicorp Vault
@njsaunders
neil@beamly.com
Contents
• A review of AWS security concepts
• Leaks at Beamly
• An Introduction to Hashicorp Vault
• How we use Vault at Beamly
AWS Credentials
Come in pairs:
AWS Access Key ID (20 characters, uppercase alphanumeric)
AWS Secret Key (Exactly 40 characters, mixed case alphanumeric with symbols)
access_key AKIAJ6QZIDJJPHWZ4STA
secret_key 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
Each key pair ultimately maps to one or more “IAM policies”: JSON documents that describe which AWS services you can interact with and at what level.
Sources of Keys
• AWS Root Key
– Delete Immediately!
• IAM Roles
– Assigned to machines on boot – credentials dynamically generated and automatically rotated (managed by the AWS client libraries). As secure as it gets.
• IAM Users
– Assigned static keys – used by entities outside of AWS (external services, developers)
Leak 1
[Slide figure: map with the labels “Australia” and “DC”]
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Response
• Killed the AWS Root key permanently
• Created IAM Roles for services
• Everyone ran around redeploying old services to use IAM
• Created IAM groups with restricted access (platform, engineering, finance)
• Set up individual IAM account for every engineer
• Put each user in an IAM group
Leak 2
Hashicorp Vault: Introduction
• A tool to securely store secrets
– Passwords
– API Keys
– Anything you want to tightly control access to
• Secrets are encrypted at rest and in transit
• HTTP API
• Uses pluggable back ends for storage/authentication/auditing
Hashicorp Vault: Storage Backends
• Vault supports writing encrypted data to a variety of persistence tiers:
– etcd
– zookeeper
– dynamodb
– s3
– mysql
– PostgreSQL
– Memory
– Filesystem
– consul
• Beamly use Consul
Hashicorp Vault: Authentication Backends
• Before you can read data from Vault you need to authenticate
• Vault provides a variety of authentication backends:
– Username and password
– Github
– TLS Certificates
– LDAP
• Beamly use LDAP
Hashicorp Vault: Secrets Backends
• In addition to storing static secrets, Vault supports dynamically generating credentials on read:
– AWS
– Cassandra
– PostgreSQL
– MySQL
– MSSQL
– PKI – X509 Certificates
• Currently Beamly only use the AWS backend
Hashicorp Vault: Policies
Control which secrets an authenticated Vault user can access, using a policy written in HCL:

path "aws/creds/engineering" {
  policy = "read"
}

path "auth/token/lookup-self" {
  policy = "read"
}

Map the LDAP group “engineering” onto the policy, then load the policy document:

vault write auth/ldap/groups/engineering policies=engineering
Success! Data written to: auth/ldap/groups/engineering

vault policy-write engineering vault-acl-engineering.json
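As an added example (not from the slides and not Vault's own code), a small evaluator of the older `policy = ...` form shown above, useful for checking what an LDAP group's policy actually grants before mapping it. It assumes Vault's documented precedence as I read it: an exact path beats a glob, the longest glob prefix wins, an explicit deny overrides when a token holds several policies, and any unmatched path is denied.

```python
"""Evaluate the slide's Vault ACL: may a token holding these policies 'read' a path?
Added example, not Vault's own evaluator; the precedence rules below are assumptions."""
import re

# The engineering policy exactly as written on the slide (older `policy = ...` HCL form).
ENGINEERING_POLICY = '''
path "aws/creds/engineering" {
  policy = "read"
}
path "auth/token/lookup-self" {
  policy = "read"
}
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')
LEVELS = {"deny": 0, "read": 1, "write": 2, "sudo": 3}  # each level includes the ones below

def parse_policy(text):
    """Return [(path, level), ...] via a tiny regex parser for the slide's form (not a full HCL parser)."""
    return RULE_RE.findall(text)

def matching_rule(rules, request_path):
    """Exact path wins; else the longest glob prefix (trailing '*'); else None, i.e. implicit deny."""
    exact = [lvl for p, lvl in rules if p == request_path]
    if exact:
        return exact[0]
    globs = [(len(p), lvl) for p, lvl in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return max(globs)[1] if globs else None

def allowed(policies, request_path, want):
    """Merge every policy attached to the token: an explicit deny anywhere wins, otherwise the
    most permissive level; a path no policy mentions is denied (least privilege by default)."""
    levels = [matching_rule(parse_policy(p), request_path) for p in policies]
    levels = [lvl for lvl in levels if lvl is not None]
    if not levels or "deny" in levels:
        return False
    return max(LEVELS[lvl] for lvl in levels) >= LEVELS[want]
```

With only the engineering policy, a token can read aws/creds/engineering but not aws/creds/platform, and cannot write anywhere.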
Hashicorp Vault: Beamly Setup
[Sequence diagram on the slide, reconstructed from its message labels; the participants are the developer, Vault, LDAP and AWS]
• Developer → Vault: Authenticate me (username, password)
• Vault → LDAP: Valid?
• LDAP → Vault: Yes, and member of X & Y
• Vault → Developer: Vault authentication token
• Developer → Vault: Give me an AWS key & secret (token)
• Vault → AWS: Create IAM user with permissions for X & Y
• AWS → Vault: IAM tokens for a new user with X & Y
• Vault → Developer: AWS key & secret key with permissions for X & Y
• Later, using the token/IAM username mapping it recorded, Vault → AWS: Delete user
Making it usable for developers
• Beamly have a homebrew tap to distribute scripts
• brew install platform-tools
• Brew formula dependency on Vault
• “awsauth” shell script
– Reads the uid
– Prompts the user for their LDAP password
– Authenticates against Vault using the uid:password combination
– Parses the output and reads the authentication token
– Calls Vault to read the AWS secrets backend for the “engineering” policy (by default) using the authentication token previously generated
– Sets every combination of AWS environment variables
– Writes all popular AWS client files (Boto, aws-cli)
– Valid for 1 hour
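The same flow as an added example in Python (not Beamly's awsauth script, whose gist is linked below, and not code from the slides): it covers the Beamly Setup sequence above and the awsauth steps just listed, using Vault's HTTP API directly instead of the vault CLI. The Vault address, the role name “engineering” and the sample responses are assumptions; the file and variable names are the ones aws-cli and boto read.

```python
"""awsauth-style client (added example, not Beamly's script): LDAP login to Vault, then lease AWS keys."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.internal:8200")  # assumed address

def vault_request(path, token=None, body=None):
    """One call to Vault's HTTP API; needs a live Vault, so the offline tests never hit it."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method="POST" if data else "GET")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def token_from_login(response):
    """auth/ldap/login/<uid> answers with the client token under 'auth'."""
    return response["auth"]["client_token"]

def creds_from_lease(response):
    """aws/creds/<role> answers with a new IAM user's key pair plus the lease whose expiry deletes that user."""
    d = response["data"]
    return {"access_key": d["access_key"], "secret_key": d["secret_key"],
            "lease_id": response["lease_id"], "lease_duration": response["lease_duration"]}

def env_exports(creds):
    """Both env-var spellings the common SDKs read (boto and aws-cli use the *_ID / *_ACCESS_KEY pair)."""
    return {"AWS_ACCESS_KEY_ID": creds["access_key"], "AWS_ACCESS_KEY": creds["access_key"],
            "AWS_SECRET_ACCESS_KEY": creds["secret_key"], "AWS_SECRET_KEY": creds["secret_key"]}

def render_ini(section, creds):
    """aws-cli reads [default] from ~/.aws/credentials; boto reads [Credentials] from ~/.boto."""
    return f"[{section}]\naws_access_key_id = {creds['access_key']}\naws_secret_access_key = {creds['secret_key']}\n"

def awsauth(uid, password, role="engineering"):
    """The slide's flow end to end: LDAP login -> Vault token -> aws/creds/<role> -> env vars + client files."""
    token = token_from_login(vault_request(f"auth/ldap/login/{uid}", body={"password": password}))
    creds = creds_from_lease(vault_request(f"aws/creds/{role}", token=token))
    os.environ.update(env_exports(creds))
    home = os.path.expanduser("~")
    os.makedirs(os.path.join(home, ".aws"), exist_ok=True)
    for rel, section in ((".aws/credentials", "default"), (".boto", "Credentials")):
        # newly created credential files are owner-readable only (mode applies on creation)
        with open(os.path.join(home, rel), "w", opener=lambda p, f: os.open(p, f, 0o600)) as fh:
            fh.write(render_ini(section, creds))
    return creds

# Constructed sample of a Vault aws/creds response (shape as Vault documents it; every value is fake).
SAMPLE_LEASE = {"lease_id": "aws/creds/engineering/constructed-lease", "lease_duration": 3600,
                "data": {"access_key": "AKIACONSTRUCTED00001", "secret_key": "constructed/secret+key"}}
```

The lease_duration of 3600 seconds is what gives the one-hour validity: when the lease expires, Vault deletes the IAM user it created, so the key pair stops working without anyone having to rotate it.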
Summary
• Humans fail: Design for it
• Make that philosophy public
• Secrets should exist for the least amount of time possible
• Vault is a well thought out, well documented, flexible tool
Questions?
@njsaunders
neil@beamly.com
awsauth gist: http://bit.ly/1UAMYFG
LONDON
Drury House
34-43 Russell Street
London
WC2B 5HA
NEW YORK CITY
84 Wooster Street
Suite 703
New York
NY 10012
© Beamly 2014. All Rights Reserved.