
Replacing Long-lived Passwords with Dynamic Secrets


In this presentation, I explain how to replace long-lived and hardcoded passwords with dynamic secrets, managed by access policies and revoked after use.

This version of the talk was given at the 2023 Edition of Atlanta Cloud Conference.

Kerim Satirli

March 25, 2023


Transcript

  1. CMS Configuration (CraftCMS .env)

         # Required variables:
         CRAFT_APP_ID=...
         CRAFT_ENVIRONMENT=dev
         CRAFT_SECURITY_KEY=...

         # Database-specific variables:
         CRAFT_DB_DRIVER=postgresql
         CRAFT_DB_SERVER=postgresq.service.us-east-2.consul
         CRAFT_DB_PORT=5342
         CRAFT_DB_DATABASE=atlcc
         CRAFT_DB_USER=ethan
         CRAFT_DB_PASSWORD=AW96B6
         CRAFT_DB_SCHEMA=public
         CRAFT_DB_TABLE_PREFIX=atlcc

  2. !

  3. Dynamic Secrets

     - created when needed, not weeks ago
     - can be revoked manually, if need be
     - allow for highly specific policies per secret
     - expire at a pre-set interval

  4. CSP Secrets via the CLI (Terminal)

         > vault read aws-us-west-2/creds/uploader
         Key              Value
         ---              -----
         lease_id         l3knWmDm1XBjSOIFtCrHT4ZD
         lease_duration   1m
         lease_renewable  true
         access_key       AKIATI4IYJK5TXW644LA
         secret_key       ********************************

  5. CSP Secrets Configuration via Terraform (secrets_backends.tf)

         resource "vault_aws_secret_backend" "main" {
           access_key                = var.aws_access_key
           secret_key                = var.aws_secret_key
           default_lease_ttl_seconds = 60
           path                      = "aws"
           region                    = each.key
         }

  6. Policy Template (iam-policy-uploader.tmpl.json)

         {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Action": [
                 "s3:DeleteObject",
                 "s3:GetObject",
                 "s3:ListObjectsV2",
                 "s3:PutObject"
               ],
               "Effect": "Allow",
               "Resource": [
                 "arn:aws:s3:::${S3_BUCKET_NAME}",
                 "arn:aws:s3:::${S3_BUCKET_NAME}/*"
               ]
             },
             {
               "Action": [
                 "cloudfront:CreateInvalidation"
               ],
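The "revoked after use" pattern from slides 3 and 4, as an added shell example that is not part of the deck: it reads the `aws-us-west-2/creds/uploader` role shown on the slide, passes the key pair to a single command, and revokes the lease immediately rather than waiting for the 1m TTL. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are set and that the role path exists; `VAULT_AWS_ROLE_PATH` is a hypothetical override variable.

```shell
#!/bin/sh
# Added example (not from the deck): fetch short-lived AWS credentials from the
# Vault AWS secrets engine, hand them to exactly one command, then revoke the
# lease right away instead of letting it ride out its TTL.
# Assumes VAULT_ADDR and VAULT_TOKEN are set and that the role path from the
# slides, aws-us-west-2/creds/uploader, exists.
set -eu

# Turn the Key/Value table that `vault read` prints into key=value lines for
# the fields we need; headers and lease_renewable are dropped.
parse_vault_creds() {
  awk '$1 ~ /^(lease_id|lease_duration|access_key|secret_key)$/ { print $1 "=" $2 }'
}

# Usage: with_dynamic_aws_creds <command> [args...]
# The credentials are placed only in the child's environment, so the calling
# shell never holds them, and the lease is revoked whether the command succeeds
# or fails. Returns the command's exit status.
with_dynamic_aws_creds() {
  role_path="${VAULT_AWS_ROLE_PATH:-aws-us-west-2/creds/uploader}"  # hypothetical override
  rc=0
  creds="$(vault read "$role_path" | parse_vault_creds)"
  lease_id="$(printf '%s\n' "$creds" | sed -n 's/^lease_id=//p')"
  if [ -z "$lease_id" ]; then
    echo "with_dynamic_aws_creds: no lease_id in vault output" >&2
    return 1
  fi
  AWS_ACCESS_KEY_ID="$(printf '%s\n' "$creds" | sed -n 's/^access_key=//p')" \
  AWS_SECRET_ACCESS_KEY="$(printf '%s\n' "$creds" | sed -n 's/^secret_key=//p')" \
    "$@" || rc=$?
  # Revoke immediately: the 1m default_lease_ttl is the safety net, not the
  # intended lifetime of the key pair.
  vault lease revoke "$lease_id" >/dev/null \
    || echo "with_dynamic_aws_creds: revoke failed for lease $lease_id" >&2
  return "$rc"
}

# Example invocation (needs a reachable Vault and the AWS CLI):
# with_dynamic_aws_creds aws s3 ls "s3://${S3_BUCKET_NAME}"
```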