Replacing Long-lived Passwords with Dynamic Secrets

Transcript

1. Replacing Long-lived Passwords with Dynamic Secrets

2. Sr. Developer Advocate at HashiCorp he / him @ksatirli Kerim

   Satirli

3. CMS Configuration CraftCMS.env # Required variables: CRAFT_APP_ID=... CRAFT_ENVIRONMENT=dev CRAFT_SECURITY_KEY=... #

   Database-specific variables: CRAFT_DB_DRIVER=postgresql CRAFT_DB_SERVER=postgresq.service.us-east-2.consul CRAFT_DB_PORT=5342 CRAFT_DB_DATABASE=atlcc CRAFT_DB_USER=ethan CRAFT_DB_PASSWORD=AW96B6 CRAFT_DB_SCHEMA=public CRAFT_DB_TABLE_PREFIX=atlcc

4. CMS Configuration .gitignore ### CraftCMS ### .env # Caches /cache

   /cache-db # Log files *.log logs/*

5. 01 Security is Hard.

6. None

7. Your Secrets Won’t Be.

8. Challenge: Hard-coded Secrets

9. Challenge: Rotating Secrets

10. Solution: Defence-in-Depth

11. !

12. Static Secrets 02

13. Demo: KV v2

14. Dynamic Secrets 03

15. Dynamic Secrets created when needed, not weeks ago can be

    revoked manually, if need be allow for highly specific policies per secret expire at a pre-set interval

16. CSP Secrets https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader

17. https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader CSP Secrets

18. > CSP Secrets via the CLI Terminal vault read aws-us-west-2/creds/uploader

    Key Value --- ----- lease_id l3knWmDm1XBjSOIFtCrHT4ZD lease_duration 1m lease_renewable true access_key AKIATI4IYJK5TXW644LA secret_key ********************************

19. resource "vault_aws_secret_backend" "main" { access_key = var.aws_access_key secret_key = var.aws_secret_key

    default_lease_ttl_seconds = 60 path = "aws" region = each.key } CSP Secrets Configuration via Terraform secrets_backends.tf

20. { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:DeleteObject", "s3:GetObject",

    "s3:ListObjectsV2", "s3:PutObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${S3_BUCKET_NAME}", "arn:aws:s3:::${S3_BUCKET_NAME}/*" ] }, { "Action": [ "cloudfront:CreateInvalidation" ], iam-policy-uploader.tmpl.json Policy Template

21. Security is a Team Sport.

22. Thank you speakerdeck.com/ksatirli