Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Replacing Long-lived Passwords with Dynamic Secrets

Kerim Satirli
PRO
March 25, 2023
Programming
0
94

Replacing Long-lived Passwords with Dynamic Secrets

In this presentation, I explain how to replace long-lived and hardcoded passwords with dynamic secrets, managed by access policies and revoked after use.

This version of the talk was given at the 2023 Edition of Atlanta Cloud Conference.

Kerim Satirli
PRO

March 25, 2023
Tweet

More Decks by Kerim Satirli

See All by Kerim Satirli
How to Secure Edge Compute
ksatirli
PRO
0
12
Patterns that Protect
ksatirli
PRO
0
10
What We Learned from Building Edge Compute
ksatirli
PRO
0
39
Level Up your Infrastructure Skills
ksatirli
PRO
0
110
Kubernetes Ingress with Consul and ngrok
ksatirli
PRO
0
100
How to Get Your Website Into the Cloud
ksatirli
PRO
0
65
Scaling Security when Deploying Globally
ksatirli
PRO
0
150
Simultaneously Deploying Infrastructure across the Globe
ksatirli
PRO
0
69
Learning Infrastructure with a local Compute Cluster
ksatirli
PRO
0
120

Other Decks in Programming

See All in Programming
作って学ぶadbプロトコル / Create and learn adb protocols
ntsk
0
930
Kotlinハイパフォーマンスプログラミング
ohmae
5
3.3k
Compose 첫 걸음 || Compose Migration
juhyung
2
100
iOSエンジニアに求められる役割について
teamlab
PRO
0
190
The Unyielding Spirit Of Android - Droidcon NYC '23
adammc331
1
170
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
510
RustでWasm Runtimeを書いた in UV_Study
skanehira
1
270
AWS Lambdaから始める Devチームの小さなDevOps改善 〜QCDどれも諦めない運用を目指して〜 / Start to improving small DevOps with AWS Lambda by Dev Team
cocoeyes02
0
560
Dagger Hilt로 의존성 주입부터 멀티모듈화까지
fornewid
0
250
祝 Ver.3リリース Fluent UI Blazorのすすめ
tomokusaba
0
120
第4回 AWSとGitHub勉強会 - GitHub Actionsを使ったCD環境の構築 -
ogiwarat
0
130
Compose で Android/iOS アプリを作る
m_coder
0
2k

Featured

See All Featured
Web development in the modern age
philhawksworth
200
9.8k
Building Your Own Lightsaber
phodgson
97
5.2k
Designing for humans not robots
tammielis
246
24k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
[RailsConf 2023] Rails as a piece of cake
palkan
15
2.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
880
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
Gamification - CAS2011
davidbonilla
75
4.3k
Docker and Python
trallard
31
2.3k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
11k

Transcript

  1. Replacing Long-lived Passwords
    with Dynamic Secrets

    View Slide

  2. Sr. Developer Advocate at HashiCorp
    he / him
    @ksatirli
    Kerim
    Satirli

    View Slide

  3. CMS Configuration
    CraftCMS.env
    # Required variables:
    CRAFT_APP_ID=...
    CRAFT_ENVIRONMENT=dev
    CRAFT_SECURITY_KEY=...
    # Database-specific variables:
    CRAFT_DB_DRIVER=postgresql
    CRAFT_DB_SERVER=postgresq.service.us-east-2.consul
    CRAFT_DB_PORT=5342
    CRAFT_DB_DATABASE=atlcc
    CRAFT_DB_USER=ethan
    CRAFT_DB_PASSWORD=AW96B6
    CRAFT_DB_SCHEMA=public
    CRAFT_DB_TABLE_PREFIX=atlcc

    View Slide

  4. CMS Configuration
    .gitignore
    ### CraftCMS ###
    .env
    # Caches
    /cache
    /cache-db
    # Log files
    *.log
    logs/*

    View Slide

  5. 01
    Security is Hard.

    View Slide

  6. View Slide

  7. Your Secrets
    Won’t Be.

    View Slide

  8. Challenge:
    Hard-coded Secrets

    View Slide

  9. Challenge:
    Rotating Secrets

    View Slide

  10. Solution:
    Defence-in-Depth

    View Slide

  11. !

    View Slide

  12. Static Secrets
    02

    View Slide

  13. Demo:
    KV v2

    View Slide

  14. Dynamic Secrets
    03

    View Slide

  15. Dynamic Secrets
    created when needed, not weeks ago
    can be revoked manually, if need be
    allow for highly specific policies per secret
    expire at a pre-set interval

    View Slide

  16. CSP Secrets
    https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader

    View Slide

  17. https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader
    CSP Secrets

    View Slide

  18. >
    CSP Secrets via the CLI
    Terminal
    vault read aws-us-west-2/creds/uploader
    Key Value
    --- -----
    lease_id l3knWmDm1XBjSOIFtCrHT4ZD
    lease_duration 1m
    lease_renewable true
    access_key AKIATI4IYJK5TXW644LA
    secret_key ********************************

    View Slide

  19. resource "vault_aws_secret_backend" "main" {
    access_key = var.aws_access_key
    secret_key = var.aws_secret_key
    default_lease_ttl_seconds = 60
    path = "aws"
    region = each.key
    }
    CSP Secrets Configuration via Terraform
    secrets_backends.tf

    View Slide

  20. {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Action": [
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:ListObjectsV2",
    "s3:PutObject"
    ],
    "Effect": "Allow",
    "Resource": [
    "arn:aws:s3:::${S3_BUCKET_NAME}",
    "arn:aws:s3:::${S3_BUCKET_NAME}/*"
    ]
    }, {
    "Action": [
    "cloudfront:CreateInvalidation"
    ],
    iam-policy-uploader.tmpl.json
    Policy Template

    View Slide

  21. Security is
    a Team Sport.

    View Slide

  22. Thank you
    speakerdeck.com/ksatirli

    View Slide