Slide 1

MANAGING SECRETS IN AWS

Slide 2

WHO IS THIS GUY?
• Mark Wolfe
• DevOps at Versent (we are always hiring)
• I still code.

Slide 3

WHY?
• Everything we build has secrets
• Passwords and API keys for a plethora of services we consume
• We don’t want to put these secrets in our code!?
• We want to control and audit access to our secrets

Slide 4

KMS?
• What is KMS?
• Hardware Security Modules (HSMs)
• Access control using IAM
• Auditing provided by CloudTrail

Slide 5

KMS?
• Encrypt, decrypt, and re-encrypt data
• Generate data keys that can be exported from the service
• Generate random numbers

Slide 6

DATA KEYS
• Generate a data key
• KMS returns the key in both encrypted and decrypted (plaintext) form
• Use the plaintext key to encrypt the data
• Append the encrypted key and the encrypted data together and store the result

Slide 7

DATA KEYS CONT.
• Decrypt
• Read in the file and split it into the encrypted key and the encrypted data
• Pass the encrypted key blob to KMS and get back the decrypted key
• Use the decrypted key to decrypt the data

Slide 8

ENCRYPTION 101
• Don’t trust input data, EVER
• If you’re using AES, make sure you also have an HMAC signature over the encrypted data
• Validate the signature prior to decrypting the data
• Or use secretbox (NaCl) by Dan Bernstein (DJB)
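The data-key flow from the two DATA KEYS slides, combined with the HMAC-before-decrypt rule above, as an added Go example (not from the talk, credstash or unicreds). It assumes a constructed in-process stand-in for the two KMS calls (GenerateDataKey and Decrypt) so it runs offline, AES-CTR for the data, HMAC-SHA256 over the ciphertext, and a 64-byte data key split into an AES key and an HMAC key (the split credstash uses, stated here as an assumption).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// masterKey is a constructed stand-in for the KMS master key (which never leaves the HSM in the real service).
var masterKey = randBytes(32)
const wrappedLen = 12 + 64 + 16 // GCM nonce || 64-byte data key || GCM tag
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { c, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(c); return g }
// ctr applies the AES-CTR keystream to in; the same call encrypts and decrypts.
func ctr(key, iv, in []byte) []byte {
	out := make([]byte, len(in)); c, _ := aes.NewCipher(key)
	cipher.NewCTR(c, iv).XORKeyStream(out, in); return out
}
// tag is HMAC-SHA256 over iv || ciphertext (the wrapped key is authenticated by GCM on its own).
func tag(key, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, key); m.Write(iv); m.Write(ct); return m.Sum(nil)
}
// kmsGenerateDataKey mimics KMS GenerateDataKey (not the AWS SDK): fresh 64-byte key, plaintext plus wrapped form.
func kmsGenerateDataKey() ([]byte, []byte) {
	plain, nonce := randBytes(64), randBytes(12)
	return plain, gcm(masterKey).Seal(nonce, nonce, plain, nil)
}
// kmsDecrypt mimics KMS Decrypt; the real service also enforces IAM policy and logs to CloudTrail here.
func kmsDecrypt(wrapped []byte) ([]byte, error) { return gcm(masterKey).Open(nil, wrapped[:12], wrapped[12:], nil) }
// Seal stores wrappedKey || iv || ciphertext || mac. Data key split: AES key = first 32 bytes,
// HMAC key = last 32 bytes (assumption: the split credstash uses).
func Seal(plaintext []byte) []byte {
	dk, wrapped := kmsGenerateDataKey()
	iv := randBytes(16)
	ct := ctr(dk[:32], iv, plaintext)
	return append(append(append(wrapped, iv...), ct...), tag(dk[32:], iv, ct)...)
}
// Open splits the blob, unwraps the key via KMS, verifies the HMAC and only then decrypts.
func Open(blob []byte) ([]byte, error) {
	if len(blob) < wrappedLen+16+32 { return nil, errors.New("blob too short") }
	wrapped, iv := blob[:wrappedLen], blob[wrappedLen:wrappedLen+16]
	ct, mac := blob[wrappedLen+16:len(blob)-32], blob[len(blob)-32:]
	dk, err := kmsDecrypt(wrapped)
	if err != nil { return nil, err }
	if !hmac.Equal(tag(dk[32:], iv, ct), mac) { return nil, errors.New("HMAC mismatch: refusing to decrypt") }
	return ctr(dk[:32], iv, ct), nil
}
```

Every Seal call gets a fresh data key, so two blobs of the same secret differ; a flipped ciphertext byte is rejected by the HMAC check before any decryption, and a damaged wrapped key is rejected by the (GCM-authenticated) unwrap.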

Slide 9

CREDSTASH
• Uses KMS + DynamoDB to securely store credentials IN AWS
• Access to KMS is controlled by IAM, so access to credstash is too
• Versent maintains a fork of credstash called unicreds!

Slide 10

UNICREDS
• Written in Go
• Single static binary
• Works on Windows, Linux and OS X
• Adds a few additional features, with more in the works

Slide 11

CODE

Slide 12

OTHER PROJECTS
• credstash, the original in Python, well worth reviewing!
• coffer, stores bundles of encrypted files in S3, also using KMS for key management
• aws-vault, securely store and access credentials for AWS

Slide 13

TAKEAWAYS
• Keep secrets IN your AWS account using tools such as credstash, unicreds and coffer!
• KMS is a great service; if you’re interested, download the SDK and give it a try
• Try these tools out and discuss what’s good/bad/ugly for you!

Slide 14

QUESTIONS
• Fire away.
• @wolfeidau on Twitter
• wolfeidau on GitHub
• Website www.wolfe.id.au