Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

brought a laptop with SSH keys
allowlisted hotel IP range
disabled VPN
Security absolutely hated it.

Slide 3

Slide 3 text

Get access to a service, but only when needed and only as long as needed.

Slide 4

Slide 4 text

what: Get TCP access
where: to a production database
when: from 13:04 until 13:15
why: to resolve incident #34

Slide 5

Slide 5 text

What you are about to see is not a product announcement.

Slide 6

Slide 6 text

Gate: Privileged Access Controller, Transit Secrets Engine, Response Automation

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

~ >_ boundary targets list -recursive -filter '"/item/name" matches "postgres"'

Target information:
  ID:                    ttcp_YMNb5RXsWQ
  Scope ID:              p_yXNBa22BOY
  Version:               2
  Type:                  tcp
  Name:                  postgres
  Description:           Postgres for var.project_identifier
  Authorized Actions:
    no-op
    read
    update
    delete
    authorize-session

Slide 11

Slide 11 text

~ >_ boundary connect postgres -target-id ttcp_YMNb5RXsWQ

Slide 12

Slide 12 text

:activity  -- Server activity
:locks     -- Lock info
:waits     -- Waiting queries
:dbsize    -- Database Size
:tablesize -- Tables Size
:uptime    -- Server uptime
Development queries:
:sp        -- Current Search Path
:clear     -- Clear screen
:ll        -- List
psql (14.3)
Type "help" for help.
(ksatirli@[postgres]:5432) [postgres] >

Slide 14

Slide 14 text

(ksatirli@[postgres]:5432) [postgres] > \l "hashicraft"
List of databases
+------------+----------+----------+-------------------+
| Name       | Owner    | Encoding | Access privileges |
+------------+----------+----------+-------------------+
| hashicraft | postgres | UTF8     |                   |
+------------+----------+----------+-------------------+
(1 row)
(ksatirli@[postgres]:5432) [postgres] >

Slide 15

Slide 15 text

(ksatirli@[postgres]:5432) [postgres] > ALTER DATABASE hashicraft OWNER TO hashicraft;
ALTER DATABASE
Time: 0.238 ms
(ksatirli@[postgres]:5432) [postgres] > GRANT ALL PRIVILEGES ON DATABASE hashicraft TO hashicraft;
GRANT
Time: 0.688 ms
(ksatirli@[postgres]:5432) [postgres] >

Slide 16

Slide 16 text

(ksatirli@[postgres]:5432) [postgres] > \l "hashicraft"
List of databases
+------------+------------+----------+---------------------------+
| Name       | Owner      | Encoding | Access privileges         |
+------------+------------+----------+---------------------------+
| hashicraft | hashicraft | UTF8     | =Tc/hashicraft           +|
|            |            |          | hashicraft=CTc/hashicraft |
+------------+------------+----------+---------------------------+
(1 row)
(ksatirli@[postgres]:5432) [postgres] >

Slide 19

Slide 19 text

(ksatirli@[postgres]:5432) [postgres] > \l "hashicraft"
List of databases
+------------+------------+----------+---------------------------+
| Name       | Owner      | Encoding | Access privileges         |
+------------+------------+----------+---------------------------+
| hashicraft | hashicraft | UTF8     | =Tc/hashicraft           +|
|            |            |          | hashicraft=CTc/hashicraft |
+------------+------------+----------+---------------------------+
(1 row)
(ksatirli@[postgres]:5432) [postgres] >
Connection closed by foreign host.

Slide 20

Slide 20 text

Gate: Privileged Access Controller, Transit Secrets Engine, Codified Configuration, App Deployment, Response Automation

Slide 21

Slide 21 text

Run, Observe, Build, Release, Delivery

Slide 22

Slide 22 text

Run / Observe -> Response Automation -> Incident Response Team
Incident Triggered: ALERT

Slide 23

Slide 23 text

Run / Observe -> Response Automation -> Incident Response Team
Incident Acknowledged: ACKNOWLEDGE

Slide 24

Slide 24 text

Run / Observe -> Response Automation -> Response Team
Incident Acknowledged -> Process Webhook

Slide 25

Slide 25 text

Incident Resolved -> Process Webhook
Grant Access: Boundary CLI / Boundary Desktop -> Postgres Database

Slide 26

Slide 26 text

Response Automation -> Process Webhook -> Revoke Access
Observe: Incident Resolved (Resolution) -> Relax

Slide 27

Slide 27 text

resource "boundary_host_catalog" "main" {
  scope_id = var.scope_id
  type     = "static"
  name     = var.host_name
}

resource "boundary_host" "main" {
  name            = var.host_name
  address         = var.host_address
  host_catalog_id = boundary_host_catalog.main.id
  type            = "static"
}

resource "boundary_host_set" "main" {
  host_catalog_id = boundary_host_catalog.main.id
  type            = "static"

Boundary: Create Resources for Host, Catalog, and Targets per Service.

Slide 28

Slide 28 text

  host_ids = [
    boundary_host.main.id
  ]
}

resource "boundary_target" "main" {
  name            = var.host_name
  scope_id        = var.scope_id
  type            = "tcp"
  host_source_ids = [
    boundary_host_set.main.id
  ]

Boundary: Create Resources for Host, Catalog, and Targets per Service.

Slide 29

Slide 29 text

resource "pagerduty_webhook_subscription" "gate" {
  type   = "webhook_subscription"
  active = true

  delivery_method {
    type = "http_delivery_method"
    url  = true
    custom_headers = [
      { name = "X-Boundary-Project", value = boundary_project.main.id },
      { name = "X-Boundary-Targets", value = boundary_target.main.id }
    ]
  }
  ...

Webhook Custom Headers provide data to map the affected service to Boundary Scopes.

Slide 30

Slide 30 text

resource "pagerduty_webhook_subscription" "gate" {
  ...
  events = [
    "incident.acknowledged",
    "incident.resolved",
  ]

  filter {
    id   = pagerduty_service.gate.id
    type = "service_reference"
  }
}

Webhook Custom Headers provide data to map the affected service to Boundary Scopes.
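As an added example (not code from the slides or from the hashicorp-dev-advocates repository), a minimal Python handler for the "Process Webhook" step: it verifies the PagerDuty v3 webhook signature over the raw body, reads the X-Boundary-Project and X-Boundary-Targets custom headers configured in the subscription above, and maps incident.acknowledged to a grant and incident.resolved to a revoke. The payload shape (event.event_type, event.data.id), the secret and the sample delivery are assumptions constructed for the example; the scope and target IDs are the ones shown on slide 10.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed webhook secret (assumption); a real deployment takes it from the
# PagerDuty webhook subscription and keeps it out of source control.
SECRET = b"constructed-webhook-secret"

# Event types subscribed to in the Terraform on the slides, mapped to the
# access decision the workflow takes for each.
ACTIONS = {
    "incident.acknowledged": "grant",
    "incident.resolved": "revoke",
}

def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Produce a PagerDuty v3 style signature: v1=<hex HMAC-SHA256 of raw body>."""
    return "v1=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(body: bytes, header: str, secret: bytes = SECRET) -> bool:
    """Accept if any comma-separated 'v1=' signature in the header matches the body."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    for part in header.split(","):
        version, _, sig = part.strip().partition("=")
        if version == "v1" and hmac.compare_digest(sig, expected):
            return True
    return False

def process_webhook(headers: dict, body: bytes) -> Optional[dict]:
    """Return the access decision for a delivery, or None when it is rejected."""
    if not verify_signature(body, headers.get("X-PagerDuty-Signature", "")):
        return None  # unsigned or tampered delivery: fail closed
    event = json.loads(body)["event"]  # assumed v3 payload shape
    action = ACTIONS.get(event.get("event_type"))
    if action is None:
        return None  # e.g. incident.triggered: nothing to grant yet
    scope_id = headers.get("X-Boundary-Project")
    target_id = headers.get("X-Boundary-Targets")
    if not scope_id or not target_id:
        return None  # subscription lacks the custom headers: fail closed
    return {"action": action, "scope_id": scope_id, "target_id": target_id,
            "incident_id": event["data"]["id"]}

# Constructed sample delivery; scope and target IDs are the ones from slide 10.
SAMPLE_BODY = json.dumps({"event": {"event_type": "incident.acknowledged",
                                    "data": {"id": "Q_CONSTRUCTED_34", "type": "incident"}}}).encode()
SAMPLE_HEADERS = {"X-PagerDuty-Signature": sign(SAMPLE_BODY),
                  "X-Boundary-Project": "p_yXNBa22BOY",
                  "X-Boundary-Targets": "ttcp_YMNb5RXsWQ"}
```

The returned decision is what the automation would then turn into a Boundary grant or revoke for the given scope and target; that call is out of scope here.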

Slide 31

Slide 31 text

what: Get TCP access
where: to a production database
when: from 13:04 until 13:15
why: to resolve incident #34

Slide 32

Slide 32 text

Resources
See this workflow in action in the Dev Lounge during HashiConf.
Code will be progressively released via github.com/hashicorp-dev-advocates

Slide 33

Slide 33 text

Kerim Satirli
Sr. Developer Advocate at HashiCorp
he / him
@ksatirli

Slide 34

Slide 34 text

Thank you
@ksatirli
[email protected]