Replacing Long-lived Passwords with Dynamic Secrets

Sr. Developer Advocate at HashiCorp he / him @ksatirli Kerim Satirli

CMS Configuration CraftCMS.env # Required variables: CRAFT_APP_ID=... CRAFT_ENVIRONMENT=dev CRAFT_SECURITY_KEY=... # Database-specific variables: CRAFT_DB_DRIVER=postgresql CRAFT_DB_SERVER=postgresq.service.us-east-2.consul CRAFT_DB_PORT=5342 CRAFT_DB_DATABASE=atlcc CRAFT_DB_USER=ethan CRAFT_DB_PASSWORD=AW96B6 CRAFT_DB_SCHEMA=public CRAFT_DB_TABLE_PREFIX=atlcc

CMS Configuration .gitignore ### CraftCMS ### .env # Caches /cache /cache-db # Log files *.log logs/*

01 Security is Hard.

No content

Your Secrets Won’t Be.

Challenge: Hard-coded Secrets

Challenge: Rotating Secrets

Solution: Defence-in-Depth

!

Static Secrets 02

Demo: KV v2

Dynamic Secrets 03

Dynamic Secrets created when needed, not weeks ago can be revoked manually, if need be allow for highly specific policies per secret expire at a pre-set interval

CSP Secrets https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader

https://vault.svcs.dev:8200/ui/vault/secrets/aws-us-west-2/credentials/uploader CSP Secrets

> CSP Secrets via the CLI Terminal vault read aws-us-west-2/creds/uploader Key Value --- ----- lease_id l3knWmDm1XBjSOIFtCrHT4ZD lease_duration 1m lease_renewable true access_key AKIATI4IYJK5TXW644LA secret_key ********************************

resource "vault_aws_secret_backend" "main" { access_key = var.aws_access_key secret_key = var.aws_secret_key default_lease_ttl_seconds = 60 path = "aws" region = each.key } CSP Secrets Configuration via Terraform secrets_backends.tf

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:ListObjectsV2", "s3:PutObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${S3_BUCKET_NAME}", "arn:aws:s3:::${S3_BUCKET_NAME}/*" ] }, { "Action": [ "cloudfront:CreateInvalidation" ], iam-policy-uploader.tmpl.json Policy Template

Security is a Team Sport.

Thank you speakerdeck.com/ksatirli