Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets IN AWS

Avatar for Mark Wolfe Mark Wolfe
February 24, 2016
Technology
0
130

Managing Secrets IN AWS

Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on 24th of Feb 2016
Avatar for Mark Wolfe

Mark Wolfe

February 24, 2016
Tweet

More Decks by Mark Wolfe

See All by Mark Wolfe
IP Networking in AWS
Avatar for Mark Wolfe wolfeidau
0
64
Getting Into Vue.js
Avatar for Mark Wolfe wolfeidau
0
190
AWS Automation With Lambda
Avatar for Mark Wolfe wolfeidau
1
88
Ansible and Cloudformation
Avatar for Mark Wolfe wolfeidau
1
220
Docker Security
Avatar for Mark Wolfe wolfeidau
0
180
Building a Proxy in Go
Avatar for Mark Wolfe wolfeidau
2
370
Using JWT to Authenticate Microservices
Avatar for Mark Wolfe wolfeidau
1
240
ESPlant Workshop Firmware Overview and Demos
Avatar for Mark Wolfe wolfeidau
0
120
Go kit - A Distributed Programming Toolkit
Avatar for Mark Wolfe wolfeidau
0
140

Other Decks in Technology

See All in Technology
AOAI で AI アプリを開発する時にまず考えたいこと
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
1
690
Next.jsと状態管理のプラクティス
Avatar for uhyo uhyo
5
2k
Как мы автоматизировали интеграционное тестирование с Gonkey и не пожалели. Паша Егорычев, Кирилл Поляков
Avatar for Lamoda Tech lamodatech
0
2.1k
Serverlessだからこそコードと設計にはこだわろう
Avatar for Ken'ichirou Kimura kenichirokimura
2
990
LLMの開発と社会実装の今と未来 / AI Builders' Community (ABC) vol.2
Avatar for Preferred Networks pfn
PRO
1
140
SaaS公式MCPサーバーをリリースして得た学び
Avatar for ryo kawamataryo
4
1.1k
経済メディア編集部の実務に小さく刺さるAI / small-ai-with-editorial
Avatar for Yukiya Nakagawa nkzn
2
390
MCP でモノが動くとおもしろい/It is interesting when things move with MCP
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
2
490
CARTA HOLDINGS エンジニア向け 採用ピッチ資料 / CARTA-GUIDE-for-Engineers
Avatar for CARTA Engineering carta_engineering
0
27k
Oracle Base Database Service 技術詳細
Avatar for oracle4engineer oracle4engineer
PRO
7
64k
とあるEdTechベンチャーのシステム構成こだわりN選 / edtech-system
Avatar for k.goto gotok365
4
290
猫でもわかるS3 Tables【Apache Iceberg編】
Avatar for Hiroo Katoh kentapapa
2
190

Featured

See All Featured
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
179
53k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.2k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
329
24k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
298
20k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.6k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
34
2.2k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
129
19k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
19k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
700

Transcript

  1. MANAGING SECRETS IN AWS

  2. WHO IS THIS GUY? • Mark Wolfe • Devops at

    Versent (we are always Hiring) • I still code.

  3. WHY? • Everything we build has secrets • Passwords and

    API keys for a plethora of services we consume • We don’t want to put these secrets in our code!? • We want to control and audit access to our secrets

  4. KMS? • What is KMS? • Hardware Security Modules (HSMs)

    • Access control using IAM • Auditing provided by Cloudtrail

  5. KMS? • Encrypt, decrypt, and re-encrypt data • Generate data

    keys that can be exported from the service • Generate random numbers

  6. DATA KEYS • Generate a Key • Returns the Key

    Encrypted and Decrypted • Use the Key to encrypt • Append the Encrypted Key and Encrypted data together and store

  7. DATA KEYS CONT. • Decrypt • Read in the file

    and split into the Encrypted Key and Encrypted Data • Pass the Encrypted Key blog to KMS and get back the Decrypted Key • Use the Decrypted Key to Decrypt the data

  8. ENCRYPTION 101 • Don’t trust input data EVER • If

    your using AES ensure you also have a HMAC signature for the encrypted data • Validate the signature prior to decrypting the data • Or use secret box by Dan Bernstein (DJB)

  9. CREDSTASH • Uses KMS + DynamoDB to securely store credentials

    IN AWS • KMS is controlled by IAM, so therefore so is Credstash • Versent maintains a fork of credstash which is called unicreds!

  10. UNICREDS • Written in golang • Single static binary •

    Works on Windows, Linux and OSX • Adds a few additional features, more in the works

  11. CODE

  12. OTHER PROJECTS • credstash, the original in Python, well worth

    reviewing! • coffer, stores bundles of encrypted files in S3 also using KMS for key management • aws-vault, securely store and access credentials for AWS

  13. TAKEAWAYS • Keep secrets IN your AWS account using tools

    such as credstash, unicreds and coffer! • KMS is a great service, if your interested download the SDK and give it a try • Try these tools and out discuss whats good/bad/ ugly for you!

  14. QUESTIONS • Fire away. • @wolfeidau on Twitter • wolfeidau

    on Github • Website www.wolfe.id.au