Managing Secrets IN AWS

MANAGING SECRETS IN AWS

WHO IS THIS GUY? • Mark Wolfe • Devops at
Versent (we are always Hiring) • I still code.

WHY? • Everything we build has secrets • Passwords and
API keys for a plethora of services we consume • We don’t want to put these secrets in our code!? • We want to control and audit access to our secrets

KMS? • What is KMS? • Hardware Security Modules (HSMs)
• Access control using IAM • Auditing provided by Cloudtrail

KMS? • Encrypt, decrypt, and re-encrypt data • Generate data
keys that can be exported from the service • Generate random numbers

DATA KEYS • Generate a Key • Returns the Key
Encrypted and Decrypted • Use the Key to encrypt • Append the Encrypted Key and Encrypted data together and store

DATA KEYS CONT. • Decrypt • Read in the ﬁle
and split into the Encrypted Key and Encrypted Data • Pass the Encrypted Key blog to KMS and get back the Decrypted Key • Use the Decrypted Key to Decrypt the data

ENCRYPTION 101 • Don’t trust input data EVER • If
your using AES ensure you also have a HMAC signature for the encrypted data • Validate the signature prior to decrypting the data • Or use secret box by Dan Bernstein (DJB)

CREDSTASH • Uses KMS + DynamoDB to securely store credentials
IN AWS • KMS is controlled by IAM, so therefore so is Credstash • Versent maintains a fork of credstash which is called unicreds!

UNICREDS • Written in golang • Single static binary •
Works on Windows, Linux and OSX • Adds a few additional features, more in the works

OTHER PROJECTS • credstash, the original in Python, well worth
reviewing! • coffer, stores bundles of encrypted ﬁles in S3 also using KMS for key management • aws-vault, securely store and access credentials for AWS

TAKEAWAYS • Keep secrets IN your AWS account using tools
such as credstash, unicreds and coffer! • KMS is a great service, if your interested download the SDK and give it a try • Try these tools and out discuss whats good/bad/ ugly for you!

QUESTIONS • Fire away. • @wolfeidau on Twitter • wolfeidau
on Github • Website www.wolfe.id.au

Managing Secrets IN AWS

Managing Secrets IN AWS

Mark Wolfe

More Decks by Mark Wolfe

Other Decks in Technology

Featured

Transcript

MANAGING SECRETS IN AWS

WHO IS THIS GUY? • Mark Wolfe • Devops at

WHY? • Everything we build has secrets • Passwords and

KMS? • What is KMS? • Hardware Security Modules (HSMs)

KMS? • Encrypt, decrypt, and re-encrypt data • Generate data

DATA KEYS • Generate a Key • Returns the Key

DATA KEYS CONT. • Decrypt • Read in the ﬁle

ENCRYPTION 101 • Don’t trust input data EVER • If

CREDSTASH • Uses KMS + DynamoDB to securely store credentials

UNICREDS • Written in golang • Single static binary •

CODE

OTHER PROJECTS • credstash, the original in Python, well worth

TAKEAWAYS • Keep secrets IN your AWS account using tools

QUESTIONS • Fire away. • @wolfeidau on Twitter • wolfeidau