Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on 24th of Feb 2016
MANAGING SECRETS IN AWS
WHO IS THIS GUY?
• Mark Wolfe
• DevOps at Versent (we are always hiring)
• I still code.
• Everything we build has secrets
• Passwords and API keys for a plethora of services
• We don’t want to put these secrets in our code!?
• We want to control and audit access to our secrets
• What is KMS?
• Hardware Security Modules (HSMs)
• Access control using IAM
• Auditing provided by Cloudtrail
• Encrypt, decrypt, and re-encrypt data
• Generate data keys that can be exported from
• Generate random numbers
• Generate a Key
• Returns the Key Encrypted and Decrypted
• Use the Key to encrypt
• Append the Encrypted Key and Encrypted data together and store
DATA KEYS CONT.
• Read in the file and split it into the Encrypted Key and Encrypted Data
• Pass the Encrypted Key blob to KMS and get back the Decrypted Key
• Use the Decrypted Key to Decrypt the data
• Don’t trust input data EVER
• If you're using AES, ensure you also have an HMAC over the encrypted data
• Validate the signature prior to decrypting the data
• Or use secret box by Dan Bernstein (DJB)
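The data-key flow from the previous two slides (generate a key, encrypt with it, append encrypted key and encrypted data, then split, unwrap, verify and decrypt) together with the "validate before decrypting" rule above, worked through in Go. This is an added example, not code from the talk, from Versent, or from unicreds/credstash. The `KeyService` interface, the `fakeKMS` type, and the `Seal`/`Open` functions with their record layout are assumptions of this example: `fakeKMS` stands in for the KMS GenerateDataKey and Decrypt calls so the code runs offline, and the sample secret in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

var ErrBadMAC = errors.New("envelope: HMAC verification failed")

// KeyService is the slice of KMS used here (GenerateDataKey and Decrypt). The interface
// is an assumption of this example so it runs offline; a real KMS client would fill it.
type KeyService interface {
	GenerateDataKey() (plaintext, encrypted []byte, err error)
	Decrypt(encrypted []byte) ([]byte, error)
}

// fakeKMS is a constructed stand-in for KMS: data keys are wrapped with AES-GCM under a master key that never leaves the struct.
type fakeKMS struct{ wrap cipher.AEAD }

func newFakeKMS() *fakeKMS {
	master := make([]byte, 32)
	rand.Read(master)
	block, _ := aes.NewCipher(master) // 32-byte key, cannot fail
	g, _ := cipher.NewGCM(block)
	return &fakeKMS{wrap: g}
}

// GenerateDataKey returns the key both in the clear and wrapped, like the KMS call.
func (k *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	key := make([]byte, 64) // 32 bytes AES-256 key + 32 bytes HMAC-SHA256 key
	rand.Read(key)
	nonce := make([]byte, k.wrap.NonceSize())
	rand.Read(nonce)
	return key, append(nonce, k.wrap.Seal(nil, nonce, key, nil)...), nil
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if n := k.wrap.NonceSize(); len(blob) >= n {
		return k.wrap.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("encrypted data key too short")
}

// Seal is the write path from the slides: get a data key, encrypt with it, store
// the encrypted key and encrypted data together, and HMAC the whole record.
// Layout: [4-byte key len][encrypted key][16-byte IV][AES-CTR ciphertext][HMAC-SHA256]
func Seal(ks KeyService, plaintext []byte) ([]byte, error) {
	key, encKey, err := ks.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key[:32])
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	rec := make([]byte, 4)
	binary.BigEndian.PutUint32(rec, uint32(len(encKey)))
	rec = append(append(rec, encKey...), iv...)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	rec = append(rec, ct...)
	mac := hmac.New(sha256.New, key[32:])
	mac.Write(rec)
	return mac.Sum(rec), nil
}

// Open is the read path: split the record, unwrap the key via KMS, verify the HMAC,
// and only then decrypt. The record is untrusted input, so every offset is checked.
func Open(ks KeyService, rec []byte) ([]byte, error) {
	if len(rec) < 4 {
		return nil, errors.New("envelope: record too short")
	}
	n := int(binary.BigEndian.Uint32(rec[:4]))
	if n < 0 || len(rec)-4-aes.BlockSize-sha256.Size < n {
		return nil, errors.New("envelope: record truncated")
	}
	key, err := ks.Decrypt(rec[4 : 4+n])
	if err != nil {
		return nil, err
	}
	if len(key) != 64 {
		return nil, errors.New("envelope: unexpected data key length")
	}
	body, tag := rec[:len(rec)-sha256.Size], rec[len(rec)-sha256.Size:]
	mac := hmac.New(sha256.New, key[32:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadMAC // rejected before any decryption
	}
	block, _ := aes.NewCipher(key[:32])
	iv, ct := body[4+n:4+n+aes.BlockSize], body[4+n+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}
```

Against a real account the `KeyService` would wrap the SDK's GenerateDataKey and Decrypt calls; everything else stays the same. `Open` calls KMS before verifying the HMAC only because the MAC key itself is part of the wrapped data key; the ciphertext is never touched until `hmac.Equal` passes, which is the "validate before decrypting" rule. Using an AEAD such as the secretbox construction mentioned on the slide would fold the AES-CTR plus HMAC-SHA256 pair into a single primitive.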
• Uses KMS + DynamoDB to securely store credentials IN AWS
• KMS is controlled by IAM, so therefore so is
• Versent maintains a fork of credstash which is
• Written in golang
• Single static binary
• Works on Windows, Linux and OSX
• Adds a few additional features, more in the works
• credstash, the original in Python, well worth
• coffer, stores bundles of encrypted files in S3, also using KMS for key management
• aws-vault, securely store and access credentials for
• Keep secrets IN your AWS account using tools such as credstash, unicreds and coffer!
• KMS is a great service; if you're interested, download the SDK and give it a try
• Try these tools out and discuss what's good/bad/ugly for you!
• Fire away.
• @wolfeidau on Twitter
• wolfeidau on Github
• Website www.wolfe.id.au