Managing Secrets IN AWS

Mark Wolfe
February 24, 2016

Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on the 24th of Feb 2016

Transcript

  1. MANAGING SECRETS IN AWS

  2. WHO IS THIS GUY?
    • Mark Wolfe
    • Devops at Versent (we are always Hiring)
    • I still code.

  3. WHY?
    • Everything we build has secrets
    • Passwords and API keys for a plethora of services we consume
    • We don’t want to put these secrets in our code!?
    • We want to control and audit access to our secrets

  4. KMS?
    • What is KMS?
    • Hardware Security Modules (HSMs)
    • Access control using IAM
    • Auditing provided by CloudTrail

  5. KMS?
    • Encrypt, decrypt, and re-encrypt data
    • Generate data keys that can be exported from the service
    • Generate random numbers

  6. DATA KEYS
    • Generate a Key
    • Returns the Key Encrypted and Decrypted
    • Use the Key to encrypt
    • Append the Encrypted Key and Encrypted data together and store

  7. DATA KEYS CONT.
    • Decrypt
    • Read in the file and split into the Encrypted Key and Encrypted Data
    • Pass the Encrypted Key blob to KMS and get back the Decrypted Key
    • Use the Decrypted Key to Decrypt the data

  8. ENCRYPTION 101
    • Don’t trust input data EVER
    • If you’re using AES ensure you also have an HMAC signature for the encrypted data
    • Validate the signature prior to decrypting the data
    • Or use secretbox (from NaCl) by Dan Bernstein (DJB)
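The data-key procedure of slides 6 and 7 and the "validate before you decrypt" rule of slide 8, worked through in one runnable Go program. This is an example added here, not code from the talk or from unicreds. The 64-byte data key split into an AES-256-CTR key (first 32 bytes) and an HMAC-SHA256 key (last 32 bytes) is the scheme credstash uses; everything else is an assumption of this example: stubKMS stands in for the KMS GenerateDataKey and Decrypt API calls so it runs offline (its "encrypted key" is an opaque handle only the stub can resolve, standing in for the KMS CiphertextBlob), and the blob framing, the Seal/Open/ctr/tag names and the sample secret are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// stubKMS stands in for the KMS GenerateDataKey and Decrypt calls so the example runs
// offline (an assumption of this example, not the AWS API); only it can unwrap keys.
type stubKMS struct{ keys map[string][]byte }

// GenerateDataKey returns a fresh 64-byte data key, both decrypted and "encrypted".
func (k *stubKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	buf := make([]byte, 64+16)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	plain, wrapped = buf[:64], buf[64:]
	k.keys[string(wrapped)] = plain
	return plain, wrapped, nil
}

// Decrypt resolves an encrypted key; in real KMS this call is gated by IAM and logged.
func (k *stubKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if plain, ok := k.keys[string(wrapped)]; ok {
		return plain, nil
	}
	return nil, errors.New("unknown encrypted key")
}

// Blob layout chosen here: [2-byte len(wrapped)][wrapped key][16-byte IV][32-byte HMAC][ciphertext]
const ivSize, macSize = aes.BlockSize, sha256.Size

// ctr applies AES-256-CTR; the same call encrypts and decrypts.
func ctr(key, iv, src []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}

// tag computes HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC).
func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Seal: data key bytes 0..31 encrypt, bytes 32..63 authenticate. The encrypted
// key is appended to the blob so Open can ask KMS to unwrap it later.
func Seal(k *stubKMS, plaintext []byte) ([]byte, error) {
	dataKey, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := ctr(dataKey[:32], iv, plaintext)
	out := make([]byte, 2, 2+len(wrapped)+ivSize+macSize+len(ct))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(append(append(out, wrapped...), iv...), tag(dataKey[32:], iv, ct)...)
	return append(out, ct...), nil
}

// Open treats the blob as untrusted input: it splits it, unwraps the key via KMS,
// and verifies the HMAC in constant time BEFORE any decryption happens.
func Open(k *stubKMS, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+ivSize+macSize {
		return nil, errors.New("blob too short")
	}
	wl := int(binary.BigEndian.Uint16(blob))
	hdr := 2 + wl + ivSize + macSize
	wrapped, iv := blob[2:2+wl], blob[2+wl:2+wl+ivSize]
	mac, ct := blob[2+wl+ivSize:hdr], blob[hdr:]
	dataKey, err := k.Decrypt(wrapped)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt: %w", err)
	}
	if !hmac.Equal(tag(dataKey[32:], iv, ct), mac) {
		return nil, errors.New("HMAC mismatch: blob rejected before decryption")
	}
	return ctr(dataKey[:32], iv, ct), nil
}

func main() {
	k := &stubKMS{keys: map[string][]byte{}}
	blob, _ := Seal(k, []byte("db-password-constructed")) // constructed sample secret
	pt, err := Open(k, blob)
	fmt.Println(string(pt), err)
}
```

Because a fresh data key is generated for every secret, the CTR nonce never repeats under one key, and because the MAC is checked with hmac.Equal before ctr runs, a flipped ciphertext byte, a truncated file, or a blob whose key belongs to a different KMS all fail closed without producing any plaintext.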

  9. CREDSTASH
    • Uses KMS + DynamoDB to securely store credentials IN AWS
    • KMS is controlled by IAM, so therefore so is Credstash
    • Versent maintains a fork of credstash which is called unicreds!

  10. UNICREDS
    • Written in golang
    • Single static binary
    • Works on Windows, Linux and OSX
    • Adds a few additional features, more in the works

  11. CODE

  12. OTHER PROJECTS
    • credstash, the original in Python, well worth reviewing!
    • coffer, stores bundles of encrypted files in S3, also using KMS for key management
    • aws-vault, securely store and access credentials for AWS

  13. TAKEAWAYS
    • Keep secrets IN your AWS account using tools such as credstash, unicreds and coffer!
    • KMS is a great service; if you’re interested, download the SDK and give it a try
    • Try these tools out and discuss what’s good/bad/ugly for you!

  14. QUESTIONS
    • Fire away.
    • @wolfeidau on Twitter
    • wolfeidau on Github
    • Website www.wolfe.id.au
