Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets IN AWS

Avatar for Mark Wolfe Mark Wolfe
February 24, 2016
Technology
0
130

Managing Secrets IN AWS

Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on 24th of Feb 2016
Avatar for Mark Wolfe

Mark Wolfe

February 24, 2016
Tweet

More Decks by Mark Wolfe

See All by Mark Wolfe
IP Networking in AWS
Avatar for Mark Wolfe wolfeidau
0
64
Getting Into Vue.js
Avatar for Mark Wolfe wolfeidau
0
190
AWS Automation With Lambda
Avatar for Mark Wolfe wolfeidau
1
88
Ansible and Cloudformation
Avatar for Mark Wolfe wolfeidau
1
220
Docker Security
Avatar for Mark Wolfe wolfeidau
0
180
Building a Proxy in Go
Avatar for Mark Wolfe wolfeidau
2
370
Using JWT to Authenticate Microservices
Avatar for Mark Wolfe wolfeidau
1
240
ESPlant Workshop Firmware Overview and Demos
Avatar for Mark Wolfe wolfeidau
0
120
Go kit - A Distributed Programming Toolkit
Avatar for Mark Wolfe wolfeidau
0
140

Other Decks in Technology

See All in Technology
AWS全冠芸人が見た世界 ~資格取得より大切なこと~
Avatar for モブエンジニア masakiokuda
6
6.5k
AZ 名とAZ ID の違いを 何度でも言うよ
Avatar for Kazuki Miura miu_crescent
PRO
0
110
CodeRabbitと過ごした1ヶ月 ─ AIコードレビュー導入で実感したチーム開発の進化
Avatar for mitohato14 mitohato14
0
190
【Λ(らむだ)】最近のアプデ情報 / RPALT20250422
Avatar for Λ lambda
0
140
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
Avatar for のんピ non97
1
820
10ヶ月かけてstyled-components v4からv5にアップデートした話
Avatar for uhyo uhyo
5
440
グループ ポリシー再確認 (2)
Avatar for Murachi Akira murachiakira
0
190
Databricksで完全履修!オールインワンレイクハウスは実在した!
Avatar for Akihiro Kuwano akuwano
0
130
【Oracle Cloud ウェビナー】ご希望のクラウドでOracle Databaseを実行〜マルチクラウド・ソリューション徹底解説〜
Avatar for oracle4engineer oracle4engineer
PRO
1
130
ビジネスとデザインとエンジニアリングを繋ぐために 一人のエンジニアは何ができるか / What can a single engineer do to connect business, design, and engineering?
Avatar for 株式会社カミナシ kaminashi
2
850
AIエージェント開発手法と業務導入のプラクティス
Avatar for Yoshinori Kosaka ykosaka
9
2.5k
Linuxのパッケージ管理とアップデート基礎知識
Avatar for Go Nishimoto go_nishimoto
0
690

Featured

See All Featured
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
45
9.5k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
177
9.7k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.7k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
5
580
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
410
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
75
5.8k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
276
23k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
798
220k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
187
11k

Transcript

  1. MANAGING SECRETS IN AWS

  2. WHO IS THIS GUY? • Mark Wolfe • Devops at

    Versent (we are always Hiring) • I still code.

  3. WHY? • Everything we build has secrets • Passwords and

    API keys for a plethora of services we consume • We don’t want to put these secrets in our code!? • We want to control and audit access to our secrets

  4. KMS? • What is KMS? • Hardware Security Modules (HSMs)

    • Access control using IAM • Auditing provided by Cloudtrail

  5. KMS? • Encrypt, decrypt, and re-encrypt data • Generate data

    keys that can be exported from the service • Generate random numbers

  6. DATA KEYS • Generate a Key • Returns the Key

    Encrypted and Decrypted • Use the Key to encrypt • Append the Encrypted Key and Encrypted data together and store

  7. DATA KEYS CONT. • Decrypt • Read in the file

    and split into the Encrypted Key and Encrypted Data • Pass the Encrypted Key blog to KMS and get back the Decrypted Key • Use the Decrypted Key to Decrypt the data

  8. ENCRYPTION 101 • Don’t trust input data EVER • If

    your using AES ensure you also have a HMAC signature for the encrypted data • Validate the signature prior to decrypting the data • Or use secret box by Dan Bernstein (DJB)

  9. CREDSTASH • Uses KMS + DynamoDB to securely store credentials

    IN AWS • KMS is controlled by IAM, so therefore so is Credstash • Versent maintains a fork of credstash which is called unicreds!

  10. UNICREDS • Written in golang • Single static binary •

    Works on Windows, Linux and OSX • Adds a few additional features, more in the works

  11. CODE

  12. OTHER PROJECTS • credstash, the original in Python, well worth

    reviewing! • coffer, stores bundles of encrypted files in S3 also using KMS for key management • aws-vault, securely store and access credentials for AWS

  13. TAKEAWAYS • Keep secrets IN your AWS account using tools

    such as credstash, unicreds and coffer! • KMS is a great service, if your interested download the SDK and give it a try • Try these tools and out discuss whats good/bad/ ugly for you!

  14. QUESTIONS • Fire away. • @wolfeidau on Twitter • wolfeidau

    on Github • Website www.wolfe.id.au