SlideShare a Scribd company logo
1 of 21
Download to read offline
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Best Practices & Use cases -
AWS Secrets Manager
Vijaya Nirmala Gopal
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Vijaya Nirmala Gopal (Nirmala)
DevOps Solutions Lead - Cloud,
Sonata Software Limited
https://cloudgoddess.blogspot.com/
Ansible Galaxy Contributor
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
❏ AWS Secrets Manager Overview
❏ Top security threats with Credentials
❏ Overlooked Risks
❏ Compliances for AWS & Cloud
❏ Use case for the day
❏ Logging/Monitoring - Cloudwatch
❏ Auditing - CloudTrail
❏ Notifications - SNS
❏ Recover & Restore
❏ With Infrastructure as Code
❏ For Configuration Management Solution
❏ Quick compare
❏ Need of the moment
Agenda
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager - Overview
❏ Key Features - hold & automate secret rotation
Automatic password generator [aws cli]
❏ Pay as you go; No upfront or setup cost
❏ Fine grained IAM access control
❏ Compliance
❏ Audit/Monitor
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Top security threats
Risk Assessments shows below reasons
● Open network ports
● Broad permissions for Application(s)
● Wider privileges for IAM user
● Unprotected keys and credentials
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Overlooked Risks ???
Shared by Teri Radichel, CEO, 2nd Sight Lab, AWS Community Hero
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PCI DSS & CIS with AWS Secrets
Manager
❏ Enforcement on securing credentials
❏ Defined rules for IAM or any other credentials
❏ Recommends/demands keys rotation
❏ Enable sufficient logging
❏ Have audit controls in place
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use case - AWS Secrets Manager
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SSM - AWS CLI
Creation & Retrieval of secrets
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure provisioning - Use cases
How efficient is secrets with Cloudformation
● Use resolve tag to fetch or refer the secrets from Secrets Manager
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
“MasterPassword”: ‘{{ resolve:secretsmanager:RDS-master-password:SecretString:password}}’
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure provisioning - Use cases
How efficient is secrets with Terraform
● Use terraform module ‘aws_secretsmanager_secret’ and
‘aws_secretsmanager_secret_version’ create secrets
● Use output to view the secrets
● AWS CLI for fetching the secrets in user_data
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configuration Management - Use cases
How secrets fit with Ansible
❏ Ansible aws_secret - Lookup plugin for
secrets manager
❏ Use & register with CLI
❏ Know how to fetch and store
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configuration Management - Use cases
Fetch using AWS CLI
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configuration Management - Use cases
Fetch using API(ex. Python)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Auditing Secrets Usage - CloudTrail
❏ Risk Assessments shows below reasons against
credentials misuse
❏ Open network ports
❏ Broad permissions for Application(s)
❏ Wider privileges for IAM user
❏ Unprotected keys and credentials
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CloudTrail - Delete
❏ what happens on Delete
❏ Be known to mischievous actions
❏ Take back the decision in 7 days
❏ Think through the decision
❏ Check integrity by running regressions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Monitoring/Logging Secrets - CloudWatch
❏ Calls made
❏ Access error messages
❏ Sources reaching onto access secrets with timelines
❏ Analyse and action of unused or unrotated secrets
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SNS - AWS Secrets Manager
Get alerted on actions or customize triggers for alert
❏ On Delete
❏ On permission denied to track suspicious access
❏ API Calls
❏ Other examples
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Comparison with other options
AWS SSM Parameter store
❏ Rotate with custom Lambda
❏ Lambda creation and maintenance
❏ No Cross account access
❏ S3 - In Rest & Transit Encrypted texts
❏ Ansible Vault
❏ VM or Instance
❏ Custom made mechanism to rotate
AWS Secrets Manager
❏ All secrets are encrypted
❏ Built in Lambda to rotate
secrets
❏ Billed per secret stored and
API calls
❏ Integration password rotation
❏ Random password generation
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Step Ahead - git-secrets
Access Keys/Credentials in Git Repos
❏ scrutinize the most valuable targets
❏ prevents keys/credentials anywhere in/into repos
❏ Add as Jenkins job to checkout repos dynamically and
scan and report
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!

More Related Content

What's hot

Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSAmazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Amazon Web Services
 
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...Amazon Web Services
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Amazon Web Services
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaAmazon Web Services
 
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by designRichard Harvey
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance John Varghese
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignAmazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Real-Time Insights Lab and Lab Prep
Real-Time Insights Lab and Lab PrepReal-Time Insights Lab and Lab Prep
Real-Time Insights Lab and Lab PrepAmazon Web Services
 
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018Amazon Web Services
 

What's hot (20)

Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWS
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
 
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy Ninja
 
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by design
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
 
Real-Time Insights Lab and Lab Prep
Real-Time Insights Lab and Lab PrepReal-Time Insights Lab and Lab Prep
Real-Time Insights Lab and Lab Prep
 
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 

Similar to AWS Secrets for Best Practices

Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...
Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...
Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...Amazon Web Services
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
 
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayaNirmalaGopal
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDayAmazon Web Services
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day OneAmazon Web Services
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and EncryptionRichard Harvey
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAmazon Web Services
 
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Amazon Web Services
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS Germany
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Amazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Amazon Web Services
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 

Similar to AWS Secrets for Best Practices (20)

Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...
Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...
Mejores prácticas para administrar las operaciones de seguridad en AWS - MXO2...
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
 
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and Encryption
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
 
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 

More from AWS User Group Bengaluru

Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3AWS User Group Bengaluru
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerAWS User Group Bengaluru
 
Slack's transition away from a single AWS account
Slack's transition away from a single AWS accountSlack's transition away from a single AWS account
Slack's transition away from a single AWS accountAWS User Group Bengaluru
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Medlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit markMedlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit markAWS User Group Bengaluru
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerAWS User Group Bengaluru
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3AWS User Group Bengaluru
 
Keynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedKeynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedAWS User Group Bengaluru
 

More from AWS User Group Bengaluru (20)

Demystifying identity on AWS
Demystifying identity on AWSDemystifying identity on AWS
Demystifying identity on AWS
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best Practices
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3
 
Medlife journey with AWS
Medlife journey with AWSMedlife journey with AWS
Medlife journey with AWS
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful career
 
Slack's transition away from a single AWS account
Slack's transition away from a single AWS accountSlack's transition away from a single AWS account
Slack's transition away from a single AWS account
 
Log analytics with ELK stack
Log analytics with ELK stackLog analytics with ELK stack
Log analytics with ELK stack
 
Serverless Culture
Serverless CultureServerless Culture
Serverless Culture
 
Refactoring to serverless
Refactoring to serverlessRefactoring to serverless
Refactoring to serverless
 
Amazon EC2 Spot Instances Workshop
Amazon EC2 Spot Instances WorkshopAmazon EC2 Spot Instances Workshop
Amazon EC2 Spot Instances Workshop
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Medlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit markMedlife's journey with AWS from 0(zero) orders to 6 digit mark
Medlife's journey with AWS from 0(zero) orders to 6 digit mark
 
Exploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful careerExploring opportunities with communities for a successful career
Exploring opportunities with communities for a successful career
 
Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3Lessons learnt building a Distributed Linked List on S3
Lessons learnt building a Distributed Linked List on S3
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Amazon EC2 Spot Instances
Amazon EC2 Spot InstancesAmazon EC2 Spot Instances
Amazon EC2 Spot Instances
 
Cost Optimization in AWS
Cost Optimization in AWSCost Optimization in AWS
Cost Optimization in AWS
 
Keynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedKeynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practiced
 

Recently uploaded

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Recently uploaded (20)

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

AWS Secrets for Best Practices

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Best Practices & Use cases - AWS Secrets Manager Vijaya Nirmala Gopal
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Vijaya Nirmala Gopal (Nirmala) DevOps Solutions Lead - Cloud, Sonata Software Limited https://cloudgoddess.blogspot.com/ Ansible Galaxy Contributor
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ❏ AWS Secrets Manager Overview ❏ Top security threats with Credentials ❏ Overlooked Risks ❏ Compliances for AWS & Cloud ❏ Use case for the day ❏ Logging/Monitoring - Cloudwatch ❏ Auditing - CloudTrail ❏ Notifications - SNS ❏ Recover & Restore ❏ With Infrastructure as Code ❏ For Configuration Management Solution ❏ Quick compare ❏ Need of the moment Agenda
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Secrets Manager - Overview ❏ Key Features - hold & automate secret rotation Automatic password generator [aws cli] ❏ Pay as you go; No upfront or setup cost ❏ Fine grained IAM access control ❏ Compliance ❏ Audit/Monitor
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top security threats Risk Assessments shows below reasons ● Open network ports ● Broad permissions for Application(s) ● Wider privileges for IAM user ● Unprotected keys and credentials
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Overlooked Risks ??? Shared by Teri Radichel, CEO, 2nd Sight Lab, AWS Community Hero
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PCI DSS & CIS with AWS Secrets Manager ❏ Enforcement on securing credentials ❏ Defined rules for IAM or any other credentials ❏ Recommends/demands keys rotation ❏ Enable sufficient logging ❏ Have audit controls in place
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use case - AWS Secrets Manager
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SSM - AWS CLI Creation & Retrieval of secrets
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure provisioning - Use cases How efficient is secrets with Cloudformation ● Use resolve tag to fetch or refer the secrets from Secrets Manager {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}} “MasterPassword”: ‘{{ resolve:secretsmanager:RDS-master-password:SecretString:password}}’
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure provisioning - Use cases How efficient is secrets with Terraform ● Use terraform module ‘aws_secretsmanager_secret’ and ‘aws_secretsmanager_secret_version’ create secrets ● Use output to view the secrets ● AWS CLI for fetching the secrets in user_data
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases How secrets fit with Ansible ❏ Ansible aws_secret - Lookup plugin for secrets manager ❏ Use & register with CLI ❏ Know how to fetch and store
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases Fetch using AWS CLI
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Configuration Management - Use cases Fetch using API(ex. Python)
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Auditing Secrets Usage - CloudTrail ❏ Risk Assessments shows below reasons against credentials misuse ❏ Open network ports ❏ Broad permissions for Application(s) ❏ Wider privileges for IAM user ❏ Unprotected keys and credentials
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CloudTrail - Delete ❏ what happens on Delete ❏ Be known to mischievous actions ❏ Take back the decision in 7 days ❏ Think through the decision ❏ Check integrity by running regressions
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Monitoring/Logging Secrets - CloudWatch ❏ Calls made ❏ Access error messages ❏ Sources reaching onto access secrets with timelines ❏ Analyse and action of unused or unrotated secrets
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SNS - AWS Secrets Manager Get alerted on actions or customize triggers for alert ❏ On Delete ❏ On permission denied to track suspicious access ❏ API Calls ❏ Other examples
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Comparison with other options AWS SSM Parameter store ❏ Rotate with custom Lambda ❏ Lambda creation and maintenance ❏ No Cross account access ❏ S3 - In Rest & Transit Encrypted texts ❏ Ansible Vault ❏ VM or Instance ❏ Custom made mechanism to rotate AWS Secrets Manager ❏ All secrets are encrypted ❏ Built in Lambda to rotate secrets ❏ Billed per secret stored and API calls ❏ Integration password rotation ❏ Random password generation
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step Ahead - git-secrets Access Keys/Credentials in Git Repos ❏ scrutinize the most valuable targets ❏ prevents keys/credentials anywhere in/into repos ❏ Add as Jenkins job to checkout repos dynamically and scan and report
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!