SlideShare a Scribd company logo

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

AWS Chicago
AWS Chicago

Turbo talk 1: "AWS secret manager for protecting and rotating credentials" - Mike Allen, CIO at Morningstar // @mikeoninfosec OWASP + AWS user groups: Using the OWASP Top 10 in AWS

Technology
1 of 35
Download to read offline
©2018 Morningstar, Inc. All rights reserved. Michael Allen, CIO – 10-24-2018 AWS Secrets Manager
Where lots of bad decisions are made….
When a security person sees a password dialog box
When everyone else sees a password dialog box
Proof! - Top Passwords of 2017
The Problem ▪ OWASP TOP 10 – A3 – Sensitive Data Exposure ▪ Many web applications and APIs do not properly protect sensitive data, including passwords, encryption keys, etc. ▪ Developers check in passwords, encryption keys, AWS secrets, etc. into source code repositories (sometimes public) and bad things happen ▪ Passwords are often poorly generated and not rotated frequently ▪ When a password is compromised, it is difficult to change due to it being used in many, disparate locations ▪ Bad password managements lead to data breaches
Overview of AWS Secrets Manager ▪ Makes it easier to rotate, manage and retrieve database credentials, API keys, and other secrets throughout their lifecycle ▪ Particularly good when using built in AWS services like RDS databases as it enables auto rotation ▪ Is region specific (e.g. Ohio and Virginia are completely distinct) ▪ Common Users of Secrets Manager: ▪IT Admins: store and manage access to secrets securely and at scale ▪Security admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications ▪Developers: avoid having to deal with storing secrets in their applications and prevent the security team from cutting you a finding. ☺
Typical Use Case ▪ Connect to a database from application code ▪ Step 1: DBA loads application specific password into secrets manager ▪ Step 2: DevOps engineer deploys application with an attached IAM role ▪ Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credential and connects to the database ▪ DevOps engineer never has access to password! ▪ Password set to automatically rotate
Secrets Manager High Level Overview
Structure of a Secret
Desired Password Lifecycle ▪ Secure and manage secrets centrally ▪ Can store, view, and manage all your secrets in one secure password vault ▪ Secrets manager encrypts these secrets with encryption keys you own and control ▪ Integrated with CloudTrail and CloudWatch for logging and monitoring to meet compliance needs ▪ Example: can be configured to send notification when an admin deletes a secret as an example
Example Cloud Trail Log
Desired Password Lifecycle ▪ IAM Policies: ▪ Tag-based access control and hierarchical names ▪ Resource-based policies for cross-account access ▪ Can restrict access to passwords using MFA or even corporate IP address range ▪ Example: only allow folks to access production passwords from trusted network
Access Control – Using IAM Policies
Desired Password Lifecycle ▪ Rotate Secrets Safely ▪ One-click password rotation for supported AWS services ▪ Built-in integrations for rotating MySQL, PostgreSQL and Amazon Aurora on RDS ▪ Can create custom integrations using Lambda ▪ Uses versioning so that applications won’t break when secrets are rotated
How Much Does It Cost? ▪ Pay only for what you use (no minimum) ▪ Storage: $0.40/month per secret ▪ Access: $0.05 per 10,000 API calls (reads and writes)
©2018 Morningstar, Inc. All rights reserved. Demo #1 - Interface demo and example password creation / storage
Secret Manager Interface
©2018 Morningstar, Inc. All rights reserved. Demo #2 – Retrieving a password in code
Before dbconfig.py gConfiguration file with passwords stored in plain text gConfig file checked into source code repository gNot secure
After retrieve_demo.py ▪ No passwords stored in plain text ▪ IAM role configured on EC2 instance giving permission to retrieve secret from secret manager ▪ OK to check into source code repository ▪ Configurable based on environment / application Name of Secret & Region
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Retrieving a password via AWS CLI
Example of CLI ▪ Step 1: Install AWS CLI and use “aws configure” to setup authentication and region ▪ Step 2: Use “aws secretsmanager help” to show a list of available commands ▪ Step 3: List all secrets in vault ▪ Use “aws secretsmanager list-secrets” ▪ Step 4: Retrieve value of a specific secret ▪ Use “aws secretsmanager get-secret-value –secret-id “dev/app1/database” ▪ Can also create, delete, rotate secrets using CLI ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Rotating an RDS Database Password
Password Rotation Workflow ▪ Step 1: Secrets manager creates a new password with equivalent permissions ▪ Step 2: The new password is promoted and returned via subsequent secrets manager API calls ▪ Step 3: Secrets manager safely disables the original credential ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
Example of Password Rotation ▪ Rotation interval is configurable (30,60, 90 days) ▪ Creates a Lambda function to handle rotation for RDS
Password Rotation Lambda ▪ Built in Lambda functions for RDS ▪ Can create your own custom Lambda’s for other applications that you wish to rotate (extensible)
©2018 Morningstar, Inc. All rights reserved. Demo #3 – Notifying on delete
Notification Workflow ▪ #1 - Enable cloud trail ▪ #2 – Configure cloud trail log file delivery to cloud watch logs ▪ #3 – Create a CloudWatch alarm for a delete event
How keys are protected? ▪ How are the secrets protected? ▪ Secrets manager integrates with Amazon KMS to protect the secrets ▪ Every secret is protected with a unique data encryption key which is in turn protected via a customer master key. Secrets are protected using envelope encryption ▪ You can use the same or different customer master keys for each secret you protect ▪ You can change the customer master key (CMK) at any time but secrets manager does not re-encrypt existing secrets using the new CMK until the value changes.
Ways to access secrets ▪ Programmatically via supplied SDKs and boto3 ▪ Via API call ▪ Must use TLS and Perfect Forward Secrecy ▪ Must authenticate with a signed request using AWS secret key ▪ Via AWS CLI
What’s missing? ▪ No “break glass” functionality (yet). ▪ No support for “dynamic” secrets (e.g. secrets that are generated on the fly and live for a specific duration of time)
Reference Material ▪ When building this presentation, I leveraged slide material and documentation from both Amazon Web Services and OWASP (thanks to both of these awesome organizations).
Questions?

Recommended

Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...AWS Chicago
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS User Group Bengaluru
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practicesMichael Pearce
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 

Recommended

Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...
Matt Badanes' talk from AWS + OWASP "Event-based Scanning for AMI enforcement...AWS Chicago
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS User Group Bengaluru
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practicesMichael Pearce
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...
Keep It Secret, Keep It Safe Credentials and Secrets Management on AWS - AWS ...Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAdam Book
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015Evident.io
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitAmazon Web Services
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsSebastian Taphanel CISSP-ISSEP
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsAkamai Developers & Admins
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...Amazon Web Services
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar Mitchell Pronschinske
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experienceNick Malcolm
 
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayaNirmalaGopal
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key ManagementMongoDB
 

More Related Content

What's hot

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAdam Book
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015Evident.io
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitAmazon Web Services
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsSebastian Taphanel CISSP-ISSEP
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsAkamai Developers & Admins
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security ModelAlert Logic
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...Amazon Web Services
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultShrivatsa Upadhye
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experienceNick Malcolm
 

What's hot (20)

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
 
AWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets ManagerAWS Atlanta meetup Secrets Manager
AWS Atlanta meetup Secrets Manager
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
 
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS AccountsHow to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
How to leverage Evident Security Platform for DFARS-NIST 800-171 AWS Accounts
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
 
Connecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security EventsConnecting Your SIEM Tool with Akamai Security Events
Connecting Your SIEM Tool with Akamai Security Events
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
MongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to AtlasMongoDB World 2019: Lift & Shift MongoDB to Atlas
MongoDB World 2019: Lift & Shift MongoDB to Atlas
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
 
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
The Automation of Supervision: How Regulators and Audit Teams are using AWS t...
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
 
Vault 1.4 launch webinar
Vault 1.4 launch webinar Vault 1.4 launch webinar
Vault 1.4 launch webinar
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
 
Securing AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi VaultSecuring AWS Accounts with Hashi Vault
Securing AWS Accounts with Hashi Vault
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experience
 

Similar to Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayaNirmalaGopal
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key ManagementMongoDB
 
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptxVijayaNirmalaGopal
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Amazon Web Services
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Stenio Ferreira
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...Amazon Web Services
 
MySQL Security on AWS Rds
MySQL Security on AWS RdsMySQL Security on AWS Rds
MySQL Security on AWS RdsMydbops
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...Amazon Web Services
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
Well-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionWell-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionAmazon Web Services
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitAmazon Web Services
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...Amazon Web Services
 

Similar to Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials" (20)

Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secretsVijayanirmala a_community_builders_guidebook_for_securing_your_secrets
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key Management
 
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx2019 community day__chennai_aws_secrets_manager_v0.1.pptx
2019 community day__chennai_aws_secrets_manager_v0.1.pptx
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
MySQL Security on AWS Rds
MySQL Security on AWS RdsMySQL Security on AWS Rds
MySQL Security on AWS Rds
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
 
Well-Architected for Security: Advanced Session
Well-Architected for Security: Advanced SessionWell-Architected for Security: Advanced Session
Well-Architected for Security: Advanced Session
 
AWS Secrets for Best Practices
AWS Secrets for Best PracticesAWS Secrets for Best Practices
AWS Secrets for Best Practices
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 

More from AWS Chicago

AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS Chicago
 
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...AWS Chicago
 
WilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxWilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxAWS Chicago
 
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfSuresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfAWS Chicago
 
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaStreamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaAWS Chicago
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxAWS Chicago
 
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxSaurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxAWS Chicago
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfAWS Chicago
 
Ross Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxRoss Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxAWS Chicago
 
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfrobsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfAWS Chicago
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfAWS Chicago
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxAWS Chicago
 
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxNick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxAWS Chicago
 
Pat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfPat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfAWS Chicago
 
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...AWS Chicago
 
MichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxMichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxAWS Chicago
 
Michal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfMichal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfAWS Chicago
 
Kamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxKamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxAWS Chicago
 
John Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxJohn Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxAWS Chicago
 
JuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxJuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxAWS Chicago
 

More from AWS Chicago (20)

AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user group
 
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
 
WilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxWilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptx
 
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfSuresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
 
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaStreamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
 
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxSaurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Ross Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxRoss Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptx
 
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfrobsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptx
 
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxNick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
 
Pat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdfPat_Davies_AWSCostOptimization_Final.pdf
Pat_Davies_AWSCostOptimization_Final.pdf
 
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
MARK GAMBLE_ASC For Really Remote Edge Computing - AWS Community Day Chicago ...
 
MichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptxMichaelSoule-UsingJupyterNotebooks.pptx
MichaelSoule-UsingJupyterNotebooks.pptx
 
Michal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdfMichal Brygidyn_CloudHackingScenarios.pdf
Michal Brygidyn_CloudHackingScenarios.pdf
 
Kamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptxKamil Kolodziejski_Structura-AWS.pptx
Kamil Kolodziejski_Structura-AWS.pptx
 
John Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptxJohn Merline AWS Certification FAQ.pptx
John Merline AWS Certification FAQ.pptx
 
JuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptxJuliaFMorgado_Breaking_bad_habits.pptx
JuliaFMorgado_Breaking_bad_habits.pptx
 

Recently uploaded

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating credentials"

  • 1. ©2018 Morningstar, Inc. All rights reserved. Michael Allen, CIO – 10-24-2018 AWS Secrets Manager
  • 2. Where lots of bad decisions are made….
  • 3. When a security person sees a password dialog box
  • 4. When everyone else sees a password dialog box
  • 5. Proof! - Top Passwords of 2017
  • 6. The Problem ▪ OWASP TOP 10 – A3 – Sensitive Data Exposure ▪ Many web applications and APIs do not properly protect sensitive data, including passwords, encryption keys, etc. ▪ Developers check in passwords, encryption keys, AWS secrets, etc. into source code repositories (sometimes public) and bad things happen ▪ Passwords are often poorly generated and not rotated frequently ▪ When a password is compromised, it is difficult to change due to it being used in many, disparate locations ▪ Bad password managements lead to data breaches
  • 7. Overview of AWS Secrets Manager ▪ Makes it easier to rotate, manage and retrieve database credentials, API keys, and other secrets throughout their lifecycle ▪ Particularly good when using built in AWS services like RDS databases as it enables auto rotation ▪ Is region specific (e.g. Ohio and Virginia are completely distinct) ▪ Common Users of Secrets Manager: ▪IT Admins: store and manage access to secrets securely and at scale ▪Security admins: audit and monitor the use of secrets, and rotate secrets without a risk of breaking applications ▪Developers: avoid having to deal with storing secrets in their applications and prevent the security team from cutting you a finding. ☺
  • 8. Typical Use Case ▪ Connect to a database from application code ▪ Step 1: DBA loads application specific password into secrets manager ▪ Step 2: DevOps engineer deploys application with an attached IAM role ▪ Application bootstrapping calls Secrets Manager using permissions provided by the IAM role, retrieves credential and connects to the database ▪ DevOps engineer never has access to password! ▪ Password set to automatically rotate
  • 9. Secrets Manager High Level Overview
  • 10. Structure of a Secret
  • 11. Desired Password Lifecycle ▪ Secure and manage secrets centrally ▪ Can store, view, and manage all your secrets in one secure password vault ▪ Secrets manager encrypts these secrets with encryption keys you own and control ▪ Integrated with CloudTrail and CloudWatch for logging and monitoring to meet compliance needs ▪ Example: can be configured to send notification when an admin deletes a secret as an example
  • 13. Desired Password Lifecycle ▪ IAM Policies: ▪ Tag-based access control and hierarchical names ▪ Resource-based policies for cross-account access ▪ Can restrict access to passwords using MFA or even corporate IP address range ▪ Example: only allow folks to access production passwords from trusted network
  • 14. Access Control – Using IAM Policies
  • 15. Desired Password Lifecycle ▪ Rotate Secrets Safely ▪ One-click password rotation for supported AWS services ▪ Built-in integrations for rotating MySQL, PostgreSQL and Amazon Aurora on RDS ▪ Can create custom integrations using Lambda ▪ Uses versioning so that applications won’t break when secrets are rotated
  • 16. How Much Does It Cost? ▪ Pay only for what you use (no minimum) ▪ Storage: $0.40/month per secret ▪ Access: $0.05 per 10,000 API calls (reads and writes)
  • 17.
  • 18. ©2018 Morningstar, Inc. All rights reserved. Demo #1 - Interface demo and example password creation / storage
  • 20. ©2018 Morningstar, Inc. All rights reserved. Demo #2 – Retrieving a password in code
  • 21. Before dbconfig.py gConfiguration file with passwords stored in plain text gConfig file checked into source code repository gNot secure
  • 22. After retrieve_demo.py ▪ No passwords stored in plain text ▪ IAM role configured on EC2 instance giving permission to retrieve secret from secret manager ▪ OK to check into source code repository ▪ Configurable based on environment / application Name of Secret & Region
  • 23. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Retrieving a password via AWS CLI
  • 24. Example of CLI ▪ Step 1: Install AWS CLI and use “aws configure” to setup authentication and region ▪ Step 2: Use “aws secretsmanager help” to show a list of available commands ▪ Step 3: List all secrets in vault ▪ Use “aws secretsmanager list-secrets” ▪ Step 4: Retrieve value of a specific secret ▪ Use “aws secretsmanager get-secret-value –secret-id “dev/app1/database” ▪ Can also create, delete, rotate secrets using CLI ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
  • 25. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Rotating an RDS Database Password
  • 26. Password Rotation Workflow ▪ Step 1: Secrets manager creates a new password with equivalent permissions ▪ Step 2: The new password is promoted and returned via subsequent secrets manager API calls ▪ Step 3: Secrets manager safely disables the original credential ▪ Versioning is used to make this happen (CURRENT vs. PREVIOUS)
  • 27. Example of Password Rotation ▪ Rotation interval is configurable (30,60, 90 days) ▪ Creates a Lambda function to handle rotation for RDS
  • 28. Password Rotation Lambda ▪ Built in Lambda functions for RDS ▪ Can create your own custom Lambda’s for other applications that you wish to rotate (extensible)
  • 29. ©2018 Morningstar, Inc. All rights reserved. Demo #3 – Notifying on delete
  • 30. Notification Workflow ▪ #1 - Enable cloud trail ▪ #2 – Configure cloud trail log file delivery to cloud watch logs ▪ #3 – Create a CloudWatch alarm for a delete event
  • 31. How keys are protected? ▪ How are the secrets protected? ▪ Secrets manager integrates with Amazon KMS to protect the secrets ▪ Every secret is protected with a unique data encryption key which is in turn protected via a customer master key. Secrets are protected using envelope encryption ▪ You can use the same or different customer master keys for each secret you protect ▪ You can change the customer master key (CMK) at any time but secrets manager does not re-encrypt existing secrets using the new CMK until the value changes.
  • 32. Ways to access secrets ▪ Programmatically via supplied SDKs and boto3 ▪ Via API call ▪ Must use TLS and Perfect Forward Secrecy ▪ Must authenticate with a signed request using AWS secret key ▪ Via AWS CLI
  • 33. What’s missing? ▪ No “break glass” functionality (yet). ▪ No support for “dynamic” secrets (e.g. secrets that are generated on the fly and live for a specific duration of time)
  • 34. Reference Material ▪ When building this presentation, I leveraged slide material and documentation from both Amazon Web Services and OWASP (thanks to both of these awesome organizations).