Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
7 likes2,084 views
The document outlines strategies for securing AWS infrastructure using HashiCorp Vault at Beamly, emphasizing the importance of managing AWS keys and implementing IAM roles and groups. It introduces HashiCorp Vault as a tool for securely storing secrets, providing various storage and authentication options, and describes Beamly's specific setup and usage of Vault for credential management. Key takeaways include designing for human error, minimizing the lifespan of secrets, and leveraging Vault's flexible capabilities.
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
- 1. Securing your AWS Infrastructure with Hashicorp Vault @njsaunders neil@beamly.com
- 2. Contents • A review of AWS security concepts • Leaks at Beamly • An Introduction to Hashicorp Vault • How we use use Vault at Beamly
- 3. AWS Credentials Come in pairs: AWS Access Key ID (20 characters, uppercase alphanumeric) AWS Secret Key (Exactly 40 characters, mixed case alphanumeric with symbols) access_key AKIAJ6QZIDJJPHWZ4STA secret_key 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 Ultimately map to one or more “IAM policies” - JSON document that describes what AWS services you can interact with and at what level
- 4. Sources of Keys • AWS Root Key – Delete Immediately! • IAM Roles – Assigned to machines on boot – Credentials dynamically generated and automatically rotated (Managed by AWS Client Libraries). As secure as it gets. • IAM Users – Assigned static keys – Used by entities outside of AWS (External services, developers)
- 7. Response • Killed the AWS Root key permanently • Created IAM Roles for services • Everyone ran around redeploying old services to use IAM • Created IAM groups with restricted access (platform, engineering, finance) • Set up individual IAM account for every engineer • Put each user in an IAM group
- 8. Leak 2
- 10. Hashicorp Vault: Introduction • A tool to securely store secrets – Passwords – API Keys – Anything you want to tightly control access to • Secrets are encrypted at rest and in transit • HTTP API • Uses pluggable back ends for storage/authentication/auditing
- 11. Hashicorp Vault: Storage Backends • Vault supports writing encrypted data to a variety of persistence tiers: – etcd – zookeeper – dynamodb – s3 – mysql – PostgreSQL – Memory – Filesystem – consul • Beamly use Consul
- 12. Hashicorp Vault: Authentication Backends • Before you can read data from Vault you need to authenticate • Vault provides a variety of authentication backends: – Username and password – Github – TLS Certificates – LDAP • Beamly use LDAP
- 13. Hashicorp Vault: Secrets Backends • In addition to storing static secrets, supports dynamically generating credentials on read – AWS – Cassandra – PostgreSQL – MySQL – MSSQL – PKI – X509 Certificates • Currently Beamly only use the AWS backend
- 14. Hashicorp Vault: Policies Control what secrets a vault authenticated user can access path "aws/creds/engineering" { policy = "read" } path "auth/token/lookup-self" { policy = "read" } vault write auth/ldap/groups/engineering policies=engineering Success! Data written to: auth/ldap/groups/engineering vault policy-write engineering vault-acl-engineering.json
- 15. Hashicorp Vault: Beamly Setup
- 16. Authenticate me (Username, password) Valid? Yes, and member X & Y Vault authentication token Vault authentication token Give me an AWS key & secret (Token) Create IAM user with permissions for X & Y IAM tokens for a new user with X & Y AWS Key & Secret Key with permissions for X & Y Delete user Delete user Token/IAM username
- 17. Making it usable for developers • Beamly have a homebrew tap to distribute scripts • brew install platform-tools • Brew formula dependency on Vault • “awsauth” shell script – Reads the uid – Prompts the user for their LDAP password – Authenticates against vault using the uid:password combo – Parses the output and reads the authentication token – Calls Vault to read the AWS secrets backend for the “engineering” policy (By default) using the authentication token previously generated – Sets all combination of environment variables – Writes all popular AWS client files (Boto, aws-cli) – Valid for 1 hour
- 20. Summary • Humans fail: Design for it • Make that philosophy public • Secrets should exist for the least amount of time possible • Vault is a well thought out, well documented, flexible tool
- 22. LONDON Drury House 34-43 Russell Street London WC2B 5HA NEW YORK CITY 84 Wooster Street Suite 703 New York NY 10012 © Beamly 2014. All Rights Reserved.