​Implementing Compliant Secrets with AWS Secrets Manager

akuzminsky 28 views 15 slides Oct 17, 2024

About This Presentation

AWS Secrets Manager, combined with IAM, offers a powerful framework for managing and controlling access to sensitive information. In this talk, I’ll walk through configuring secrets to meet compliance requirements for certifications like ISO 27001, SOC 2, and others.


Slide Content

Compliant Secrets
How to implement with AWS Secrets Manager

Who can read a secret?
ISO 27001 (and SOC2, PCI-DSS, SOX) requirements overview
●Access control: access must be approved and limited to the minimum necessary rights.
●Inventory management: information must be labelled.
●Access rights review
●Encryption
●Access logging
●Off-region backups

AWS Secrets Manager
●IAM access control
●Encryption at rest and in transit
●Rotation
●Replication

Policy evaluation logic

Who has permissions
●An explicit DENY overrides everything else and blocks the action.
●An explicit ALLOW grants the action.
●Otherwise: implicit deny.

Identity or Resource policy?
(Diagram: Role A, Role B and Role C each call GetSecretValue on one Secret.)

Read, Write, Admin permissions
Read
secretsmanager:BatchGetSecretValue
secretsmanager:ListSecrets
secretsmanager:DescribeSecret
secretsmanager:GetSecretValue
secretsmanager:GetRandomPassword
secretsmanager:ListSecretVersionIds
secretsmanager:GetResourcePolicy
Write
secretsmanager:PutSecretValue
secretsmanager:CancelRotateSecret
secretsmanager:UpdateSecret
secretsmanager:RestoreSecret
secretsmanager:RotateSecret
secretsmanager:UpdateSecretVersionStage

Rules for Admin
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::493370826424:role/admin"
  },
  "Action": "*",
  "Resource": "*"
}

Rules for Writer
[
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::493370826424:role/writer"
    },
    "Action": [
      "secretsmanager:PutSecretValue",
      ...
    ],
    "Resource": "*"
  },
  {
    "Effect": "Deny",
    "Principal": {
      "AWS": "arn:aws:iam::493370826424:role/writer"
    },
    "Action": [
      "secretsmanager:DeleteSecret",
      ...
    ],
    "Resource": "*"
  }
]

Rules for Reader
[
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::493370826424:role/reader"
    },
    "Action": [
      "secretsmanager:GetSecretValue",
      ...
    ],
    "Resource": "*"
  },
  {
    "Effect": "Deny",
    "Principal": {
      "AWS": "arn:aws:iam::493370826424:role/reader"
    },
    "Action": [
      "secretsmanager:PutSecretValue",
      ...
    ],
    "Resource": "*"
  }
]

Rules for Others
{
  "Effect": "Deny",
  "Principal": {
    "AWS": "*"
  },
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::493370826424:role/admin",
        "arn:aws:iam::493370826424:role/writer",
        "arn:aws:iam::493370826424:role/reader"
      ]
    }
  }
}
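The three evaluation rules from the "Who has permissions" slide, applied to the Admin/Writer/Reader/Others statements above. This is an added example, not code from the slides or from InfraHouse: a small simulator of IAM's evaluation order (explicit Deny first, then explicit Allow, otherwise implicit deny). The account id and role names are the ones on the slides; the actions hidden behind the slides' "..." are filled in with constructed examples, and wildcard matching for Principal, Action and StringNotLike follows IAM's "*" (any run) and "?" (one character) semantics.

```python
"""Policy-evaluation walk-through for the deck's Secrets Manager resource policy.

Added example, not code from the slides or from InfraHouse: a simulator of the
order on the "Who has permissions" slide (explicit Deny wins, then explicit
Allow, otherwise implicit deny) run against the Admin/Writer/Reader/Others
statements of the resource-policy slides. Account id and role names are those
on the slides; the actions behind the slides' "..." are constructed examples.
"""
from fnmatch import fnmatchcase

ACCOUNT = "493370826424"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/admin"
WRITER = f"arn:aws:iam::{ACCOUNT}:role/writer"
READER = f"arn:aws:iam::{ACCOUNT}:role/reader"

RESOURCE_POLICY = [
    # Rules for Admin
    {"Effect": "Allow", "Principal": {"AWS": ADMIN}, "Action": "*", "Resource": "*"},
    # Rules for Writer: may write, may never delete (constructed action lists)
    {"Effect": "Allow", "Principal": {"AWS": WRITER}, "Resource": "*",
     "Action": ["secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret",
                "secretsmanager:RotateSecret"]},
    {"Effect": "Deny", "Principal": {"AWS": WRITER}, "Resource": "*",
     "Action": ["secretsmanager:DeleteSecret"]},
    # Rules for Reader: may read, explicitly may not write
    {"Effect": "Allow", "Principal": {"AWS": READER}, "Resource": "*",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]},
    {"Effect": "Deny", "Principal": {"AWS": READER}, "Resource": "*",
     "Action": ["secretsmanager:PutSecretValue"]},
    # Rules for Others: deny everything to any principal outside the list
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*", "Resource": "*",
     "Condition": {"StringNotLike": {"aws:PrincipalArn": [ADMIN, WRITER, READER]}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match of one value against one or more patterns."""
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def _condition_holds(statement, principal_arn):
    """Only the StringNotLike / aws:PrincipalArn condition the deck uses."""
    condition = statement.get("Condition")
    if not condition:
        return True
    patterns = condition["StringNotLike"]["aws:PrincipalArn"]
    return not _matches(patterns, principal_arn)


def evaluate(policy, principal_arn, action):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    A matching explicit Deny blocks the action no matter what else matches;
    otherwise a matching Allow grants it; otherwise the implicit deny applies.
    """
    allowed = False
    for statement in policy:
        if not (_matches(statement["Principal"]["AWS"], principal_arn)
                and _matches(statement["Action"], action)
                and _condition_holds(statement, principal_arn)):
            continue
        if statement["Effect"] == "Deny":
            return "explicit_deny"   # Deny overrides everything else
        allowed = True               # keep scanning, a later Deny could still apply
    return "allow" if allowed else "implicit_deny"


def access_matrix(policy=RESOURCE_POLICY):
    """Which role may do which action; 'other' is a constructed unapproved role."""
    principals = {"admin": ADMIN, "writer": WRITER, "reader": READER,
                  "other": f"arn:aws:iam::{ACCOUNT}:role/ci-runner"}
    actions = ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
               "secretsmanager:DeleteSecret", "secretsmanager:ListSecrets"]
    return {name: {a.split(":")[1]: evaluate(policy, arn, a) for a in actions}
            for name, arn in principals.items()}


if __name__ == "__main__":
    for role, results in access_matrix().items():
        print(f"{role:>7}: {results}")
```

Two results are worth noticing when you run it: the writer's GetSecretValue ends as an implicit deny (nothing allows it, and the writer is exempt from the Others guard), while a same-named reader role in a different account is an explicit deny, because the guard's aws:PrincipalArn patterns carry the account id.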

InfraHouse: terraform-aws-secret
module "smtp_credentials" {
  source  = "infrahouse/secret/aws"
  version = "0.6.0"

  secret_description = "SMTP credentials for Postfix smarthost"
  secret_name_prefix = "smtp_credentials"
  environment        = var.environment
  secret_value = jsonencode(
    {
      user : aws_iam_access_key.emailer.id,
      password : aws_iam_access_key.emailer.ses_smtp_password_v4
    }
  )
  readers = [
    module.jumphost.jumphost_role_arn,
    module.mail_twindb_com.instance_role_arn,
  ]
}

https://registry.terraform.io/namespaces/infrahouse
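The requirements slide asks for approved access and periodic access-rights review. The following is an added example, not code from the slides or from the InfraHouse module: a review check that takes the resource policy attached to a secret (the document GetResourcePolicy returns, in the shape the deck's slides use) plus the approved principal set recorded by the review process, and reports every principal granted anything that is not approved, any Allow to a wildcard principal, and whether the catch-all "Rules for Others" Deny is present with an exception list equal to the approved set. The account id and role names are the slides'; the stale "role/contractor" grant is constructed so the review has something to find.

```python
"""Access-rights review of a Secrets Manager resource policy.

Added example, not code from the slides or from InfraHouse. Input is a
policy in the deck's shape (Principal given as {"AWS": ...}); APPROVED
is the list an access-review process would record. The "role/contractor"
grant is a constructed stale entry.
"""

APPROVED = {
    "arn:aws:iam::493370826424:role/admin",
    "arn:aws:iam::493370826424:role/writer",
    "arn:aws:iam::493370826424:role/reader",
}

# Constructed policy: the deck's Admin/Reader/Others statements plus a
# leftover grant to a role nobody approved.
POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::493370826424:role/admin"},
     "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::493370826424:role/reader"},
     "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::493370826424:role/contractor"},
     "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*", "Resource": "*",
     "Condition": {"StringNotLike": {"aws:PrincipalArn": sorted(APPROVED)}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_resource_policy(policy, approved):
    """Return review findings; the policy passes review when 'passed' is True."""
    granted = set()
    wildcard_allow = False
    guard_exceptions = None          # None until the catch-all Deny is found
    for statement in policy:
        principals = set(_as_list(statement["Principal"]["AWS"]))
        if statement["Effect"] == "Allow":
            if "*" in principals:
                wildcard_allow = True    # an Allow open to any principal
            granted |= principals - {"*"}
        elif principals == {"*"} and statement.get("Action") == "*":
            # The "Rules for Others" guard: Deny all, except the listed ARNs
            condition = statement.get("Condition", {}).get("StringNotLike", {})
            guard_exceptions = set(_as_list(condition.get("aws:PrincipalArn", [])))
    findings = {
        "granted": sorted(granted),
        "unapproved": sorted(granted - approved),
        "wildcard_allow": wildcard_allow,
        "guard_present": guard_exceptions is not None,
        "guard_matches_approved": guard_exceptions == approved,
    }
    findings["passed"] = (not findings["unapproved"] and not wildcard_allow
                          and findings["guard_present"]
                          and findings["guard_matches_approved"])
    return findings


if __name__ == "__main__":
    for key, value in review_resource_policy(POLICY, APPROVED).items():
        print(f"{key}: {value}")
```

In the constructed policy the Others guard would still block the contractor role at request time, because it is not in the exception list; the review nevertheless fails, since a stale Allow becomes live the moment someone widens the guard, and the approved set rather than the guard is the record the auditor compares against.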

Testing Terraform Module
import json

import pytest
from botocore.exceptions import ClientError

# terraform_apply, get_secretsmanager_client_by_role, LOG, DESTROY_AFTER,
# TRACE_TERRAFORM and terraform_module_dir come from the module's test
# helpers and conftest fixtures, which the slide does not show.


def test_module_no_access(probe_role, secretsmanager_client):
    # Apply the module, then prove that a role NOT listed in "readers"
    # is refused when it tries to read the secret.
    with terraform_apply(
        terraform_module_dir,
        destroy_after=DESTROY_AFTER,
        json_output=True,
        enable_trace=TRACE_TERRAFORM,
    ) as tf_output:
        LOG.info("%s", json.dumps(tf_output, indent=4))
        # Assume the probe role and call Secrets Manager as it
        sm_client = get_secretsmanager_client_by_role(probe_role["role_arn"]["value"])
        with pytest.raises(ClientError) as err:
            sm_client.get_secret_value(
                SecretId="foo",
            )
        # The negative test passes only on an explicit access denial,
        # not on some other error such as a missing secret
        assert err.type is ClientError
        assert err.value.response["Error"]["Code"] == "AccessDeniedException"

https://infrahouse.com/posts/2024-09-29-compliant-secrets/
