Ep1: What is AWS secret manager? | AWS Secrets Manager from zero to hero

Captions
Hi everyone, welcome to Hackitect's playground. This is the pilot episode of my YouTube channel, and I hope you will enjoy all of my videos about application security, cloud, DevOps and hacking. I will try to bring you the best from what I know and give back to the community. Today we will talk about secret management. Secret management is pretty impressive stuff because it solves the problem with hard-coded credentials or hard-coded sensitive information in your configuration files, which are very interesting for hackers: when they get into your system they are trying to steal this information to do lateral movement over your environment, and this is pretty impressive. So to avoid storing this sensitive information you will use AWS Secrets Manager or HashiCorp Vault or any other secret management. This episode and the next episode are a battle between AWS Secrets Manager and HashiCorp Vault. I hope that you will enjoy it. Episode 1: secret management battle between AWS Secrets Manager and HashiCorp Vault.

Here we are in the AWS Management Console, so let's go to AWS Secrets Manager. Where can we find it? It's behind Security, Identity & Compliance; Secrets Manager is hidden there, so you need to look for it a little bit. So let's go to Secrets Manager. You can see that there are some related services and pricing. Pricing is 40 cents per secret per month, but you can have a 30-day free trial, which I recommend you to use.

So let's go and create a new secret. New secrets can be created for different platforms: for different Relational Database Services, for DocumentDB, for a Redshift cluster, for other databases, or for your APIs. You can basically use it for predefined databases like MySQL, PostgreSQL, SQL Server; you just need to specify the server, port, database name and IP address. If you want to add your secret for an API key you can do it by the GUI or you can do it with your plain text, which is in JSON. So if you are a fan of the GUI we can do it in the GUI; if you like to make it more hardcore, you can modify the raw data directly in JSON. You can specify the encryption key, which is an important part: which one is the right one, and who has access rights to it. And then let's create some credentials for RDS. I will choose my hackitect account, which I already created for my hackitect database, which is a MySQL database available publicly to my services, and I have full access to it.

So let's click Next and specify the secret name, hackitect secret, and the description is "my first secret" (it's not really my first secret). You can also specify the tags; I write "not really" as the value, and for the key you can specify the environment like development, production and staging, blue-green, it depends on you. You can even specify the billing centers, the teams which are managing the database or secret, so it's perfect for you. You can also specify lots of details in the next steps, like automatic rotation from 30 to 365 days, which is pretty amazing, and you can also say if you want to use a Lambda which already exists for rotation of a secret or you want to create a new one. I will create a new one, my secret Lambda hackitect, and I will use it for rotating my secrets in AWS Secrets Manager. It basically launches a Lambda with a CloudFormation template, which we will show in this demo. I set it to 30 days. Then it's the review; let's check the review if you didn't forget anything. And if you need to use the secret in one of these languages, Java, JavaScript, Python, you can just copy-paste the code. I will show you more details about the usage of the boto3 library, and I'm sure that you will like it.

Now we are waiting for the secret being spun up and being ready to use. You see the hackitect secret is still being configured, and it is here. So you can add new tags; you see here we can basically specify new tags and change the purpose tag, and the tag will be updated; the change is immediate. So you can edit your secret as you want, you can retrieve the secret, you can rotate it immediately, or you can edit or disable that completely, and you have single and multi-user rotation enabled for the databases. See, the changes are pretty simple; managing AWS Secrets Manager is very, very user-friendly and you don't need to be technically skilled to manage your secrets for your databases.

Let's go to CloudFormation. CloudFormation is a common language for AWS resource modeling and provisioning; all of these resources are usually written in JSON or YAML. Let's go to CloudFormation and check the stack which was created for our Lambda, which is serverless. You can see that the SecretsManager RDS MySQL rotation for a single user was created, and we can see all the stack info, the events which are attached to this CloudFormation template, the outputs, and the template itself. You can switch between JSON and YAML; it really depends if you like YAML or JSON, so it's up to you. Let's go to the Designer, which is a tool for viewing, creating and modifying CloudFormation templates. The CloudFormation template created for us a Secrets Manager role, a Secrets Manager function (I mean the Lambda function) and a Lambda permission to get the secret and decrypt it.

So let's take a look at the Lambda function which was created by CloudFormation for us. Let's go to Services; Lambda is hidden behind Compute (there are different ones around, we will talk about that). Check Compute, it's the first one, and you can find Lambda. So go to Lambda functions and find our secret Lambda hackitect, and you can see Lambda layers; you can have different layers for the different libraries, which allows you to layer your code. You see the permissions for the Lambda; you have a resource-based policy and the function policy, which help you to define basically which resource can invoke the Lambda and what the Lambda can do. So you see here the resource-based policy: the Lambda can be invoked by Secrets Manager, and the permissions that the Lambda assumes to decrypt and get the secret. Then you can also check the code of the Lambda, which is provided to us out of the box. So if you don't trust the code provided to you by AWS you can just check it here, you can change it, you can shape it to your needs; so if you want to change some bits of the rotation you are free to do it by yourself. You can also see the tags; tags are created automatically for us. You can see the VPC which is attached to the Lambda, so you actually need to have access to the Lambda, for example from your RDS database, if you are willing to use it from the database. You can also add a destination; you can send it to a specific destination, so everything is up to you. You can also change the runtime, you can publish new versions, you can create aliases and see them on the screen. So it's very simple and it's an automated deployment of a serverless function for us. If you pick the layers you see that we don't have any layers added.

And if we go to Monitoring you can see all the monitoring related to the Lambda; it takes some time to load, and you can basically go to CloudWatch Logs, open the logs and see everything that is happening with your Lambda. All the status is attached to your Lambda service, and if it fails (because I already failed with my Lambda before) you will see it, and you will see what is happening in every step of the Lambda run. You see how much time the task takes to execute, so you can see how much you will basically pay, what your cost will be, and you can also see the log groups: you see that in your log groups there is a specific log group for our Lambda. And that's pretty much all you need to know about our Lambda rotation which was created for us.

Another part of the process of creating secrets: you can delete the secret with the scheduling mechanism. You can schedule the deletion from 7 to 25 days; then you just need to wait. After a secret is scheduled for deletion it shouldn't be available for you anymore, so if you go to the list of the secrets you will not see your secret anymore. Don't be surprised, it's just because it's scheduled for deletion; it shouldn't be accessible for you.

I created for us and for our session today a new API key, a hackitect API key, which we will use with the connectivity to the boto3 library. It's perfect in Python 3 and we will play with that a little bit with Visual Studio Code; we will have lots of fun with coding. It's just a small piece of code, but I still hope that everyone will enjoy getting the secret code, and it's a good basic code for getting your secret and getting the value of the secret. You need to copy-paste the code for Python 3, as you see here; you can use other languages but I'm more a fan of Python 3. So let's go over to Python; we will get our hands a bit dirty. So install Visual Studio Code with the Python linter, run the code, and let's go for it.

Here we are in Visual Studio Code. As I said already, the plugins are available; I love these plugins, I recommend them to you. I will copy-paste the code which I get from AWS. The secret name is already predefined for us, even the region, so we don't need to do many changes in the variables in the code. You see that the method which is already there is get_secret. It is not everything which will allow us to get the value of the secret; to get the value of the secret we need to write our own code. See, there is nothing much that we can do with this method, so let's give it some improvements. Now let's define a new variable, my_secret, and we will need to assign to this variable the value of get_secret_value from the boto3 library, from the client. client.get_secret_value is the method which we will use. This method has three parameters: you can use the secret ID, you can use the version, you can use the stage, so it depends on you. For simplicity I will use just the secret ID, so SecretId equals secret_name, which we already have in the code, and print it, so print my_secret. Now we will call the method get_secret.

And when you get the output of this method you will not be satisfied with the output, because it's really hardly readable. So let's do some small alignments; our purpose is to make it more readable. We will use two libraries, json and jsonpickle, to smooth and polish the output we get from AWS. As you see here, the output is not really readable, so we need to do something with that; for some people it's okay, but I like to make it more perfect. So to use the JSON library we will need to import new libraries: import json and import jsonpickle. These two libraries are needed to smooth the JSON output: json.dumps (I hope that you are getting what I'm writing) of json.loads. It's a small workaround that we need to do here to make it really great, because there's some problem with the datetime: it's not easily serializable. So json.loads of jsonpickle.encode of my_secret, and then we need to add some more stuff: indent will be 1, with sort_keys True, because we want to sort the keys. And complete the print. Now run the code and you should get the smooth output, easy to read. As you see, we get the headers, we get keep-alive, we get the content type, we get the secret and the plaintext decrypted, we see the version and we see the version stages, which is AWSCURRENT, so we get the current version of the secret in our terminal, and you can do it with your software also.

And that's all for today. Thank you for watching the video; I hope that you enjoy the content. Just to sum up what we saw today: it's all about AWS Secrets Manager, which is a provided service; that means that this is managed by AWS, you get CloudFormation scripts which create a rotation Lambda for you, and it provides lots of interesting features. In the context of HashiCorp Vault, which is fully managed by you, it's slightly different. So if you enjoyed my video please hit subscribe or like it; it motivates me to create more videos for you, and I'm looking forward to seeing you. Bye bye.
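The retrieval and pretty-printing flow the video walks through (client.get_secret_value(SecretId=...), then a sorted, indented JSON dump that survives the datetime fields), written out as an added example; this is not the video's code nor the AWS sample snippet. It keeps the boto3 client construction from the AWS sample for real use, but replaces jsonpickle with json.dumps(default=...) from the standard library, and drives the functions with a constructed fake client so the script runs offline. The secret name, region, ARN and version ID in the fake response are placeholders. The dump masks the decrypted value by default, since a response printed to a terminal or log is exactly the kind of place a hard-coded credential ends up again.

```python
"""Fetch a secret from AWS Secrets Manager and pretty-print the response.

Added example, not the video's code. Assumptions: the secret name and region
are placeholders, and the FakeSecretsManagerClient below is a constructed
stand-in that returns the same field names boto3 returns.
"""
import json
from datetime import datetime, timezone

SECRET_NAME = "hackitect-secret"   # placeholder, assumption
REGION_NAME = "eu-west-1"          # placeholder, assumption


def real_client(region_name=REGION_NAME):
    """Build the boto3 client the way the AWS sample snippet does (needs credentials)."""
    import boto3  # imported lazily so the offline demo does not require it
    return boto3.session.Session().client(service_name="secretsmanager", region_name=region_name)


def fetch_secret(client, secret_id, version_stage="AWSCURRENT"):
    """get_secret_value takes SecretId, VersionId or VersionStage; we use the stage."""
    return client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)


def secret_payload(response):
    """Return the decrypted secret: a dict if SecretString is JSON, else the raw str/bytes."""
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            return text
    return response["SecretBinary"]


def _json_default(obj):
    """json.dumps hook for the fields boto3 returns that are not JSON-native."""
    if isinstance(obj, datetime):
        return obj.isoformat()
    if isinstance(obj, bytes):
        return obj.hex()
    raise TypeError(f"not JSON serializable: {type(obj).__name__}")


def pretty(response, redact=True):
    """Sorted, indented JSON of the whole response (indent=1, sort_keys=True as in the video).

    With redact=True the decrypted value is masked so the dump is safe to log."""
    data = dict(response)
    if redact:
        for key in ("SecretString", "SecretBinary"):
            if key in data:
                data[key] = "***REDACTED***"
    return json.dumps(data, indent=1, sort_keys=True, default=_json_default)


class FakeSecretsManagerClient:
    """Constructed stand-in: same response shape as boto3, placeholder identifiers."""

    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {
            "ARN": f"arn:aws:secretsmanager:{REGION_NAME}:000000000000:secret:{SecretId}-PLACEHOLDER",
            "Name": SecretId,
            "VersionId": "00000000-0000-0000-0000-000000000000",
            "SecretString": self._secrets[SecretId],
            "VersionStages": [VersionStage],
            "CreatedDate": datetime(2020, 5, 14, tzinfo=timezone.utc),  # the datetime that breaks plain json.dumps
            "ResponseMetadata": {"HTTPStatusCode": 200},
        }


def demo():
    """Run the whole flow against the fake client; returns (parsed secret, redacted dump)."""
    client = FakeSecretsManagerClient({SECRET_NAME: '{"api_key": "constructed-value"}'})
    response = fetch_secret(client, SECRET_NAME)
    return secret_payload(response), pretty(response)


if __name__ == "__main__":
    payload, dump = demo()
    print(dump)
    print("api_key present:", "api_key" in payload)
```

To run it against a real secret, swap the fake for real_client() and keep redact=True anywhere the dump leaves your terminal; secret_payload is the only place the decrypted value is handed back.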
Info
Channel: Hackitect's playground
Views: 1,510
Rating: undefined out of 5
Keywords: aws, devops, devsecops, hackitect, cybersecurity, coding, python, appsec, security, vault, cloud, itsecurity, secrets, management, saas, marek, šottl, AWS, DevOps, DevSecOps, training, tutorial, demo, boto3
Id: ekkiO6Rrhhw
Channel Id: undefined
Length: 15min 43sec (943 seconds)
Published: Thu May 14 2020