Ahead of re:Inforce: Security in the Cloud Operating Model with AWS and HashiCorp
»Secure AWS Environments with Vault
As companies move to the cloud with AWS, the security layer transitions from a fundamentally high-trust world enforced by a strong perimeter and firewall to a low-trust environment with no clear or static perimeter. As a result, the foundational assumption for IT needs to shift from securing based on IP address to using identity to restrict and safeguard access to resources and sensitive information. HashiCorp Vault helps bridge the gap and enables a seamless transition with AWS and will be discussing potential approaches at AWS re:Inforce next week. If you have additional questions on the information in this blog, stop by the HashiCorp booth at re:Inforce, booth 844.
Typically business will want to solve two challenges in this shift: Centralized Secrets Management and Encryption as a Service. For AWS customers, HashiCorp Vault solves for these challenges through a number of specific AWS integrations.
»Secrets Engine
Leveraging dynamic secrets reduces the risk of a breach occurring as a result of credentials falling into the wrong hands. Vault offers a dedicated AWS secrets engine for generating EC2/IAM credentials on demand. These credentials can be pre-configured to be used for specific AWS services and then expire after a given interval. More details: https://www.vaultproject.io/docs/secrets/aws/index.html
»Authentication Method
Generating dynamic credentials greatly reduces the risk of applications being attacked, especially when using single-use tokens. Vault can automate this process through the EC2/IAM auth method. This enables Vault to generate tokens based on a specified role which are then used to facilitate access to various systems. More details: (https://www.vaultproject.io/docs/auth/aws.html).
»Data Encryption
Encryption can solve the risk to data in motion and at rest to an extent, but trusting application developers to properly encrypt and decrypt data could lead to gaps in security. HashiCorp Vault addresses this by encrypting and decrypting data for developers via the transit secrets engine. More details: https://www.vaultproject.io/docs/secrets/transit/index.html)
HashiCorp is a sponsor at this year's AWS re:Inforce in Boston. Our team will be there to provide insights and answer questions about how Vault helps enterprises solve security in AWS environments. We look forward to seeing you at booth 844.
To learn more about HashiCorp's approach to security in the Cloud Operating Model, please read this whitepaper: https://www.hashicorp.com/cloud-operating-model
For more information about HashiCorp Vault, please visit the Vault product page.
Sign up for the latest HashiCorp news
More blog posts like this one
How secret scanning works
HCP Vault Radar conducts ongoing reconnaissance of unsecured secrets stored as plain text in code repositories as well as configuration, DevOps, and collaboration tools.
Secrets sync now available on Vault Enterprise to manage secrets sprawl
Secrets sync is a new feature in HashiCorp Vault that facilitates centralized management, governance, and control of secrets for multiple external secret managers.
A blueprint for cloud success with HashiCorp at Google Cloud Next
A recap of HashiCorp infrastructure and security news and developments from Google Cloud Next, from scaling infrastructure as code to fighting secrets sprawl and more.