» Secure AWS Environments with Vault
As companies move to the cloud with AWS, the security layer transitions from a fundamentally high-trust world enforced by a strong perimeter and firewall to a low-trust environment with no clear or static perimeter. As a result, the foundational assumption for IT needs to shift from securing based on IP address to using identity to restrict and safeguard access to resources and sensitive information. HashiCorp Vault helps bridge this gap and enables a seamless transition to AWS, and HashiCorp will be discussing potential approaches at AWS re:Inforce next week. If you have additional questions on the information in this blog, stop by the HashiCorp booth at re:Inforce, booth 844.
Typically, businesses will want to solve two challenges in this shift: centralized secrets management and encryption as a service. For AWS customers, HashiCorp Vault addresses these challenges through a number of specific AWS integrations.
» Secrets Engine
Leveraging dynamic secrets reduces the risk of a breach occurring as a result of credentials falling into the wrong hands. Vault offers a dedicated AWS secrets engine for generating EC2/IAM credentials on demand. These credentials can be scoped in advance to specific AWS services and expire automatically after a given interval. More details: https://www.vaultproject.io/docs/secrets/aws/index.html
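The on-demand credentials above come back from Vault with a lease: a duration after which Vault revokes the AWS credential, and a lease ID the application uses to renew or revoke it early. The following is an added example (not code from the blog post or from the Vault project) showing how a workload would handle that lifecycle client-side. It uses only the Python standard library, contacts no server, and embeds a constructed sample of the JSON shape that `vault read -format=json aws/creds/<role>` returns; the role name `deploy` and the key values are placeholders. The `sys/leases/renew` and `sys/leases/revoke` paths are Vault's documented lease endpoints.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of the JSON that `vault read -format=json aws/creds/<role>`
# returns; the key values are placeholders, not real AWS credentials.
SAMPLE_CREDS_RESPONSE = json.dumps({
    "lease_id": "aws/creds/deploy/EXAMPLE-LEASE-ID",
    "lease_duration": 3600,
    "renewable": True,
    "data": {
        "access_key": "AKIAEXAMPLEACCESSKEY",
        "secret_key": "EXAMPLE-SECRET-KEY",
        "security_token": None,
    },
})


@dataclass
class DynamicCredential:
    access_key: str
    secret_key: str
    security_token: Optional[str]
    lease_id: str
    lease_duration: int   # seconds granted by Vault (the role's TTL)
    renewable: bool
    issued_at: float      # epoch seconds when the credential was received


def parse_credentials(raw_json: str, issued_at: float) -> DynamicCredential:
    """Turn the secrets-engine response into a credential with lease metadata."""
    doc = json.loads(raw_json)
    data = doc["data"]
    return DynamicCredential(
        access_key=data["access_key"],
        secret_key=data["secret_key"],
        security_token=data.get("security_token"),
        lease_id=doc["lease_id"],
        lease_duration=int(doc["lease_duration"]),
        renewable=bool(doc.get("renewable", False)),
        issued_at=issued_at,
    )


def seconds_remaining(cred: DynamicCredential, now: float) -> int:
    """Time left before Vault revokes the underlying AWS credential."""
    return max(0, int(cred.issued_at + cred.lease_duration - now))


def should_renew(cred: DynamicCredential, now: float, fraction: float = 0.5) -> bool:
    """Renew once less than `fraction` of the lease is left. Non-renewable
    leases (for example STS-backed credentials) must be re-requested instead."""
    if not cred.renewable:
        return False
    return seconds_remaining(cred, now) < cred.lease_duration * fraction


def renew_request(cred: DynamicCredential, increment: int) -> Tuple[str, Dict[str, object]]:
    """Path and body for PUT /v1/sys/leases/renew. Vault caps the result at the
    role's max_ttl, so read lease_duration back from the response."""
    return "sys/leases/renew", {"lease_id": cred.lease_id, "increment": increment}


def revoke_request(cred: DynamicCredential) -> Tuple[str, Dict[str, object]]:
    """Path and body for PUT /v1/sys/leases/revoke, used when the workload
    finishes early so the IAM credential does not outlive its use."""
    return "sys/leases/revoke", {"lease_id": cred.lease_id}


if __name__ == "__main__":
    cred = parse_credentials(SAMPLE_CREDS_RESPONSE, issued_at=0.0)
    print("remaining at t=1000s:", seconds_remaining(cred, now=1000.0))
    print("renew at t=2000s?", should_renew(cred, now=2000.0))
    print(revoke_request(cred))
```

The renewal threshold is deliberately conservative: renewing at half the lease leaves room for a retry if Vault is briefly unreachable, and revoking on shutdown keeps the window in which a leaked key is valid as short as the workload's actual run.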
» Authentication Method
Generating dynamic credentials greatly reduces the attack surface of applications, especially when using single-use tokens. Vault can automate this process through the EC2/IAM auth method, which lets a workload authenticate to Vault with its AWS identity. Vault then issues a token based on a specified role, and that token is used to access various systems. More details: https://www.vaultproject.io/docs/auth/aws.html
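With the IAM variant of the auth method, the workload never presents a static Vault credential: it signs an `sts:GetCallerIdentity` request with the AWS credentials it already has, and Vault forwards that signed request to STS to learn which principal it is, then maps the principal to a role. The block below is an added example, not code from the blog post or from Vault itself, that builds that login payload offline with the Python standard library. The SigV4 signing is my own implementation of AWS's published signing scheme; the `auth/aws/login` field names and the `X-Vault-AWS-IAM-Server-ID` header are Vault's documented ones. The role name `deploy`, the server ID value and the access/secret keys used in the usage call are placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# The client signs this request but never sends it; Vault does, and trusts
# the principal STS reports back.
STS_URL = "https://sts.amazonaws.com/"
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_REGION = "us-east-1"
STS_SERVICE = "sts"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str) -> bytes:
    # Standard SigV4 key derivation chain.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, STS_REGION)
    k_service = _hmac(k_region, STS_SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_get_caller_identity(access_key: str, secret_key: str,
                             session_token: Optional[str] = None,
                             vault_server_id: Optional[str] = None,
                             amz_date: Optional[str] = None) -> Dict[str, str]:
    """SigV4-signed headers for POST https://sts.amazonaws.com/ (GetCallerIdentity).

    vault_server_id, when set, is bound into the signature through the
    X-Vault-AWS-IAM-Server-ID header, so the signed request is only accepted by
    a Vault whose role carries the matching iam_server_id_header_value. That
    stops a captured login payload from being replayed against another cluster.
    """
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
    }
    if session_token:  # temporary credentials (instance profile, assumed role)
        headers["X-Amz-Security-Token"] = session_token
    if vault_server_id:
        headers["X-Vault-AWS-IAM-Server-ID"] = vault_server_id

    # Canonical headers: lowercase names, sorted, one per line, all signed.
    names = sorted(headers, key=str.lower)
    canonical_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(n.lower() for n in names)
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{STS_REGION}/{STS_SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def build_vault_login_payload(role: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Body for POST /v1/auth/aws/login. Vault wants each piece base64-encoded
    and the headers as a JSON map of header name -> list of values."""
    header_map = {name: [value] for name, value in headers.items()}

    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")

    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps(header_map)),
    }


if __name__ == "__main__":
    # Placeholder credentials; a real workload reads them from its instance
    # profile or environment and never hard-codes them.
    hdrs = sign_get_caller_identity("AKIAEXAMPLE", "EXAMPLESECRET",
                                    vault_server_id="vault.example.internal")
    print(json.dumps(build_vault_login_payload("deploy", hdrs), indent=2))
```

On the Vault side, the matching role pins which IAM principal ARNs may log in and what policies the resulting token carries; the signed request expires with its timestamp, which is why the token is short-lived by construction rather than by convention.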
» Data Encryption
Encryption mitigates the risk to data in motion and at rest to an extent, but relying on application developers to correctly implement encryption and decryption can leave gaps in security. HashiCorp Vault addresses this by encrypting and decrypting data on developers' behalf via the transit secrets engine. More details: https://www.vaultproject.io/docs/secrets/transit/index.html
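Because transit keeps the key inside Vault, the application only ever handles plaintext and an opaque ciphertext string of the form `vault:v<version>:<data>`. That version prefix is the operationally important part: after a key rotation, old ciphertexts still decrypt, but they should be re-wrapped to the newest version so that older versions can be retired. The block below is an added example, not code from the blog post or from Vault, that builds the transit encrypt, decrypt and rewrap requests offline and picks out stored ciphertexts that need re-wrapping. It uses only the Python standard library; the key name `orders` and the sample ciphertext strings are constructed placeholders shaped like transit output. The `transit/encrypt`, `transit/decrypt` and `transit/rewrap` paths and the `context` parameter for derived keys are Vault's documented ones.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Transit ciphertext is "vault:v<key version>:<base64 data>". The version
# prefix lets an application find data that predates the current key version.
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/=]+)$")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def encrypt_request(key_name: str, plaintext: bytes,
                    context: Optional[bytes] = None) -> Tuple[str, Dict[str, str]]:
    """Path and body for POST /v1/transit/encrypt/<key>. Plaintext must be
    base64; `context` is only required for keys created with derived=true."""
    body = {"plaintext": _b64(plaintext)}
    if context is not None:
        body["context"] = _b64(context)
    return f"transit/encrypt/{key_name}", body


def decrypt_request(key_name: str, ciphertext: str,
                    context: Optional[bytes] = None) -> Tuple[str, Dict[str, str]]:
    """Path and body for POST /v1/transit/decrypt/<key>. Rejects anything that
    is not shaped like transit output before it reaches Vault."""
    if not CIPHERTEXT_RE.match(ciphertext):
        raise ValueError("not a transit ciphertext")
    body = {"ciphertext": ciphertext}
    if context is not None:
        body["context"] = _b64(context)
    return f"transit/decrypt/{key_name}", body


def decode_plaintext(response: dict) -> bytes:
    """Decrypt responses carry data.plaintext as base64."""
    return base64.b64decode(response["data"]["plaintext"])


def ciphertext_key_version(ciphertext: str) -> int:
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext")
    return int(m.group(1))


def select_for_rewrap(ciphertexts: List[str], latest_version: int) -> List[str]:
    """After rotating the key, ciphertexts under older versions still decrypt
    (down to the key's min_decryption_version) but should be re-wrapped so
    the old versions can eventually be retired."""
    return [c for c in ciphertexts if ciphertext_key_version(c) < latest_version]


def rewrap_request(key_name: str, ciphertext: str) -> Tuple[str, Dict[str, str]]:
    """POST /v1/transit/rewrap/<key> re-encrypts under the latest version;
    the plaintext never leaves Vault during the operation."""
    return f"transit/rewrap/{key_name}", {"ciphertext": ciphertext}


# Constructed sample values shaped like transit output; not real ciphertext.
SAMPLE_STORED = [
    "vault:v1:Y29uc3RydWN0ZWQtc2FtcGxlLTE=",
    "vault:v2:Y29uc3RydWN0ZWQtc2FtcGxlLTI=",
    "vault:v3:Y29uc3RydWN0ZWQtc2FtcGxlLTM=",
]


if __name__ == "__main__":
    print(encrypt_request("orders", b"constructed record"))
    for old in select_for_rewrap(SAMPLE_STORED, latest_version=3):
        print("rewrap:", rewrap_request("orders", old))
```

The practical payoff of checking the version prefix is that rotation becomes a background job the application can run without ever touching plaintext: scan stored ciphertexts, re-wrap the stale ones, then raise `min_decryption_version` so the retired key versions can no longer decrypt anything.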
HashiCorp is a sponsor at this year's AWS re:Inforce in Boston. Our team will be there to provide insights and answer questions about how Vault helps enterprises solve security in AWS environments. We look forward to seeing you at booth 844.
To learn more about HashiCorp's approach to security in the Cloud Operating Model, please read this whitepaper: https://www.hashicorp.com/cloud-operating-model
For more information about HashiCorp Vault, please visit the Vault product page.