HashiCorp at re:Inforce: Advancing Security Lifecycle Management with AWS
HashiCorp will be at AWS re:Inforce 2025 sharing expert talks, product demos, and news announcements.
AWS re:Inforce is an immersive cloud security learning event kicking off Monday, June 16, in Philadelphia. HashiCorp once again has a major presence at the event, including breakout sessions, expert talks, and product demos.
At re:Inforce, we are sharing the recent launches of Security Lifecycle Management (SLM) products and features that further reduce security risks and dramatically improve the user experiences in AWS for developers, SecOps, and platform teams.
Recent HashiCorp/AWS security developments include:
- HCP Vault Radar: Discover, remediate, and prevent unmanaged secrets
- Bring your own DNS for HCP Vault Dedicated (Beta)
- Automated root credential rotation with Vault
- Prewritten Sentinel policies for AWS for infrastructure compliance
- Terraform ephemeral resources: Secure by design
- re:Inforce speaking session: Scaling Cloud Compliance & Governance with Terraform & AWS
» HCP Vault Radar: Discover, remediate, and prevent unmanaged secrets
HCP Vault Radar, now generally available, helps teams identify and eliminate secrets sprawl by continuously scanning for hard-coded credentials across source code and collaboration platforms such as GitHub, Confluence, and Jira. Radar supports:
- Discovering secrets with pattern matching and entropy analysis
- Remediating issues via secure Vault import or guided best practices
- Preventing new exposures via pull-request scans and CI/CD integrations
These capabilities help prevent credential leaks, ensure compliance, and give security teams visibility into unmanaged risk across the codebase. Read AWS’s blog, Prevent Secret Sprawl with HCP Vault Radar, to learn how HCP Vault Radar can help organizations address the challenges around secret sprawl and bring visibility into both the managed and unmanaged secrets distributed across your organization’s data sources.
» Bring your own DNS for HCP Vault Dedicated (Beta)
Many customers using Vault’s cloud offering want to keep network traffic within isolated or private networks. Now users can connect HCP Vault Dedicated to private systems within AWS through this beta launch. The bring your own DNS feature allows the HashiCorp Virtual Network (HVN) to resolve private endpoints using forwarding rules for DNS resolution queries.
Configuring private DNS servers in AWS to allow resolution from an HVN enables teams to reduce their overall risk profile by ensuring that Vault service names are only resolvable within a private network. This reduces exposure of sensitive services to the internet and prevents potential DNS-based attacks. This feature also allows DNS queries to be logged and monitored centrally, which helps teams retain control over name resolution logs.
» Automated root credential rotation with Vault for AWS auth methods
Vault now provides a centralized plugin rotation mechanism to automate the rotation of root credentials for AWS auth methods and secrets engines, along with LDAP and database plugins.
By creating a centralized rotation manager, similar to Vault’s lease manager, Vault provides an easy and standardized way to add automated rotation of root credentials to plugins.
Customers can regularly rotate credentials, mitigating the risks associated with static secrets and reducing manual interventions. This reduces management burden and helps customers meet compliance and regulatory requirements.
» Terraform adds new pre-written Sentinel policies for AWS Foundational Security Best Practices
Building on our recent release of pre-written Sentinel policies for Center for Internet Security (CIS) standards, we’re proud to announce the release of a new set of pre-written Sentinel policies for AWS. These new policy sets aim to lower the barrier of adoption for policy as code and help organizations meet AWS Foundational Security Best Practices (FSBP). The FSBP Sentinel policies are co-created and co-owned by HashiCorp and AWS, and are now available for use in the Terraform registry.
These policy sets aim to provide a turnkey solution to complex governance challenges and empower organizations to move faster without trade-offs between speed and security. This joint effort highlights the unique value of pairing AWS’s cloud infrastructure with HashiCorp’s automation and security capabilities.
See how to quickly implement pre-written Sentinel policies in this demo video.
» Terraform ephemeral resources: Secure by design
Ephemeral resources are Terraform resources that are essentially temporary. They are responsible for reading data from a source such as AWS Secrets Manager, or opening a connection, and their attributes can be referenced in other places without persisting anything to the Terraform plan artifact or state file.
It’s important to note that ephemeral resources require all their dependencies to exist because they always run during both the plan and apply stages. If an ephemeral resource attempts to read a secret from a secrets manager that doesn’t exist, it will result in an error. However, Terraform can defer the execution of an ephemeral resource to the apply stage if one of its input arguments references a value that is not yet known at the plan stage but will be determined during apply.
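The behavior described above, as an added Terraform example (not code from this post or from HashiCorp): a password is generated and read back through ephemeral resources and passed only to write-only arguments, so its value is not written to the plan or state, and because `secret_id` is unknown until the secret exists, the read is deferred to apply on the first run. All resource names and values are hypothetical, and it assumes Terraform 1.11 or later with AWS and random provider versions that support these ephemeral resources and write-only (`_wo`) arguments.

```hcl
# Added example; all names and values are hypothetical.
terraform {
  # Ephemeral resources need Terraform 1.10; write-only arguments need 1.11.
  required_version = ">= 1.11"
}

# Generated on every plan and apply; the result is never stored.
ephemeral "random_password" "db" {
  length = 24
}

resource "aws_secretsmanager_secret" "db" {
  name = "example/app/db-password"
}

# secret_string_wo is write-only: sent to AWS, kept out of plan and state.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id                = aws_secretsmanager_secret.db.id
  secret_string_wo         = ephemeral.random_password.db.result
  secret_string_wo_version = 1 # increment to push a newly generated value
}

# On the first run secret_id is unknown at plan time, so Terraform defers
# this read to apply. On later runs the secret must exist at plan time too,
# or the read fails with an error.
ephemeral "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret_version.db.secret_id
}

resource "aws_db_instance" "app" {
  identifier          = "example-app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app_admin"
  skip_final_snapshot = true

  # The ephemeral value is only accepted by a write-only argument here.
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db.secret_string
  password_wo_version = aws_secretsmanager_secret_version.db.secret_string_wo_version
}
```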
» Scaling Cloud Compliance & Governance with Terraform & AWS
If you’re attending AWS re:Inforce, please stop by our booth (#1139) to chat with our technical experts, take in a product demo, and learn how companies like yours are accelerating their cloud journey with HashiCorp and AWS. Join us at the following events:
On Monday, join us for an evening at Harper's Garden for light bites, beers on draft, garden cocktails and cool extras like HashiCorp swag, aura headshots, and trivia with prizes. Join us for a brief presentation with AWS: Shift Left and Scale: Automate AWS Governance and Compliance. Register here.
On Tuesday, join us for a lightning talk at re:Inforce covering how policy as code helps enterprises reduce manual enforcement of security policies and simplifies audits with automated tracking and reporting. Please join HashiCorp for: Scaling Cloud Compliance & Governance with Terraform & AWS (Session ID: GRC121-S) on Tuesday, June 17 at 12:30 p.m. ET.
If you can’t make it to re:Inforce this year, we invite you to join HashiCorp and AWS for a webinar, Strengthen AWS Infrastructure Security with Sentinel in Terraform on Wednesday, July 23 — 1 p.m. ET. Register here.