re:Invent Roundup: HashiCorp Zero Trust Security and More with AWS

AWS re:Invent is in full swing this week in Las Vegas. HashiCorp has a big presence at the event, with breakout sessions, expert talks, and product demos. As AWS re:Invent dominates the tech headlines, we wanted to reflect on our current project collaborations with AWS and the state of HashiCorp security and networking initiatives with AWS. That includes securing workloads in EKS with HashiCorp Vault, Vault Lambda Extension Caching, Vault + AWS XKS, updates on HashiCorp Consul on AWS, and more.

»HashiCorp and AWS Security

HashiCorp Vault provides the foundation for modern cloud security. Vault was purpose-built in the cloud era to authenticate and access multiple clouds, systems, and endpoints, and to centrally store, access, and deploy secrets (API keys, credentials, etc.). It also provides a simple workflow to encrypt data in flight and at rest. Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity. With Vault and the HashiCorp model around zero trust security, organizations can manage their transition to AWS while maintaining the level of security they need — one that trusts nothing and authenticates and authorizes everything.

Specific HashiCorp-AWS security developments in the last year include:

»HashiCorp and AWS Secure Workloads in EKS with Vault

HashiCorp partnered with AWS to make it easier to use Vault, our enterprise secrets management solution, on AWS. The launch of EKS Blueprints with AWS allows you to enable and start up Vault instances in Amazon Elastic Kubernetes Service (EKS). EKS Blueprints is a new open source project that aims to make it easier and faster for customers to adopt EKS.

As part of the EKS Blueprints launch, AWS and HashiCorp partnered to build an add-on repository that lets you enable and start up Vault instances in Kubernetes. The add-on also makes it faster and easier to start the Vault instance inside EKS; you can access Vault in EKS with one command.

»Vault Lambda Extension Caching

With the arrival of the Vault AWS Lambda extension in 2020, practitioners who had standardized on HashiCorp Vault for secrets management and AWS Lambda as their serverless compute environment no longer had to make their Lambda functions Vault-aware. The extension retrieves the specified secret from a Vault cluster and presents it to the Lambda function.

This year we announced a new caching feature that can be added to Lambda and Vault infrastructure: Vault Lambda extension caching. This extension can cache the tokens and leased secrets proxied through the agent, including the auto-auth token. This allows for easier access to Vault secrets for edge applications, reduces the I/O burden for basic secrets access for Vault clusters, and allows for secure local access to leased secrets for the life of a valid token.

»Vault + AWS XKS

AWS External Key Store (XKS) is a new capability in AWS Key Management Service (AWS KMS) that allows customers to protect their data in AWS using cryptographic keys held inside on-premises hardware security modules (HSMs), software security modules (SSMs) like Vault, or other key managers outside of AWS. This integration mimics existing support for AWS CloudHSM within KMS, except that the customer-controlled key manager resides outside of an AWS datacenter.

For regulatory and compliance reasons, some enterprises have a need to move their encryption key material and encryption operators completely outside of AWS infrastructure. When Vault is running outside of AWS infrastructure, it can effectively serve as a software security module (SSM) to store and manage this root of trust for a customer’s AWS account.

For a more detailed overview of the external key store capabilities, please see the External Key Store (XKS) announcement on the AWS News Blog.

»HashiCorp Boundary at AWS re:Inforce

Earlier this year at AWS’ security conference, AWS re:inforce, HashiCorp presented a new way to safeguard who and what has access to applications, systems, and endpoints with the beta release of HCP Boundary.

HCP Boundary is now generally available and provides an easy way to securely access critical systems with fine-grained authorizations based on trusted identities. Boundary on the HashiCorp Cloud Platform (HCP) provides a fully managed, single workflow to securely connect to hosts and critical systems across Kubernetes clusters, cloud service catalogs, and on-premises infrastructure.

»HashiCorp Wins AWS Security Partner of the Year in North America

Amazon Web Services has named HashiCorp the winner of its Security Partner of the Year in North America award, validating HashiCorp's vision for delivering zero trust security to cloud infrastructure. The Security Partner of the Year award recognizes top partners with the AWS Security Competency and affirms HashiCorp as a partner that has proven customer success stories securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.

HashiCorp is also one of the 2022 Regional and Global AWS Partner Award winners, with which AWS recognizes leaders around the globe playing a key role in helping customers drive innovation and build solutions on AWS. Announced at AWS re:Invent, the AWS Partner Awards recognize AWS partners whose business models have embraced specialization, innovation, and collaboration over the past year, and whose models continue to evolve and thrive on AWS as they work with customers.

»HashiCorp and AWS Networking

HashiCorp Consul is a cloud services networking platform that helps discover, securely connect, and improve the resiliency/visibility of services across AWS services like Amazon Elastic Cloud Compute (Amazon EC2), Amazon EKS, AWS Fargate, Amazon Elastic Container Service (Amazon ECS), and AWS Lambda. Consul enables services like these to automatically find each other, and enables secure connections between specific services according to security policies.

Specific HashiCorp-AWS networking developments in the last year include:

»Consul on AWS Updates

This year, HashiCorp Consul on Amazon ECS added support for multi-tenancy, AWS Identity and Access Management (IAM), and mesh gateways. AWS Lambda updates, which include Consul mesh services invoking AWS Lambda functions (now generally available), and AWS Lambda functions accessing Consul mesh services (in beta), help organizations interested in serverless computing remove the barrier to adoption due to the difficulty of integrating these workloads into the service mesh. This release means service mesh users can now have consistent workflows for encrypted communications flowing between mesh services and Lambda functions.

At AWS re:Invent, HashiCorp helped highlight Comcast's journey to service networking with HashiCorp Consul and AWS during a speaker session. Comcast's architecture includes multiple on-premises datacenters and cloud services, including Amazon ECS, AWS Fargate, AWS Lambda, Amazon EC2 VMs, on-premises Kubernetes, and on-premises VMs. The multinational telecommunications conglomerate adopted Consul because it flexibly supports Comcast’s cloud and on-premises workloads in multiple AWS regions, as well as the company’s own datacenters. Consul helps manage this complexity while scaling with resiliency.

»HashiCorp Consul on AWS Resources

Modern infrastructure may require that services run in different networks, runtimes, or compute solutions, such as Amazon EC2, Amazon EKS, AWS Fargate, Amazon ECS, or AWS Lambda. To support these services, HashiCorp provides tutorials and documentation on how to run Consul on Kubernetes, VMs and AWS services including Amazon ECS, and AWS Lambda. We have a large number of resources that can help you learn how to use Consul to securely connect your services on AWS:

• Get Started with Consul on Kubernetes
• Get Started with Consul on VMs
• Consul with ECS Workloads
• Consul with Lambda Workloads
• Consul Cluster Peering on Kubernetes in AWS
• Consul Learn Lab: Deploy Resilient Applications with Service Mesh and AWS Lambda

»A Cloud-Managed Zero Trust Security Solution

HashiCorp Cloud Platform (HCP) is a fully managed platform available for HashiCorp Terraform, Vault, Consul, Boundary, Waypoint, and Packer. This year, HashiCorp announced the industry’s first zero trust security solution fully deployed on the cloud, combining HCP Vault, HCP Consul, and HCP Boundary to secure applications, networks, and people, delivered on AWS.

To learn more about Vault, Boundary, or Consul, visit our product pages on HashiCorp.com and read our getting started tutorials on HashiCorp Developer.

And if you’re attending AWS re:Invent, please stop by our booth (#3410) to chat with our technical experts, take in a product demo, and learn how companies are accelerating their cloud journey with HashiCorp and AWS.