Secure
Secure
Secure
What is Secure config?
What is Secure config?
Secrets are configuration, and configuration needs to be securely managed with role-based access controls and an independent tamper-proof audit trail
Secrets are configuration, and configuration needs to be securely managed with role-based access controls and an independent tamper-proof audit trail
Why Secure config?
Why Secure config?
Protect sensitive information such as production database passwords, cloud access keys, and 3rd party API keys.
A "late-binding" approach to inject secrets and config at the optimal deploy and run time stages reduces the possibility that secrets will leak into log files.
Protect sensitive information such as production database passwords, cloud access keys, and 3rd party API keys.
A "late-binding" approach to inject secrets and config at the optimal deploy and run time stages reduces the possibility that secrets will leak into log files.
Benefits
Benefits
Role-based access control (RBAC) locks-down production secets while allowing self-service developer access to dev and staging environments.
Faster SecOps audits.
Role-based access control (RBAC) locks-down production secets while allowing self-service developer access to dev and staging environments.
Faster SecOps audits.
Examples
Examples
Tamper-proof audit trail of all config changes.
Implement a late-binding method to inject secrets into build, deploy and run-time phases.
Relying on a complex system for security is almost as big of a security risk as depending on an insecure one. It should be obvious that a secret is difficult to expose and easy to deliver to, and only to, the systems that need to use it.
Terraform generates an AWS Access Key. This secret is associated with a secret parameter key in a centralized config repository, protected with role-based access control (RBAC). The application that needs to know the AWS Access Key gets the value when its configuration is delivered via the deploy pipeline. Developers never see the access key as it is all handled through automation, with the production environment value protected by RBAC. Still, they can define the interface for the application to include that secret.
Tamper-proof audit trail of all config changes.
Implement a late-binding method to inject secrets into build, deploy and run-time phases.
Relying on a complex system for security is almost as big of a security risk as depending on an insecure one. It should be obvious that a secret is difficult to expose and easy to deliver to, and only to, the systems that need to use it.
Terraform generates an AWS Access Key. This secret is associated with a secret parameter key in a centralized config repository, protected with role-based access control (RBAC). The application that needs to know the AWS Access Key gets the value when its configuration is delivered via the deploy pipeline. Developers never see the access key as it is all handled through automation, with the production environment value protected by RBAC. Still, they can define the interface for the application to include that secret.