Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Day 2 operations with Boundary and Vault

Rosemary Wang
June 06, 2024
Technology
0
14

Secure Day 2 operations with Boundary and Vault

Originally presented at HashiDays: Munich.

Your application developers and platform engineers need to log into machines and services for Day 2 operations, like break glass fixes and manual application testing. In this session, Rosemary shows how systems of record in Terraform, Vault, and Boundary can help secure and facilitate access to machines and services.

Rosemary Wang

June 06, 2024
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
49
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
26
From Cloud-Hosted to Cloud-Native
joatmon08
0
50
Refactoring Applications for Dynamic Secrets
joatmon08
1
37
Catching Commits to Secure Infrastructure as Code
joatmon08
1
48

Other Decks in Technology

See All in Technology
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
Shift-from-React-to-Vue
calm1205
3
1.3k
ABEMA のコンテンツ制作を最適化!生成 AI x クラウド映像編集システム / abema-ai-editor
cyberagentdevelopers
PRO
1
180
10分でわかるfreeeのQA
freee
1
3.4k
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
150
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
220
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
590

Featured

See All Featured
Music & Morning Musume
bryan
46
6.1k
Code Reviewing Like a Champion
maltzj
519
39k
Designing the Hi-DPI Web
ddemaree
280
34k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Building Your Own Lightsaber
phodgson
102
6k
Six Lessons from altMBA
skipperchong
26
3.5k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k

Transcript

  1. ©2024 HASHICORP 1 Infrastructure as code Production infrastructure

  2. ©2024 HASHICORP Platform teams AppDev teams Cloud services 2 Lifecycle

    management Day 0 & 1 - Automated Day 2 - Manual? As code? INFRASTRUCTURE & SECURITY

  3. ©2024 HASHICORP 3

  4. ©2024 HASHICORP Chief Developer Advocate HashiCorp she/her @joatmon08 Rosemary Wang

  5. ©2024 HASHICORP 5 Who is accessing the production system? Authentication

    Secure Day 2 operations What do they have access to? Authorization When and what changes were made to production? Audit

  6. ©2024 HASHICORP 6 “…an information storage and retrieval system that

    can serve as an authoritative source of truth.” business.adobe.com/blog/basics/systems-of-record

  7. ©2024 HASHICORP 7 Machines Endpoints Infrastructure Credentials Certificates Encryption Keys

    Secrets Users Identity Systems of record

  8. ©2024 HASHICORP 8 Infrastructure as code Production infrastructure Secrets Credentials

    to access services Infrastructure resources and policies User access to targets

  9. ©2024 HASHICORP 9 Infrastructure as code Production infrastructure Secrets Store

    SSH key pair in KV secrets engine Create SSH key pair & VM Identify platform engineers who can access VMs

  10. ©2024 HASHICORP 10 github.com/joatmon08/ hashicorp-stack-demoapp

  11. ©2024 HASHICORP 11

  12. ©2024 HASHICORP 12 Infrastructure as code Production infrastructure Secrets Store

    SSH key pair in KV secrets engine Create SSH key pair & VM Identify platform engineers who can access VMs Use session recording to reconcile automation

  13. ©2024 HASHICORP 13

  14. ©2024 HASHICORP 14 Infrastructure as code Production infrastructure Secrets Generate

    dynamic database username and password Create database & configure secrets engine Identify admins or developers who can access database

  15. ©2024 HASHICORP 15 github.com/joatmon08/ terraform-aws-postgres

  16. ©2024 HASHICORP 16

  17. ©2024 HASHICORP 17

  18. ©2024 HASHICORP 18 Who is accessing the production system? Authentication

    Secure Day 2 operations What do they have access to? Authorization When and what changes were made to production? Audit

  19. ©2024 HASHICORP 19 Integrate and use data to authorize and

    audit Establish systems of record Summary Configure just-in-time access to production as needed Generate just-in-time production access Assess recurring Day 2 operations that can be automated Reconcile automation

  20. ©2024 HASHICORP Rosemary Wang @joatmon08 joatmon08.com Thank you!