AWS Secrets Engine Lab

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

4 hours 53 minutes
Video Transcription
Welcome back to the vault training. In this video, we will doing a lab activity using the AWS secrets engine,
so that's gonna bring with it a prerequisite. However, you're gonna need to set up an AWS account before you proceed.
If you need the free tier, you can find the link to the sign up page on the get hub for this particular lesson in the lab materials once you have your AWS account in hand,
first things were going to do is to set up an APP account in AWS for vault. Then we're gonna bind your local vault development server to that account so that it connect with AWS and issue certain commands.
Then we're going to exercise this AWS Secrets engine and see how vault itself generates additional AWS accounts and provides us with the access keys.
And finally, we're going to examine the impact off getting rid of one of those accounts in vault of revoking the account itself and evaluate the implications that it has on AWS. So we're going to start out on the home screen of the AWS management console. You're going to navigate 2 a.m.
because we now want to create the account. That vault is gonna act us.
Let's go to users. You may have users. I do not. We're gonna call this account the vault account.
It's gonna need programmatic access, but it doesn't need access to the council.
Instead of going through and setting up groups and creating all sorts of specific custom permissions,
I'm going to use some of the default permissions that AWS has.
However, if you're doing this in a production capacity, you're gonna want to review vaults documentation for the AWS Secrets engine. And in there they have a very specific policy set that if you want to go ahead and create a custom policy, this is what the vault account needs the ability to do in AWS.
And it's pretty much limited to just this
for a particular example. However, I'm going to give it a few more capabilities by signing at the A w. Excuse me that I am full access policy
worried about tags.
Let's go ahead and create the user.
Now I need to make sure to get a hold of the access keys. So we're gonna copy this off to a note pad somewhere,
and also we're gonna grab the access key.
So what? That complete. Let's hop over to our local computer
and fire up the vault Dev server.
And I'm just gonna copy off the route token as well.
Okay. And let's get used involved. Vault secrets list to see the different secrets cubbyhole, identity, secret, and then system.
We want to use the AWS secrets engine. So the first thing we need to do is enabled that secrets bolt secrets enable
Dash Just say aws course I could go a dash path if I wanted to give it a different path to this secrets engine. But I'm just gonna mounted at the AWS location.
And sure enough, there it is.
Okay. With secrets engine now enabled, we need to set up with secrets engine in such a way that when a talk stay w s, it uses the access keys associated with the vault account we just created through the web Consul in AWS. In order to do this, I'm going to be making call a right operation
of the eight of us config route
information path.
Just as a quick side note, if you are interested in all the nuances in different paths when communicating with the AWS Secrets engine, you can find all that documentation on the hash corpse site. There's an eight AWS engine ap I page that lists out all the different things. We're not gonna cover that in its entirety,
but we are going to use a few of those commands.
So getting back to this AWS CONFIG route, we want to pass it one key parameter for the access key. This is the access key of the account we just created. So go ahead and copy and paste that
and then we're gonna set up another parameter. We'll call it the Secrets key.
This, of course, being the secret key associated with the account that we saved off to our note pad on the side and then last will specify a parameter to just indicate the default region
when vault is interacting with eight of us that various resource is should
be correlated with
and success so that has now been written. Now we need to set up the AWS secrets engine in such a way that when it creates user accounts, it also assigns a certain permission set with him, or it assigns that account of role And in order to do that, we're going to actually be
specifying a AWS policy.
I'm not gonna get into the details, but included in the repository for this training account, you'll find that we have an easy to dash policy file, little Jason file and effectively you can review it. It's providing the account with all sorts of rights and permissions when it comes to easy to resource is.
So let's go ahead and write that file fault AWS called roles and we're gonna give this role in name. We're gonna call it the easy to admin role credential
type is going to be I am user
and the policy document.
We're just gonna pointed to our file
now in the same working directory of the repository that coincides with this module of the training
and success.
So let's give this a shot and call the AWS secrets engine,
see if it can return us access keys for an AWS account that itself is going to generate.
We're gonna call for some credentials
and we want the role of this account to be associated with EEC to admin policy that we just created.
And there we are. So we have now been not given. Ah, vault token, right? We already have that. But we have access keys that allow us to interact with AWS and has a least direction of 768 hours. Now. I could change the configuration and reduce the default leaf least duration if I wanted to
and make thes credentials expire
more frequently and require rotation by the various consuming services that are relying on vault. To obtain these in the first place,
it's up back over to the Web browser and see if we can observe what just happened. So this was the account we created. But this was created by vault itself. So very interesting. Just taking a moment digging in,
we can see Here we go. The permissions EEC to admin was directly attached policy. And if we go over to the security credentials tab, we can see the access key that was just created by vault. So from this point, if we had other processes that wanted to read and interact with AWS,
they could provide these keys and do so
In this circumstance. Let's say there was a problem. We saw some anomalous behavior of, however, this account was being used and we want to go ahead and we want to revoke this particular access key. So we're gonna tell vault a go ahead in revoke this PC to admin account that you created,
but we need to let it know what was the i d off this particular one which is listed up here, right that the least i d
and I'm gonna bring that down
and to diet has successfully revoked the access keys and the account. Let's toggle back over to the browser
It a little refresh and sure enough, the account is gone and that covers it for this lab activity. Just to recap, we created a vault user in AWS. We configured our local death server to talk to AWS as that vault user. We then did some additional configurations of the eight of us secrets engine.
We generated a user account. We saw the access keys that vault provided to us.
We observed that it existed in AWS. We would then revoked the idea of that particular access account that fault generated. And sure enough, the account itself was also removed in AWS
Up Next