#ops (2018-08)

Archive: https://archive.sweetops.com/ops/

2018-08-22

melynda.hunter
04:17:52 AM

@melynda.hunter has joined the channel

2018-08-27

tolstikov
11:16:11 AM

@tolstikov has joined the channel

loweryr
03:12:17 PM

@loweryr has joined the channel

2018-08-28

justin.dynamicd
05:18:32 PM

@justin.dynamicd has joined the channel

justin.dynamicd

It’s a bit of effort to get things like MFA/dynamic passwords pushed “down the stack” .. but oddly enough you end up with less maintenance later if you can pull it off. Well worth the journey IMO

Erik Osterman (Cloud Posse)

yea, also with the new push-style notifications of Okta/Duo/Google, it doesn’t annoy me as much

Erik Osterman (Cloud Posse)

I’d like to get push for AWS MFA

justin.dynamicd

SAML is as close as I’ve gotten. Set your MFA there and use the SAML token to pass into AWS.

justin.dynamicd

fall back to those horrid keys they sell for your root … cause … nothing else works

Erik Osterman (Cloud Posse)

yea, those are the escape hatch

justin.dynamicd

then for programmatic access I’ve become a Vault fan. Let users dynamically request temporary creds, and you can gate vault with MFA as well

justin.dynamicd

so far used it with both Okta/Centrify. Not tried Duo

Erik Osterman (Cloud Posse)

vault as in hashicorp vault?

justin.dynamicd

yup

Erik Osterman (Cloud Posse)

cool

justin.dynamicd

I keep forgetting there’s technically lots of vaults out there …

Erik Osterman (Cloud Posse)

yea, and we’re big on using aws-vault (so for a second I was surprised to learn it supported Okta) - but we’re talking about another vault

Erik Osterman (Cloud Posse)

yea, I’ve seen that feature of hashicorp’s vault

justin.dynamicd

It’s nice. Hardest part becomes policy management … but it’s been solid on the stability front

Erik Osterman (Cloud Posse)

we’ve just done a poc with vault. all-in-all, liked it. it was pretty simple to setup. the security architecture too was pretty sweet (the “two man rule” for unlocking vaults)

Erik Osterman (Cloud Posse)

but it scared me from an operational perspective (just from lack of experience with it) - what happens if all vaults get restarted

Erik Osterman (Cloud Posse)

if you don’t automate the unsealing, that’s a forced outage

justin.dynamicd

or pay for enterprise which can auto-unseal against an HSM

justin.dynamicd

but yeah I hear you

Erik Osterman (Cloud Posse)

so running vault under kubernetes, we automated the unsealing

Erik Osterman (Cloud Posse)

but it felt “wrong”

justin.dynamicd

I actually went full paranoid where I deployed it and did NOT use containers. It sat on instances built using packer from the terraform.io registry

justin.dynamicd

was too concerned about a container reshuffle causing things to happen

justin.dynamicd

but in general I don’t think it ever went down except when I messed up a health check so the proxy “thought” it was down (oops) … so I left the unseal manual

justin.dynamicd

current place has “cyberark” in place … its API is horrible. Just the worst

Erik Osterman (Cloud Posse)

i am not familiar with cyberark

Erik Osterman (Cloud Posse)

what’s that?

justin.dynamicd

similar in concept to hashicorp vault or AWS-vault … but honestly I’m not impressed so far: https://www.cyberark.com/

justin.dynamicd

it “feels” like old software, if that makes sense

2018-08-29

Raghu
03:05:07 PM

@Raghu has joined the channel
