
HashiCorp at re:Invent 2024: Security Lifecycle Management with AWS

A recap of HashiCorp security news and developments on AWS from the past year, for your security management playbook.

Amazon Web Services’ flagship cloud conference — AWS re:Invent — is back, and this year, as an Emerald sponsor, HashiCorp’s presence is bigger than ever. For both in-person and remote attendees, we’re pleased to share the latest news on our long-standing relationship with AWS and how we help organizations provision, secure, run, and connect applications running in AWS.

HashiCorp accelerates organizations’ transition to the cloud by providing lifecycle management and automation for application infrastructure. Our security portfolio includes products to protect, inspect, and connect the sensitive elements across your cloud infrastructure. As AWS re:Invent takes center stage, it’s a great moment to reflect on our major security collaborations with AWS and significant milestones from the past year.

HashiCorp and AWS have partnered to launch several key features that strengthen our joint customers’ security posture. These include dynamic secrets, auto-rotation, secrets sync, secrets scanning from HCP Vault Radar, and session recording for Boundary.

»Protect sensitive data

Organizations need to protect their cloud environments and guard sensitive data with a central system of record to reduce the risk of credential exposure. HashiCorp Vault uses identity-based security workflows and offers a system of record for sensitive information like certificates, keys, and customer data. The following announcements focus on Vault product updates:

»Dynamic secrets to generate just-in-time, short-lived credentials for AWS

Dynamic secrets are now generally available in HCP Vault Secrets, HashiCorp’s cloud-native secrets management solution. Traditional long-lived static secrets can create significant security risks if compromised. Rotating them manually often involves high coordination costs, added complexity, and potential downtime risks.

Dynamic secrets provide a secure, scalable solution by generating time-bound, on-demand credentials — reducing your attack surface and automating lifecycle management. Dynamic secrets for HCP Vault Secrets allow users to generate just-in-time, short-lived credentials for AWS using Workload Identity Federation (WIF) to provide secure access to resources at scale. By implementing dynamic secrets, users minimize the risk and operational overhead associated with long-lived static credentials, because a new short-lived secret is created automatically for each unique access request.

»HCP Vault Secrets adds auto-rotation with AWS

HCP Vault Secrets auto-rotation, now generally available, adds an additional level of automation to an organization’s security management playbook. Teams that only use static secrets are taking on significant risk: if secrets live too long, threat actors who gain access to an active secret have ample time to do damage. Teams often set long expiry windows because manual secret rotation at scale takes significant effort.

In HCP Vault Secrets, automated secret rotations can be set to a 30, 60, or 90-day rotation cadence, or they can be rotated on demand (for example, in a break-glass situation). Teams using HCP Vault Secrets can auto-rotate many types of secrets, including those that are used in AWS destinations. To help maintain application uptime, HCP Vault Secrets auto-rotation allows you to have two versions of each secret live at a time.

»Sync secrets with HashiCorp Vault and AWS Secrets Manager

Secrets sync helps organizations centrally manage secrets and then sync them to destinations that may already exist in their stack. Teams can use secrets sync to sync changes out to multiple external secrets managers, including AWS Secrets Manager, in multi-cloud environments to solve the challenges around isolated secrets management, compliance, and protecting expanded attack surfaces. For more information, check out how to Integrate with AWS Secrets Manager on the HashiCorp Cloud Platform (HCP).

Image: Vault secrets sync with AWS. Sync secrets with Vault and AWS Secrets Manager.

»AWS Secrets Manager displays secrets managed via Vault

To further support secrets sync, users can now search for secrets managed by Vault in AWS Secrets Manager. In the AWS Secrets Manager console, search for secrets “Managed by: HashiCorp” to display secrets managed in Vault.

Image: Secrets managed via HashiCorp Vault appear in the AWS Secrets Manager console.

»Workload Identity Federation for AWS

Vault has always included strong API and CLI support for engineering teams. However, that’s not always the most useful user experience for SecOps or for teams more focused on governance, regulation, and compliance. Vault Enterprise 1.18 extends its focus on UI-driven workflows by introducing UI support for AWS WIF.

Workload Identity Federation (WIF) enables secretless configuration between Vault Enterprise and external cloud providers such as Amazon Web Services. WIF offers organizations another opportunity to limit the use of long-lived credentials and reduce risk while also limiting the need for ongoing operational maintenance and monitoring. Vault Enterprise now includes support to configure AWS WIF through the user interface. This new functionality supports security teams that prefer a more UI-driven workflow to perform Vault secrets management tasks.

»Inspect your cloud environment for security risks

Organizations can’t protect what they don’t know is vulnerable, so thorough and continuous inspection of your environment is crucial. HCP Vault Radar helps organizations detect security vulnerabilities and exposed sensitive data.

»Scanning secrets in AWS infrastructure using Vault Radar

HCP Vault Radar, available in public beta, automates the detection and identification of unmanaged secrets in your code, including AWS infrastructure configurations, so that security teams can take appropriate action to remediate issues. Radar continuously scans in real time for secrets, personally identifiable information (PII), and non-inclusive language (NIL).

Once the scanning is complete, Radar displays the unmanaged or leaked secrets detected in your code. Vault Radar’s findings are categorized by risk and severity. Engineers can also leverage HCP Vault Radar’s pre-commit and pre-receive Git functionality to ensure sensitive information like secrets and API keys is not committed to code repositories, especially when experimenting or conducting local testing of your Terraform configs. This not only protects your infrastructure from security breaches but also ensures you’re following best practices. Secret scanning offers peace of mind and lets engineers focus on building and maintaining systems without worrying about exposing sensitive data.
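To make concrete what a pre-commit secrets check does, here is an added example (written for this page, not HCP Vault Radar’s own scanner) of a Git pre-commit hook that scans the staged content of each file for hard-coded AWS access keys and blocks the commit when it finds any. The detection patterns and the sample Terraform provider block are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal pre-commit hook that refuses commits containing hard-coded AWS
credentials. Added example, not HCP Vault Radar's scanner."""
import re
import subprocess
import sys

# Detection patterns (assumptions for this example):
#  - AWS access key IDs are 20 chars starting with AKIA (long-lived) or ASIA (temporary).
#  - A secret key is assigned (HCL, ini or env style) as a 40-char base64-like token.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?:aws_)?secret(?:_access)?_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])",
        re.IGNORECASE,
    ),
}

def scan_text(path: str, text: str) -> list:
    """Return one finding per matched line: path, line number and pattern name.
    The matched value itself is never returned, so hook output cannot leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append({"path": path, "line": lineno, "type": name})
    return findings

def staged_files() -> list:
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]

def staged_content(path: str) -> str:
    # Read the staged blob, not the working tree: check exactly what would be committed.
    return subprocess.run(["git", "show", f":{path}"], capture_output=True,
                          text=True, errors="replace", check=True).stdout

def main() -> int:
    findings = [f for p in staged_files() for f in scan_text(p, staged_content(p))]
    for f in findings:
        print(f"{f['path']}:{f['line']}: possible {f['type']} (commit blocked)", file=sys.stderr)
    return 1 if findings else 0

# Constructed sample input: a Terraform provider block using AWS's documented example keys.
SAMPLE_TF = '''provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

if __name__ == "__main__":
    sys.exit(main())
```

Install it as an executable `.git/hooks/pre-commit`; a non-zero exit status makes Git abort the commit, so the credentials never enter the repository history.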

»Connect people to machines securely with identity

Enforcing least-privilege access based on trusted identities is a key best practice. Since its inception, Boundary has provided a foundation for secure access with highly automated workflows and identity-driven controls to secure access dynamically.

»Boundary SSH session recording storage on Amazon S3

One of Boundary’s most popular features, SSH session recording, gives administrators insight into user actions over remote SSH sessions, both to meet regulatory requirements and to deter malicious behavior. Amazon S3 is one of the supported storage options: administrators can store signed recordings in their Amazon S3 bucket and replay them within the Boundary admin UI.

Learn more about SSH session recording and storing on Amazon S3 storage buckets.

»Learn more about AWS and HashiCorp

AWS and HashiCorp continue to extend our partnership, building new integrations to help customers work faster, take advantage of more services and features, and provide developer-friendly ways to deploy cloud infrastructure.

The new integrations with Vault and AWS make it even easier to adopt modern cloud security best practices by accelerating the onramp to high-maturity secrets management. Learn more about HCP Vault Secrets here and sign up for our free tier today to access lifecycle management capabilities for your secrets.
