Title: AWS re:Inforce 2024 - Capital One’s approach for secure and resilient applications (DAP302)
Insights:
- Secret Management Challenges: Many enterprises struggle with managing and rotating secrets, especially at scale. Few organizations manage thousands of AWS accounts and millions of secrets like Capital One.
- Centralized Management with Federated Storage: Capital One uses a centralized management system for secrets while storing them in federated application accounts. This approach ensures local access, minimizes latency, and reduces the blast radius in case of a breach.
- Security and Compliance: Security is a top priority for Capital One. They enforce multiple layers of security, including service control policies, identity-based policies, and resource-based policies, to ensure secrets are secure from creation to deletion.
- Secret Rotation: Regular rotation of secrets is crucial for minimizing the risk of unauthorized access. Capital One uses AWS Secrets Manager to automate secret rotation, ensuring compliance and reducing the blast radius of compromised secrets.
- Resiliency: Capital One deploys their secret management solution across multiple regions to ensure high availability. They use cross-region replication for both Secrets Manager and DynamoDB to maintain consistency and resilience.
- Access Control: Capital One differentiates between human and machine IAM roles, enforcing strict access controls to ensure that only authorized applications can access secrets.
- Automation and Monitoring: By centralizing the rotation process and using AWS Lambda functions, Capital One can automate secret management and monitor the process centrally, ensuring compliance and quick incident response.
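The layered policy model named in the insights above (a service control policy, an identity-based policy on the caller's role, and a resource-based policy on the secret, with human and machine roles treated differently) can be illustrated with a small evaluator. This is an added example, not code from the talk or from Capital One: the account id, role names, secret ARN and policy documents are constructed, and the evaluator implements only the core IAM rule that an explicit Deny anywhere wins and that a same-account caller otherwise needs an Allow from the identity or resource policy; it ignores permission boundaries, session policies, cross-account rules and every condition key other than `aws:PrincipalArn`.

```python
"""Simplified three-layer policy evaluation for a Secrets Manager secret.

Added example (not from the talk or Capital One). ARNs, role names and policy
documents are constructed for illustration. The evaluator models:
  1. SCP           - organization-wide guardrail, evaluated first
  2. identity      - the caller role's own policy
  3. resource      - the policy attached to the secret itself
Explicit Deny in any layer wins; otherwise an Allow is required; otherwise
implicit deny. Only the aws:PrincipalArn condition key is supported.
"""
from fnmatch import fnmatchcase

# Constructed sample identifiers (hypothetical account and names).
ACCOUNT = "111122223333"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app/db-password-AbCdEf"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/machine/payments-api"
ROTATION_ROLE = f"arn:aws:iam::{ACCOUNT}:role/machine/central-rotation-lambda"
HUMAN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/human/developer-readonly"

# Layer 1: SCP. No role under the human/ path may ever read a secret value,
# regardless of what its identity policy grants.
SCP = {"Statement": [
    {"Effect": "Deny", "Action": "secretsmanager:GetSecretValue", "Resource": "*",
     "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/human/*"}}},
]}

# Layer 2: identity-based policies, keyed by role ARN.
IDENTITY = {
    APP_ROLE: {"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN}]},
    ROTATION_ROLE: {"Statement": [
        {"Effect": "Allow", "Resource": SECRET_ARN,
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
                    "secretsmanager:UpdateSecretVersionStage"]}]},
    # Deliberately over-broad, to show that the SCP deny still wins.
    HUMAN_ROLE: {"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]},
}

# Layer 3: resource-based policy on the secret. Only the owning application
# role and the central rotation role may read the value. "Principal" is kept
# for realism but not evaluated here; statements are taken to target the caller.
RESOURCE = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "secretsmanager:GetSecretValue",
     "Resource": "*",
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": [APP_ROLE, ROTATION_ROLE]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(cond, principal):
    """Evaluate ArnLike / ArnNotLike on aws:PrincipalArn; fail closed otherwise."""
    if not cond:
        return True
    for operator, kv in cond.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            return False  # unsupported operator: do not let the statement apply
        for key, patterns in kv.items():
            if key != "aws:PrincipalArn":
                return False
            hit = any(fnmatchcase(principal, p) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
    return True


def _applies(stmt, principal, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition"), principal))


def evaluate(principal, action, resource):
    """Return 'ALLOW' or 'DENY' for a same-account caller across all three layers."""
    layers = [SCP, IDENTITY.get(principal, {"Statement": []}), RESOURCE]
    allowed = False
    for policy in layers:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource):
                if stmt["Effect"] == "Deny":
                    return "DENY"          # explicit deny always wins
                allowed = True
    return "ALLOW" if allowed else "DENY"  # implicit deny when nothing allows


if __name__ == "__main__":
    for role in (APP_ROLE, ROTATION_ROLE, HUMAN_ROLE):
        print(role.rsplit("/", 1)[-1], evaluate(role, "secretsmanager:GetSecretValue", SECRET_ARN))
```

Running the block shows the application role and the rotation role reading the secret while the human role is denied even though its own identity policy grants `secretsmanager:*`; a role that is missing from the secret's resource policy is denied by that layer before its identity policy is even consulted, which is the property that keeps the blast radius of a stolen or over-privileged role limited to the secrets it was explicitly granted.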
Quotes:
- "Raise your hand if you are rotating those secrets or those credentials regularly. I see just a few hands up there."
- "At Capital One, we are all in the cloud like no other bank out there, which enables us to create exceptional user experience for our customers."
- "Risk management is our number one priority. It's our business."
- "We want all the secrets to be created and managed sensibly through a set of APIs, even though the secret will be stored in application accounts."
- "A rotated secret always has a shorter blast radius than a long-lived secret."
- "With this centralized management API, we will be able to meet the security and compliance requirements in such a highly regulated environment."
- "We believe with this centralized management API, we will be able to meet the security and compliance requirements in such a highly regulated environment."
- "By implementing the solution with a centralized management, we can have control and visibility and governance of the secrets that are created across all the different thousands of accounts that we have there."