Well-Architected Framework
Use dynamic credentials
Strong identity and access management practices are critical to building a secure environment. While some credentials must always be available, others can be dynamic and short-lived, reducing the risk of exposure while enhancing your security posture.
What are dynamic credentials
Dynamic credentials are temporary, short-lived credentials generated on demand and automatically expire after a specified period. The credentials are typically used in scenarios where long-lived credentials are not necessary or pose a security risk.
Why use dynamic credentials
You can generate dynamic credentials for various services, applications, and users, allowing them to authenticate without exposing their long-term credentials. Using dynamic credentials minimizes the attack surface and reduces the likelihood of credential theft or misuse.
When a service needs to connect to another service, such as a database, it requires some method to authenticate. Traditionally, you might use a username and password or an API token. When these credentials are available for an extended period, there is a greater potential for them to become compromised.
HashiCorp Vault supports generating dynamic credentials for various cloud providers and other systems. For example, Vault can generate dynamic credentials using a supported secrets engine for Kubernetes, AWS, Azure, Google Cloud, and database services like PostgreSQL, MySQL, and Microsoft SQL.
Many of the secrets engines supported by Vault can manage static credentials as well. Where a system does not support dynamic credentials, you onboard the static account to Vault, which then manages the lifecycle (such as rotation) of that account's password for you.
Vault dynamic secrets also integrate with other HashiCorp tools and services like Boundary, allowing you to provide secure access to developers without ever having to share or expose the credentials.
HCP Terraform integrates with Vault, allowing Terraform to generate dynamic credentials during a deployment. Configuring Terraform to request dynamic credentials from Vault allows you to avoid managing static credentials separately.
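As an added example (not code from this page or from HashiCorp), the following Terraform configuration sets up the Vault database secrets engine described above so that every read of `database/creds/app-readonly` yields a fresh, one-hour PostgreSQL role; the host `db.internal.example`, database `appdb`, the `vault-admin` account and the role and connection names are assumed values.

```hcl
# Mount the database secrets engine at "database/".
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# Static admin account Vault uses to create and drop per-lease roles.
# Host, database name and account name are assumed values.
variable "vault_admin_password" {
  type      = string
  sensitive = true
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app-readonly"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.internal.example:5432/appdb?sslmode=verify-full"
    username       = "vault-admin"
    password       = var.vault_admin_password
  }
}

# Each read of database/creds/app-readonly creates a fresh PostgreSQL role
# that expires after 1h; Vault drops it when the lease ends or is revoked.
# VALID UNTIL is a database-side backstop in case Vault cannot reach the DB.
resource "vault_database_secret_backend_role" "readonly" {
  backend = vault_mount.db.path
  name    = "app-readonly"
  db_name = vault_database_secret_backend_connection.postgres.name

  default_ttl = 3600  # seconds
  max_ttl     = 86400

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  revocation_statements = [
    "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]
}
```

The `vault-admin` account remains a static credential that Vault itself holds, so treat it as one of the managed static accounts mentioned above and rotate it through Vault rather than sharing it with applications.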
HashiCorp resources:
- Understand static and dynamic secrets
- Use Vault-backed dynamic secrets in HCP Terraform
- Connect to Kubernetes using Vault and Boundary
- HCP Boundary Vault credential brokering quickstart
- SSH certificate injection with HCP Boundary and Vault
External resources:
- NIST SP 800-53 Security and Privacy Controls for Information Systems
- NIST SP 800-207 Zero Trust Architecture
- OWASP Credential Management Cheat Sheet
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your identity and access management program.
- Define access requirements
- Grant least privilege
- Create permissions and guardrails
- Centralize identity management
- Implement strong sign-in workflows
- Use dynamic credentials (this document)
- Manage access lifecycle
In this section of Identity and access management you learned how replacing long-lived, static credentials with temporary credentials helps improve security. Identity and access management is part of the Secure systems pillar.