Well-Architected Framework
Use dynamic credentials for secure authentication
Long-lived credentials create security vulnerabilities in your infrastructure. Dynamic credentials reduce this risk by generating temporary access tokens on demand.
What are dynamic credentials
Dynamic credentials are temporary, short-lived credentials that are generated on demand and expire automatically after a specified period. They are typically used in scenarios where long-lived credentials are not necessary or pose a security risk.
Reduce credential exposure
You can generate dynamic credentials for various services, applications, and users, allowing them to authenticate without exposing their long-term credentials. Using dynamic credentials minimizes the attack surface and reduces the likelihood of credential theft or misuse.
When a service needs to connect to another service, such as a database, it requires some method to authenticate. Traditionally, you might use a username and password or an API token. When these credentials remain valid for an extended period, the window in which they can be stolen and misused grows with them.
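The following toy broker, added here as an illustration and not code from HashiCorp or Vault, models the lease semantics that make a dynamic credential safer than a static one: each credential is issued for a role with a TTL, can be renewed only up to a hard maximum TTL, and is revoked (and deleted from the backend) when the lease ends, so a copy that leaks is useless once it expires. The role name, TTL values, lease-ID format and the in-memory "database" are all constructed assumptions for the example; the injectable clock exists only so the expiry behaviour can be exercised deterministically.

```python
"""Toy model of dynamic-credential leases (issue, renew, revoke, expire).
Constructed example; it is not Vault's implementation or API."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    issued_at: float
    expires_at: float       # current expiry; moves forward on renewal
    max_expires_at: float   # hard cap: issued_at + max_ttl, never extended
    revoked: bool = False


class FakeBackend:
    """Stands in for the database: it only knows accounts the broker created."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}

    def login(self, username: str, password: str) -> bool:
        # secrets.compare_digest avoids timing differences on the comparison
        stored = self.accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)


class DynamicCredentialBroker:
    """Issues a fresh per-request account tied to a lease, like a secrets
    engine role configured with a default TTL and a max TTL (assumed values)."""

    def __init__(self, backend: FakeBackend, default_ttl: float, max_ttl: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.backend = backend
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.clock = clock  # injectable so tests can advance time
        self._leases: Dict[str, Lease] = {}

    def issue(self, role: str) -> Lease:
        now = self.clock()
        lease = Lease(
            lease_id=f"database/creds/{role}/{secrets.token_hex(8)}",  # constructed format
            username=f"v-{role}-{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(24),
            issued_at=now,
            expires_at=now + self.default_ttl,
            max_expires_at=now + self.max_ttl,
        )
        self._leases[lease.lease_id] = lease
        self.backend.accounts[lease.username] = lease.password  # account created on demand
        return lease

    def renew(self, lease_id: str, increment: Optional[float] = None) -> Lease:
        lease = self._leases[lease_id]
        now = self.clock()
        if lease.revoked or now >= lease.expires_at:
            raise PermissionError("lease is no longer valid")
        wanted = now + (increment if increment is not None else self.default_ttl)
        lease.expires_at = min(wanted, lease.max_expires_at)  # cannot outlive max TTL
        return lease

    def revoke(self, lease_id: str) -> None:
        lease = self._leases[lease_id]
        lease.revoked = True
        self.backend.accounts.pop(lease.username, None)  # account removed from backend

    def sweep(self) -> List[str]:
        """Background expiry: revoke every lease whose TTL has passed."""
        now = self.clock()
        expired = [l.lease_id for l in self._leases.values()
                   if not l.revoked and now >= l.expires_at]
        for lease_id in expired:
            self.revoke(lease_id)
        return expired


class FakeClock:
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(0.0)
    db = FakeBackend()
    broker = DynamicCredentialBroker(db, default_ttl=3600, max_ttl=86400, clock=clock.now)
    lease = broker.issue("readonly")
    print("login while lease valid:", db.login(lease.username, lease.password))
    clock.advance(4000)  # past the 1h TTL without a renewal
    print("revoked by sweep:", broker.sweep())
    print("login after expiry:", db.login(lease.username, lease.password))
```

The two properties worth noticing are that the backend never holds a long-lived shared password (every caller gets its own account that disappears with the lease), and that renewal is bounded by `max_expires_at`, so even a client that keeps renewing must eventually request a new credential.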
Create dynamic credentials with Vault
Vault creates dynamic credentials across multiple platforms, removing the need for long-lived static credentials in your infrastructure. Vault integrates with major cloud providers, container orchestration platforms, and database systems through its secrets engines.
The following are some of the Vault secret engines that support dynamic credentials:
- AWS
- Azure
- Google Cloud
- Kubernetes
- PostgreSQL
- MySQL
- Microsoft SQL
Many of the secrets engines Vault supports allow you to manage static credentials as well. When dynamic credentials are not supported, you onboard the static account to Vault, which then manages the lifecycle of that account's password.
Vault dynamic secrets also integrate with other HashiCorp tools and services like Boundary, allowing you to provide secure access to developers without ever having to share or expose the credentials.
HCP Terraform integrates with Vault, allowing Terraform to generate dynamic credentials during a deployment. Configuring Terraform to request dynamic credentials from Vault means you do not have to manage static credentials separately.
HashiCorp resources:
- Understand static and dynamic secrets
- Use Vault-backed dynamic secrets in HCP Terraform
- Connect to Kubernetes using Vault and Boundary
- HCP Boundary Vault credential brokering quickstart
- SSH certificate injection with HCP Boundary and Vault
- View Vault's secrets engines
External resources:
- NIST SP 800-53 Security and Privacy Controls for Information Systems
- NIST SP 800-207 Zero Trust Architecture
- OWASP Credential Management Cheat Sheet
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your identity and access management program.
- Define access requirements
- Grant least privilege
- Create permissions and guardrails
- Centralize identity management
- Implement strong sign-in workflows
- Use dynamic credentials (this document)
- Manage access lifecycle
In this section of Identity and access management you learned how replacing long-lived, static credentials with temporary credentials helps improve security. Identity and access management is part of the Secure systems pillar.