CoinXP Newsletter Mar. 4 - 15

coinxp.io
Apr 18, 2019

Technical Dev by Architect Weijia

In the past few weeks, we focused on another critical part of securing our CoinXP MainNet: management of credential IDs and keys. These IDs and keys include crypto wallet passwords, crypto account public/private keys, etc. The goal is very clear: we do not want any credential ID or key stored in any storage of our service, we do not want to manually create or manage any credential ID or key, and we do not want to grant access to create/retrieve requests unless necessary.

To accommodate all these requirements, we adopted AWS Secrets Manager as the one and only source for all of our mission-critical credentials. Keys are created and retrieved through SDK APIs, and only when absolutely necessary. To harden this, only services inside the virtual private cloud with the correct AWS account credentials can access the Secrets Manager endpoint. This is the defense against secret hacking.

Since secrets management is the central focus of security, we also put many other techniques in place to ensure that even if a hacker were able to break into our private cloud, he/she would not be able to get access to our credentials stored in AWS Secrets Manager. This is done with the help of AWS fine-grained resource permission control using AWS roles, policies and dynamic delegation. Furthermore, the entire tech stack is automated with kube2iam in our architecture, so that any worker (a pod in our Kubernetes cluster) being brought up is automatically assigned the correct permissions, roles, and policies. This therefore leaves no room for human error or…
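The network restriction described above can be expressed as a Secrets Manager resource policy and audited automatically. The following is an added example, not CoinXP's code: it builds a policy that denies secret reads arriving outside a VPC endpoint and checks whether a given policy carries that statement. The endpoint ID, account ID and role name are constructed placeholders.

```python
import json

# Constructed placeholder: ID of the VPC interface endpoint for Secrets Manager.
VPCE_ID = "vpce-EXAMPLE1234"

def hardened_policy(vpce_id):
    """Resource policy that denies secret reads arriving outside the VPC endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",  # in a resource policy: the secret it is attached to
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def restricts_to_vpce(policy, vpce_id):
    """True if some Deny statement blocks GetSecretValue for all principals
    unless the request came through exactly the given VPC endpoint."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"*", "secretsmanager:*", "secretsmanager:getsecretvalue"}:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        # IAM condition key names are case-insensitive, so normalise them.
        allowed = {k.lower(): _as_list(v) for k, v in cond.items()}.get("aws:sourcevpce", [])
        if allowed == [vpce_id]:
            return True
    return False

# Constructed weak policy: grants a role access with no network restriction.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-worker"},
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "*",
}]}

if __name__ == "__main__":
    print(json.dumps(hardened_policy(VPCE_ID), indent=2))
    print("weak policy restricted:", restricts_to_vpce(WEAK, VPCE_ID))
```

The Deny statement applies to every principal, so operators outside the endpoint are blocked from reading the secret as well; the per-pod roles assigned through kube2iam still need their own Allow.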


CoinXP Chain is committed to building an infrastructure for cryptocurrency exchange. Our mission is to build a trustworthy value-flow ecosystem worldwide.