Secure Access with HashiCorp Boundary and Vault on AWS


The Challenge of Modern Access

Organizations today are increasingly working with hybrid or fully cloud-based infrastructures. At the same time, managing access to sensitive systems is becoming more complex. Who gets access to what? How is that access secured? And how do you ensure that secrets like API keys, passwords and certificates don’t end up in uncontrolled places?

At LinProfs, we answered these questions with an automated solution based on HashiCorp Vault and HashiCorp Boundary, fully deployed on AWS and integrated with Microsoft Entra ID. The result is a secure, scalable and future-proof access infrastructure built on Zero Trust principles. Furkan Kizilbayir, Junior Security Engineer, was responsible for the design and implementation of this project: he automated the environment with Terraform and Ansible and integrated the components into a single, coherent security environment.

Access without Network Access

A key component of our solution is HashiCorp Boundary. Where traditional solutions rely on VPNs, bastion hosts or direct SSH access, Boundary takes a different approach: users get a time-limited session to one specific target, proxied through a Boundary worker, instead of network-level access. They do not set up a VPN and never hold a route to the server. Instead, they authenticate through Microsoft Entra ID and receive only the targets and actions that match their role and context.

This approach aligns with the Zero Trust principle that trust is never assumed from location or network position but derived from identity, verification and policy. Boundary brokers and terminates each session, records session events for auditing, and limits every user to the targets and actions their role grants, so nobody receives more access than strictly necessary.
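As an added example (this is not LinProfs' own Terraform), the Boundary side of this model expressed with the HashiCorp Boundary Terraform provider: an OIDC auth method against Entra ID, a managed group derived from the Entra group claim, one private-IP SSH target with a one-hour session cap, and a role that grants that group nothing beyond listing targets and starting sessions on that one target. The scope names, IP address, controller URL, the Entra group object ID and the `var.entra_*` variables are assumptions, and the `ids=` grant syntax assumes Boundary 0.15 or newer.

```hcl
# Added example, not the project's own code. Assumes the hashicorp/boundary
# provider and a Boundary 0.15+ controller at the assumed URL below.
terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

variable "entra_tenant_id" {}
variable "entra_client_id" {}
variable "entra_client_secret" { sensitive = true }
variable "entra_ops_group_id" {} # object ID of the Entra group (assumed)

resource "boundary_scope" "org" {
  name                     = "linprofs"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true # anonymous users may only list auth methods and authenticate
}

resource "boundary_scope" "project" {
  name                   = "aws-prod"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

# Authentication is delegated to Entra ID; Boundary stores no passwords.
resource "boundary_auth_method_oidc" "entra" {
  name                 = "entra-id"
  scope_id             = boundary_scope.org.id
  issuer               = "https://login.microsoftonline.com/${var.entra_tenant_id}/v2.0"
  client_id            = var.entra_client_id
  client_secret        = var.entra_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.com" # assumed controller address
  claims_scopes        = ["groups"]                     # the Entra app must emit group claims
  is_primary_for_scope = true
  state                = "active-public"
}

# Membership follows the "groups" claim in the ID token instead of hand-managed user lists.
resource "boundary_managed_group_oidc" "ops" {
  name           = "ops-engineers"
  auth_method_id = boundary_auth_method_oidc.entra.id
  filter         = "\"${var.entra_ops_group_id}\" in \"/token/groups\""
}

resource "boundary_host_catalog_static" "aws" {
  name     = "aws-prod"
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "app01" {
  name            = "app01"
  host_catalog_id = boundary_host_catalog_static.aws.id
  address         = "10.0.10.21" # private address (assumed); the worker reaches it, the user never does
}

resource "boundary_host_set_static" "app" {
  name            = "app-servers"
  host_catalog_id = boundary_host_catalog_static.aws.id
  host_ids        = [boundary_host_static.app01.id]
}

# Every session is proxied by a worker and is torn down after an hour at the latest.
resource "boundary_target" "app_ssh" {
  name                     = "app-ssh"
  type                     = "tcp"
  scope_id                 = boundary_scope.project.id
  default_port             = 22
  session_max_seconds      = 3600
  session_connection_limit = 1
  host_source_ids          = [boundary_host_set_static.app.id]
}

# Least privilege: list targets, and read/start sessions on this one target only.
resource "boundary_role" "ops_app_ssh" {
  name          = "ops-app-ssh"
  scope_id      = boundary_scope.project.id
  principal_ids = [boundary_managed_group_oidc.ops.id]
  grant_strings = [
    "ids=*;type=target;actions=list",
    "ids=${boundary_target.app_ssh.id};actions=read,authorize-session",
  ]
}
```

The point to check in a review of such a configuration is the role: if the grant strings contain `ids=*;actions=*` anywhere below the org scope, the group has become an administrator of that scope regardless of what Entra says about it. Group membership changes in Entra ID take effect on the next login, because the managed group filter is evaluated against the fresh ID token.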

Secrets Management with Vault

For securely storing, managing and distributing sensitive data such as tokens, passwords, certificates and API keys, we use HashiCorp Vault. Vault runs on multiple virtual machines within AWS in a high-availability configuration, so the failure of a single node does not interrupt service. Dynamic secrets engines mean that most credentials are generated on demand rather than stored, which keeps the amount of long-lived sensitive data in Vault small.

The entire installation and configuration of Vault is automated with Ansible. This includes generating TLS certificates, rolling out policies, enabling audit logging and integrating with identity providers such as Entra ID. Vault's dynamic secrets are issued on request with a lease: they expire automatically when the lease's TTL runs out and can be revoked earlier when no longer needed. Nobody has to rotate them by hand, and a leaked credential is useful only until its lease ends.
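As an added example (not LinProfs' own code), the Vault side of the Vault/Boundary integration described on this page, expressed with the HashiCorp Vault and Boundary Terraform providers: a file audit device, an SSH secrets engine acting as a certificate authority whose certificates live five minutes, a policy that lets Boundary's token do nothing except manage itself and request signatures, and a Boundary credential store and library that broker such a certificate for each session. The Vault address, the `ops` login user, the log path and the `boundary_scope.project` reference (assumed to be created elsewhere) are assumptions.

```hcl
# Added example, not the project's own code. Assumes the hashicorp/vault and
# hashicorp/boundary providers, Vault at the assumed address below and a
# Boundary project scope (boundary_scope.project) defined elsewhere.
terraform {
  required_providers {
    vault    = { source = "hashicorp/vault" }
    boundary = { source = "hashicorp/boundary" }
  }
}

# Every request and response is written to the audit log; the node agent ships it onward.
resource "vault_audit" "file" {
  type    = "file"
  options = { file_path = "/var/log/vault/audit.log" } # assumed path
}

# SSH secrets engine as a CA: servers trust only the CA public key (TrustedUserCAKeys),
# so no long-lived authorized_keys entries exist anywhere.
resource "vault_mount" "ssh" {
  path = "ssh"
  type = "ssh"
}

resource "vault_ssh_secret_backend_ca" "ca" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}

# Certificates signed through this role are valid for five minutes: long enough to open a
# session, too short to be worth stealing.
resource "vault_ssh_secret_backend_role" "boundary" {
  name                    = "boundary"
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users           = "ops"
  default_user            = "ops"
  ttl                     = "300"
  max_ttl                 = "300"
  allowed_extensions      = "permit-pty"
  default_extensions      = { permit-pty = "" }
}

# The policy for the token Boundary holds: token self-management, lease management
# and the one sign endpoint. It cannot read or write any stored secret.
resource "vault_policy" "boundary_controller" {
  name   = "boundary-controller"
  policy = <<-EOT
    path "auth/token/lookup-self" { capabilities = ["read"] }
    path "auth/token/renew-self"  { capabilities = ["update"] }
    path "auth/token/revoke-self" { capabilities = ["update"] }
    path "sys/leases/renew"       { capabilities = ["update"] }
    path "sys/leases/revoke"      { capabilities = ["update"] }
    path "sys/capabilities-self"  { capabilities = ["update"] }
    path "ssh/sign/boundary"      { capabilities = ["create", "update"] }
  EOT
}

# Periodic and orphan, so the token outlives the operator who ran the apply and renews
# itself; it remains bounded by the policy above. Note that it lands in Terraform state,
# which must therefore be stored encrypted with restricted access.
resource "vault_token" "boundary" {
  policies  = [vault_policy.boundary_controller.name]
  no_parent = true
  period    = "24h"
  renewable = true
}

resource "boundary_credential_store_vault" "prod" {
  name     = "vault-prod"
  scope_id = boundary_scope.project.id
  address  = "https://vault.example.com:8200" # assumed
  token    = vault_token.boundary.client_token
}

# For each session Boundary asks Vault to sign a fresh key; the user never holds a
# standing credential and the certificate expires with the role's TTL.
resource "boundary_credential_library_vault_ssh_certificate" "app" {
  name                = "app-ssh-cert"
  credential_store_id = boundary_credential_store_vault.prod.id
  path                = "ssh/sign/boundary"
  username            = "ops"
  key_type            = "ed25519"
  ttl                 = "5m"
  extensions          = { permit-pty = "" }
}
```

The library is attached to a target through its `brokered_credential_source_ids`, after which `boundary connect ssh` receives the short-lived certificate together with the session; injecting the credential into the session so that the client never sees it at all requires Boundary Enterprise or HCP Boundary. Because the audit device is enabled before any secrets engine is used, the signing requests themselves are in the audit log from the first session onwards.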

Full Infrastructure-as-Code (IaC)

To make the entire environment scalable, repeatable and auditable, everything is set up with Terraform: VPCs, subnets, load balancers, security groups, IAM roles and more. Terraform ensures that every environment, whether test, staging or production, is deployed identically from the same code. This prevents configuration drift and manual errors, and speeds up day-to-day management.

Ansible directly complements this by taking care of the configuration and installation of the software. The integration of Vault and Boundary also happens through these automated processes. This makes it possible to bring a complete, secure environment live within minutes.
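As an added example (not LinProfs' own Terraform) of the security-relevant part of that network code: the security groups that make "access without network access" true at the AWS level. The weak variant is the classic bastion-style rule that exposes sshd to the internet; the hardened variant allows SSH only from the Boundary worker's security group, so a user cannot reach the host at all except through an authorised Boundary session. The VPC ID, names and the worker proxy port being exposed to `0.0.0.0/0` are assumptions.

```hcl
# Added example, not the project's own code. Assumes the hashicorp/aws provider and
# a VPC created elsewhere (passed in as var.vpc_id).
variable "vpc_id" {}

# Boundary worker: clients connect only to the session proxy port. Narrow the CIDR to
# corporate ranges if every user sits behind them.
resource "aws_security_group" "boundary_worker" {
  name        = "boundary-worker"
  description = "Boundary worker session proxy"
  vpc_id      = var.vpc_id

  ingress {
    description = "Boundary session proxy from clients"
    from_port   = 9202
    to_port     = 9202
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# WEAK (shown for contrast, do not deploy): anyone on the internet can reach sshd, so
# access control collapses to "is sshd configured correctly today".
resource "aws_security_group" "app_servers_weak" {
  name   = "app-servers-weak"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# HARDENED: sshd accepts connections only from the worker security group. Users have no
# route to the host; every connection has already passed Boundary's authorization.
resource "aws_security_group" "app_servers" {
  name        = "app-servers"
  description = "Reachable only through Boundary workers"
  vpc_id      = var.vpc_id

  ingress {
    description     = "SSH from Boundary workers only"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.boundary_worker.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Referencing the worker's security group rather than its IP addresses is what keeps the rule correct when workers are replaced or scaled out by Terraform; a rule written against a CIDR would silently widen or break with every change. A `terraform plan` that shows a `cidr_blocks = ["0.0.0.0/0"]` ingress on port 22 anywhere is the thing a reviewer should block.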

Logging, Auditing and Compliance

Security is not only about access control but also about visibility and the ability to reconstruct what happened afterwards. Therefore Vault's audit log and Boundary's session events are forwarded to Amazon CloudWatch. Security teams can see who had access, when, to which targets, which secrets were requested, and can alert on abnormal behaviour such as bursts of denied requests.

Additionally, the solution is prepared for compliance requirements. Policies in Vault ensure that users can only see and do what is necessary for their role and nothing more. Sensitive logs are stored encrypted and can be exported on request for audits or reports.
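As an added example (not LinProfs' own code) of what "abnormal behaviour" can look like once the Vault audit log is in CloudWatch: two metric filters over the JSON audit entries, one counting responses that Vault refused with "permission denied" (a burst from one client is enumeration or a broken deployment) and one counting any request made with the root token (which should only ever appear during a break-glass procedure), each feeding an alarm. The log group name, the 400-day retention, the thresholds and the `var.alerts_topic_arn` SNS topic are assumptions; it assumes the audit log is shipped line by line as JSON, which is the format Vault's file audit device writes.

```hcl
# Added example, not the project's own code. Assumes the hashicorp/aws provider, that
# Vault's audit log is shipped as JSON lines into the log group below, and an existing
# SNS topic for alerts.
variable "alerts_topic_arn" {}

resource "aws_cloudwatch_log_group" "vault_audit" {
  name              = "/vault/audit" # assumed
  retention_in_days = 400
  # kms_key_id = aws_kms_key.logs.arn  # customer-managed key for sensitive logs (not defined here)
}

# Each "permission denied" response is a policy saying no. Vault places the error text in
# the top-level "error" field of the response entry.
resource "aws_cloudwatch_log_metric_filter" "vault_denied" {
  name           = "vault-permission-denied"
  log_group_name = aws_cloudwatch_log_group.vault_audit.name
  pattern        = "{ $.type = \"response\" && $.error = \"*permission denied*\" }"

  metric_transformation {
    name          = "PermissionDenied"
    namespace     = "Vault/Audit"
    value         = "1"
    default_value = "0"
  }
}

# The root token carries exactly one policy, "root", so matching the first element of
# auth.policies catches every request made with it.
resource "aws_cloudwatch_log_metric_filter" "vault_root" {
  name           = "vault-root-token-use"
  log_group_name = aws_cloudwatch_log_group.vault_audit.name
  pattern        = "{ $.type = \"request\" && $.auth.policies[0] = \"root\" }"

  metric_transformation {
    name          = "RootTokenRequests"
    namespace     = "Vault/Audit"
    value         = "1"
    default_value = "0"
  }
}

# More than 20 denials in five minutes is well above the noise of the occasional typo.
resource "aws_cloudwatch_metric_alarm" "vault_denied_burst" {
  alarm_name          = "vault-permission-denied-burst"
  namespace           = "Vault/Audit"
  metric_name         = "PermissionDenied"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 20
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.alerts_topic_arn]
}

# A single root token request is worth a page.
resource "aws_cloudwatch_metric_alarm" "vault_root_any" {
  alarm_name          = "vault-root-token-used"
  namespace           = "Vault/Audit"
  metric_name         = "RootTokenRequests"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.alerts_topic_arn]
}
```

Vault's audit device hashes secret values and token accessors before writing them, so the log group holds who asked for what and whether they got it, not the secrets themselves; the entity ID and display name in the `auth` block are what an analyst joins back to an Entra ID user. The same filter-and-alarm pattern applies to Boundary's event stream once it is shipped into its own log group.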

Future-Proof

What makes this setup especially strong is that expansion, backup and disaster recovery were considered from the outset. A backup solution based on AWS S3 is being worked on, and the environment can be extended with other HashiCorp tools such as Consul. Because critical components are redundant and spread over multiple availability zones, access continues when an availability zone or several servers fail; a full-region outage is not covered by multi-AZ placement alone, which is why the backup work matters.

This solution demonstrates how modern security technologies can be applied in practice to keep complex infrastructures manageable and secure. By combining Vault, Boundary, Terraform, Ansible and identity federation via Entra ID, a powerful combination of secure access, secrets management and scalable automation is created.

Conclusion

At LinProfs, we believe that modern infrastructure must not only be secure but also easy to manage and flexible to deploy. This case shows that this is achievable without compromising on user-friendliness or scalability. If you have questions or would like to discuss how your organization can organize access and security more intelligently, feel free to contact us. We would be happy to help.

