A Position for Automated Credential Deployments | by Teri Radichel | Cloud Safety | Aug, 2022

August 5, 2022

1

ACM.20 Implementation of an AWS IAM function to deploy batch job credentials

It is a continuation of my sequence on Automating Cybersecurity Metrics.

Caveat. The code in these posts might change as I proceed via this sequence. Observe via to the top if you need the top outcome. The GitHub repo might not match the display photographs consequently.

On this put up I’m going to create a task that may encrypt our batch job credentials utilizing our KMS key and retailer the the credentials in AWS Secrets and techniques Supervisor as I wrote about within the prior put up.

We’d like a task that may encrypt, and a task that may decrypt. We’re additionally going to take a look at proscribing these roles to decrypting the key when utilizing AWS Secrets and techniques Supervisor. We’ll begin with the encryption function.

A batch job function for automated deployments

We’d like a task that may encrypt secrets and techniques and retailer them in secrets and techniques supervisor. As mentioned this function could possibly be utilized by our deployment system. There are numerous methods to create a deployment system. We may even create a batch job to hold out this deployment.

Let’s say that sooner or later we’re going to make use of a batch job for deployments, so we’ll add a listing for our batch job in our jobs listing and add the deployment of the function in that listing. We’ll have to check out this principle of utilizing AWS Batch for deployments, after all, however for now we’ll add a listing for our batch job within the jobs listing:

jobs/DeployBatchJobCredentials

Create a cfn folder inside that for our batch job function coverage CloudFormation template as I’ve been doing all through this sequence:

jobs/DeployBatchJobCredentials/cfn

Create a deploy.sh file insider of our batch job folder to deploy the sources related to our batch job and be sure you have execute permissions on the file.

jobs/DeployBatchJobCredentials/deploy.sh

You’ll should put one thing within the deploy file so put a shebang inside it simply so we will reserve it for the second.

#!/bin/sh

Now we have to add a Coverage for our function within the cfn folder. We wish a constant naming conference for batch job roles so we will use the identical code to deploy the function for every batch job. So let’s title our CloudFormation coverage for our new template as follows:

jobs/DeployBatchJobCredentials/cfn/policy_batch_job.yaml

We’re going to wish so as to add a coverage doc on this file that may apply to our batch job. We’ll use the generic function deployment script we created in an earlier put up to deploy this function.

Associating a task with our batch job coverage

Word that we’ve a number of methods of attaching a task to our batch job coverage.

Create the function and move the coverage in as a parameter. Then create the function and reference the output of our coverage template.
Alternatively, as proven within the documentation under for an IAM coverage you possibly can reference the function on the time you create the coverage.

Which methodology is finest? That depends upon who you wish to enable to make what adjustments partly. If you wish to solely enable one crew to create the roles, you would have that crew execute the function template and output the function within the function CloudFormation script. Then the crew creating the coverage would reference that function however not be capable to add new roles or change current roles, together with the related AssumeRoleDocument. That manner you would guarantee solely the suitable individuals (or automation) can assume these roles by creating the AssumeRolePolicyDocument within the Position template, however you would enable builders to alter the insurance policies related to batch jobs.

You continue to have the problem of somebody leveraging a batch job to do one thing they aren’t in any other case allowed to do if they’ll create a batch job coverage and execute it. Nevertheless, you should use permission boundaries and different organizational restrictions to restrict what individuals can put into their batch job insurance policies and who can execute them.

We’ll go together with the method of making the function first. Then the coverage will reference the output of the function template to assign a coverage to the function. For my functions I don’t want all of the restrictions I simply wrote about by way of who can create roles and insurance policies, so I’m going to run the CloudFormation scripts to create the function and the coverage in my deploy script related to the batch job. I’ve the choice to alter it later if my firm turns right into a multi-national safety firm that wants such stringent restrictions. 🙂

CloudFormation template function references — Title or ARN

Some CloudFormation sources would require you to move in a full ARN to a template, whereas others would require solely the title of a useful resource. Seek the advice of the documentation to find out which you want.

With a view to create the coverage we’d like the function output, so we might want to add that to the function CloudFormation template we created earlier. First we have to perceive if we have to receive the total ARN of the function or solely the function title for our coverage template. It seems that we solely want the function title in response to the documentation for IAM coverage:

Though the doc signifies it wants a task title right here, I’m a bit skeptical that we wouldn’t discover out we have to move in an ARN on additional testing, however that’s what it says. The examples on the backside of the web page use a !Ref to an imaginary function which isn’t created wherever within the instance. That’s not actual useful.

Let’s check out a KMS key coverage. Have a look at the KMS Key documentation.

Scroll all the way down to the part on the important thing coverage. That part isn’t precisely clear however for those who scroll down and have a look at the samples on the backside of the web page, the instance exhibits {that a} KMS key coverage makes use of a full consumer ARN so that’s what we’ll want to produce to our KMS coverage template, moderately than a reputation.

You’ll additionally discover an instance utilizing a task on this web page:

We’re going to wish to get a deal with to the ARN for our function in some way.

Position Names, ARNs and Outputs utilizing GetAtt or Ref

For those who recall an earlier template we created, batchjobadmins.yaml, our PolicyDocument required a full ARN, which we constructed utilizing the title of a task and different info obtainable to us within the CloudFormation template and with the Sub perform.

We may have alternatively added the total ARN of the Batch Job function within the outputs as a substitute of solely the title. Then we might not have wanted to piece collectively that function we may have simply referenced the output of the opposite template. Nevertheless, by piecing collectively the function as proven above I’m making certain that solely a task within the present AWS account is added to the coverage.

What if we wished to move the total ARN within the output of a CloudFormation template? We will use the GetAtt perform to get details about a useful resource deployed by CloudFormation.

How do we all know what values we will retrieve utilizing the GetAtt perform for a specific useful resource? The above documentation sends us right here:

For those who click on on IAM after which Position you find yourself again on the CloudFormation documentation for an IAM Position:

Scroll down and it tells you need Ref returns and what values you possibly can receive utilizing GetAttr. The Ref (reference) pointer for an IAM function returns the title. Utilizing GetAttr we will get the entire Arn or the function ID.

Since we all know we’d like an ARN and we would want a Title we’ll output each in our function templates.

Add outputs to our batch job function creation template

Edit the batch job function we created earlier and use Ref to output the title of the function it creates. Add the ARN as an output as effectively. As well as, since we’re utilizing these outputs for a number of stacks created from the identical template, we’ll must make every output distinctive by together with the job title within the output title.

Word that “Arn” is case delicate. Additionally, be sure you don’t give totally different outputs the identical title or reference or the second output may overwrite the primary output. Not that I’ve ever accomplished that and spent far too lengthy attempting to determine what my outputs weren’t working!

Deploy Our Position

Right here’s the place we run right into a little bit of a catch 22.

We will’t create our KMS coverage with zero-trust permissions till we’ve our roles that we wish to give encrypt and decrypt permissions.
We will’t assign particular keys to the function’s IAM coverage as defined on this documentation till we create the important thing.

To beat this dilemma, we will deploy our sources on this order:

Create the function.
Create the KMS coverage.
Add the KMS permissions to the IAM function.

With a view to create the KMS coverage, we’ll additionally must create the function that’s allowed to decrypt the credentials and use them. So for now, on this weblog put up, we’re merely going to deploy the function and we’ll add the coverage that enables the function to decrypt utilizing KMS in a future put up.

We have already got a deploy script that deploys the function within the batch_job_role folder:

batch_job_role/deploy.sh

As you recall we wrote that script in such a manner that it takes a batch job title as a parameter. That turns out to be useful proper about now. I can re-use that code to deploy the function for this batch job.

Strive including this command to your batch job script:

../../batch_job_role/deploy.sh 'DeployBatchJobCredentials'

The issue we’ve now could be that the deployment script we’re referencing is searching for our CloudFormation template relative to the listing have been we’re executing this present script. Bummer.

There are a number of methods we will clear up this. We may use an atmosphere variable to outline the trail however I don’t actually like that concept as a result of these variables are too simply manipulated. Private choice. I additionally don’t wish to break what I wrote in prior weblog posts. As a substitute of referencing the trail to the script this manner we’ll navigate to that listing, execute the script and navigate again. In the long run this code might all look totally different however that works simply for now. Let’s do that:

jobname='DeployBatchJobCredentials'cd ../../batch_job_role/
./deploy.sh $jobname
cd ../jobs/$jobname

Word: This will get revised in an upcoming weblog put up.

Ah, sure, that works higher. Execute the script and examine to verify the function is created correctly and comprises the required output.

Right here’s our function:

Right here’s our function title within the output of our CloudFormation Template:

Lovely. We deployed that with a minimal quantity of code and we will reuse this for each batch job we create that wants a brand new function.

You will discover the code within the GitHub repo and particularly within the listing linked under, with some revisions defined in upcoming weblog posts.

https://github.com/tradichel/SecurityMetricsAutomation/tree/essential/jobs/DeployBatchJobCredentials

Observe me for updates.

Teri Radichel

For those who appreciated this story please clap and comply with:

Medium: Teri Radichel or E mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests providers by way of LinkedIn: Teri Radichel or IANS Analysis