86. Designing an structure that requires a three-party collusion to entry secrets and techniques in Secrets and techniques Supervisor
This can be a continuation of my collection of posts on Automating Cybersecurity Metrics.
Within the final publish we created an AppSec function.
I began refactoring the code to arrange customers with their very own secrets and techniques. Right here’s the place I hit a little bit of a snag.
Let’s say an IAM administrator needs to create a brand new consumer with an SSH key saved in a user-specific secret.
- We are able to’t create the SSH key till we have now a secret to place it in if another person is creating the key.
- The crew liable for managing the secrets and techniques useful resource coverage wants the consumer title earlier than they’ll create the user-specific secret.
- The KMS consumer, function and group needs to be created earlier than they’ll deploy a KMS key.
- The Secrets and techniques Administration consumer, group and function (what I’m calling AppSec right here) needs to be created earlier than they’ll create a secret.
- The KMS key wants and consumer must be created earlier than the key might be created with an applicable coverage.
- We don’t need to put a price within the secret till it has a coverage (an issue with our prior scripts).
The present deploy script has the creation of customers multi function script. We both must separate out KMS customers from the deploy.sh script or separate out the creation of SSH keys into its personal script, run after all of the customers and KMS script is created, and after the key is deployed the place we are able to retailer the SSH key. The later appears simpler to handle.
Separate deploy script for SSH Keys
In my IAM listing, I’m going to create a separate deploy_ssh_keys.sh script and I’m instantly going to name the create_ssh_key perform instantly from that script for the Developer consumer.
I’m going to take away the y/n parameter that I didn’t actually like within the first place from the consumer creation code in my main deploy.sh script. So this:
Turns into this:
We’ll take away the logic from consumer creation to optionally create the SSH key:
At this level I gave my consumer deploy.sh script a fast take a look at to ensure I didn’t have any typos (and I did so I fastened it).
I additionally take a look at my ssh key creation script to makes positive I’m beginning with known-good code and it really works.
Create an AppSec subfolder and secrets and techniques administration code
Subsequent we have to create the AppSec listing in our code base matching the opposite subfolder hierarchies. We’ll create our customary deploy.sh file and an appsec_functions.sh file similar to in different earlier posts for reusable capabilities.
We are able to add a create_secret() perform to create a brand new secret in secrets and techniques supervisor. Since a secret should have a price by default we’ll set a temp worth that may be overridden when a secret worth is added. As famous we don’t need to go in delicate values to CloudFormation parameters anyway as they’d be seen within the AWS console.
We are going to pull over the CloudFormation templates from the IAM listing to create the key and the key coverage into the cfn folder within the AppSec listing so the paths within the above code are pointing to the proper recordsdata.
I deleted all of the secrets and techniques associated stacks to make sure my code wouldn’t merely skip a deployment as a result of the template hasn’t modified. I additionally don’t need a stack to get created with a brand new title and depart an outdated stack hanging round in some way.
Be sure you have arrange a CLI profile named “AppSec” utilizing the AppSec function and consumer credentials described within the final publish.
It’s at this level that I noticed I forgot so as to add permission to make use of CloudFormation to the AppSec function within the final publish so I added and deployed that change.
Ah, sure, and right here is the place we get tripped up as soon as once more.
Keep in mind how we have been making an attempt to make sure that the person who creates the key coverage doesn’t have entry to delete the key? Nicely, we are able to’t create a secret with out a worth, so we have now to encrypt the worth so as to add the key.
Appears as if our plans haven been foiled. Till AWS lets us create a secret and a coverage we can not do what we wished to do with this secret and coverage to create segregation of duties and non-repudiation.
Let’s say we create a secret unencrypted. Then we wouldn’t want the KMS key proper? Then may we replace the important thing so as to add the KMS ID later? However who would implement and make sure that the key was up to date with a KMS ID? It’s all getting very messy at this level.
One of the best resolution can be for AWS to permit creation of a secret with a KMS key ID however not requirement so as to add or encrypt a price.The opposite a part of this resolution is for AWS to repair KMS key insurance policies and IAM Permissions so a consumer might be offered permissions to EITHER encrypt or decrypt however not each.
Nicely, that was enjoyable. We simply spent numerous time for nothing as we haven’t actually achieved our goal of non-repudiation proper? The AppSec consumer wants permission to encrypt and decrypt the worth and so they want permission to replace the key coverage. So what’s stopping them from updating the coverage to allow them to get the worth and decrypt it?
Keep in mind that we denied the “get-secret-value” permission within the AppSec IAM coverage. The AppSec consumer is aware of the preliminary worth they set (a dummy worth) however can not get the next up to date worth as a consequence of IAM restrictions.
So a extra correct diagram of our segregation of duties from our earlier publish would look extra like this to be correct if we think about who has permission to vary a coverage to present themselves entry to the encrypted secret, with the builders being granted entry by three totally different directors for them to get entry to their very own credentials (ssh key):
In different phrases, it will take a three-party collusion for somebody to get entry to a secret they shouldn’t entry if we guarantee IAM directors can’t give themselves permissions they need to not have. As talked about earlier than there’s all the time a set of tremendous admin credentials that may change all of this that ought to be used for preliminary setup after which locked away.
So let’s go forward and provides our AppSec consumer the permission to encrypt and decrypt the identical manner we did for our IAM consumer in each the KMS coverage and their IAM function coverage.
Updating the function coverage is easy. Copy the permissions from the IAM Admin Function:
Redeploy the roles to replace the coverage.
Passing in a number of ARNs to encrypt and decrypt with our KMS key
However wait — how can we add two ARNs to permit encryption and decryption? We are able to go in an inventory of ARNs into the important thing coverage for the IAM and AppSec roles the identical manner we handed in an inventory of customers within the Developer group.
Appears like we already are accepting a comma separated checklist as a parameter:
Get our stack title and output title to make use of with our widespread perform to get the output worth from a CloudFormation stack:
Get the ARN for the AppSec function, create a comma-separated checklist, and go that in to create our key coverage.
Redeploy the keys to replace the DeveloperResources key coverage.
Nicely, chances are you’ll or might not have observed however I misspelled encryptarn2 above so I needed to repair that. The code in GitHub ought to work. 🙂
Test the important thing coverage to be sure that the ARN for each roles has the required permissions.
Now we are able to attempt to deploy the key once more as a result of our AppSec consumer ought to have entry to deploy the key.
Success.
IAM Admin updates the key with the SSH key
Now that the key exists, return to our ssh key creation script and run it from the IAM listing.
./deploy_ssh_keys.sh
I needed to repair a couple of typos:
Success:
Now take a look at that the developer can nonetheless get their secret worth (see prior posts):
aws secretsmanager get-secret-value --secret-id Developer --profile developeruser
Once more — success.
A number of remaining points
There are a couple of remaining points to think about with our code above. Have you learnt what they’re? What if our key creation fails in the course of a deployment? A brand new SSH key may be created by the key nonetheless has the outdated SSH key in it. The important thing within the secret may be created however the consumer coverage fails to replace and factors to no secret or an incorrect secret if one was deleted and up to date.
This will likely or might not create a safety drawback as a result of for probably the most half, pointing to one thing that acquired deleted and the truth that you can not create a particular secret with a reputation you management means somebody can not directly level somebody to the unsuitable secret. There could also be some difficult method to do it if there’s an current helpful secret sooner or later however I’m not going to factor by way of that additional proper now. In my case the chance appears extraordinarily low.
However extra hermetic code would make sure that if a set of operations which might be supposed to finish collectively fails, that the unfinished operations are rolled again or another operation happens to get rid of probably invalid pointers in insurance policies. For instance, if something fails you could possibly delete the key, secret coverage, and consumer coverage. We gained’t take these steps right here however think about the risk mannequin in your personal setting and if need to take these extra steps.
I really plan to fully change deployments sooner or later if my plan works. I’m going to ditch all of the bash for probably the most half and use the CloudFormation templates, so I’m not going to handle this proper now. Bash is just not a really perfect programming language in any sense so that is all proof of idea code for the time being.
Now I need to use this key for an EC2 occasion…keep tuned…
Teri Radichel
For those who preferred this story please clap and comply with:
Medium: Teri Radichel or E-mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests providers by way of LinkedIn: Teri Radichel or IANS Analysis
© 2nd Sight Lab 2022
All of the posts on this collection:
____________________________________________
Writer:
Cybersecurity for Executives within the Age of Cloud on Amazon
Want Cloud Safety Coaching? 2nd Sight Lab Cloud Safety Coaching
Is your cloud safe? Rent 2nd Sight Lab for a penetration take a look at or safety evaluation.
Have a Cybersecurity or Cloud Safety Query? Ask Teri Radichel by scheduling a name with IANS Analysis.
Cybersecurity & Cloud Safety Assets by Teri Radichel: Cybersecurity and Cloud safety lessons, articles, white papers, shows, and podcasts
