Securely upload secrets to Secrets Manager/Parameter Store
I made a mistake in the way I was uploading secrets to Secrets Manager. Using CloudFormation, I had been passing the secret into the template as a plaintext parameter. The secret itself is never exposed in the CloudFormation YAML file. However, the secret is exposed as a parameter in CloudFormation, so being able to read/describe the stack is enough to obtain the secret.
Did some digging and found this. They suggest creating the Parameter Store / Secrets Manager resource with CDK or CloudFormation and then uploading the secret with the SDK/CLI.
Regarding my question: do the SDK and CLI themselves leave a trace? Meaning, have I just moved the problem, from exposing the secret in CloudFormation to exposing it in CloudTrail or any other monitoring in AWS?
How do I securely upload my own secrets in combination with IaC without manually using the AWS console? Is there a way to turn off logging for certain SDK/CLI calls?
There are different options depending on your use case:
- If you are setting up new resources and need to create a new secret, you can let Secrets Manager generate the secret for you. See the CloudFormation documentation for the Secret resource.
- If you want to store an existing secret, the option with a separate API call is a good suggestion. In principle the only place it could be logged is CloudTrail, which records every API call, but I have confirmed that the secret value is not stored in the PutSecretValue event record.
A CreateSecret event from CloudTrail:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA2BFBC5RB4SDFSDQDI",
    "arn": "arn:aws:iam::123456789123:user/myself",
    "accountId": "123456789123",
    "accessKeyId": "ASIA2BFSDFSD5RBR4L2JB7T",
    "userName": "myself",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "true",
        "creationDate": "2021-07-05T11:38:38Z"
      }
    }
  },
  "eventTime": "2021-07-05T11:39:46Z",
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "CreateSecret",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "95.48.10.191",
  "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.109-57.183.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.292-b10 java/1.8.0_292 vendor/Oracle_Corporation cfg/retry-mode/legacy",
  "requestParameters": {
    "name": "/demo",
    "clientRequestToken": "5c59462b-d05c-4cfa-a224-a8d60f3edeff"
  },
  "responseElements": null,
  "requestID": "6e61267a-ed8a-4383-8729-c33b8c217990",
  "eventID": "23facc03-032c-4b24-bc36-d8f4e330445e",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "123456789123",
  "sessionCredentialFromConsole": "true"
}
A PutSecretValue event in CloudTrail:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA2BFSASB4SXNVRQDI",
    "arn": "arn:aws:iam::123456789123:user/myself",
    "accountId": "123456789123",
    "accessKeyId": "ASIA2BFBSAWR4L2JB7T",
    "userName": "myself",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "true",
        "creationDate": "2021-07-05T11:38:38Z"
      }
    }
  },
  "eventTime": "2021-07-05T11:40:09Z",
  "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "PutSecretValue",
  "awsRegion": "eu-central-1",
  "sourceIPAddress": "11.11.190.191",
  "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.109-57.183.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.292-b10 java/1.8.0_292 vendor/Oracle_Corporation cfg/retry-mode/legacy",
  "requestParameters": {
    "clientRequestToken": "61297703-b519-4e9e-8984-aacd40db826b",
    "secretId": "/demo"
  },
  "responseElements": null,
  "requestID": "97693f1b-f586-4641-af4c-b46d66fd27c1",
  "eventID": "192f8959-3c51-40f5-8ca6-88f9075dc2a3",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "123456789123",
  "sessionCredentialFromConsole": "true"
}
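The two records above show what CloudTrail actually keeps for a Secrets Manager write: who called, from where, when, and the secret's name or ID, but no SecretString or SecretBinary. The check below, added here as an example and not code from the question or the answer, turns that observation into a repeatable audit: it walks a CloudTrail log file and flags any Secrets Manager event whose requestParameters contain secret material, and any CloudFormation CreateStack/UpdateStack call that passes a credential-looking parameter value (the original mistake; such a value is readable via DescribeStacks unless the parameter is declared NoEcho). The first two sample records are trimmed copies of the events shown above; the third is constructed, and the CreateStack record shape (requestParameters.parameters as a list of parameterKey/parameterValue pairs) is an assumption, as are the regex and the event ID.

```python
"""Audit CloudTrail records for secret material in requestParameters.

Added example, not code from the original question or answer. Sample records
are trimmed copies of the CreateSecret/PutSecretValue events above plus one
constructed CloudFormation CreateStack record reproducing the asker's mistake.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Secrets Manager request fields that carry the actual secret. If either ever
# appeared in a CloudTrail record, the trail itself would be leaking secrets.
SECRET_FIELDS = {"secretstring", "secretbinary"}

# Heuristic (constructed) for CloudFormation parameter names that look like credentials.
SUSPICIOUS_PARAM_NAME = re.compile(r"password|secret|token|api[_-]?key", re.I)

# Constructed sample trail in the CloudTrail log-file shape {"Records": [...]}.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "23facc03-032c-4b24-bc36-d8f4e330445e",
     "eventSource": "secretsmanager.amazonaws.com", "eventName": "CreateSecret",
     "userIdentity": {"arn": "arn:aws:iam::123456789123:user/myself"},
     "requestParameters": {"name": "/demo",
                           "clientRequestToken": "5c59462b-d05c-4cfa-a224-a8d60f3edeff"},
     "responseElements": None},
    {"eventID": "192f8959-3c51-40f5-8ca6-88f9075dc2a3",
     "eventSource": "secretsmanager.amazonaws.com", "eventName": "PutSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789123:user/myself"},
     "requestParameters": {"secretId": "/demo",
                           "clientRequestToken": "61297703-b519-4e9e-8984-aacd40db826b"},
     "responseElements": None},
    # Constructed: the anti-pattern from the question. The record shape for
    # CreateStack (parameters as key/value pairs) is assumed, not taken from the page.
    {"eventID": "00000000-0000-4000-8000-000000000001",
     "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789123:user/myself"},
     "requestParameters": {"stackName": "demo",
                           "parameters": [{"parameterKey": "DbPassword",
                                           "parameterValue": "hunter2"}]},
     "responseElements": None},
]})


def load_records(text: str) -> list[dict[str, Any]]:
    """Accept a CloudTrail log file ({"Records": [...]}) or a single event document."""
    data = json.loads(text)
    if isinstance(data, dict) and "Records" in data:
        return list(data["Records"])
    return [data]


def findings_for_event(event: dict[str, Any]) -> list[str]:
    """Return findings for one record; an empty list means nothing sensitive was logged."""
    findings: list[str] = []
    params = event.get("requestParameters") or {}
    source = event.get("eventSource", "")
    name = event.get("eventName", "")

    if source == "secretsmanager.amazonaws.com":
        leaked = sorted(k for k in params if k.lower() in SECRET_FIELDS)
        if leaked:
            findings.append(f"{name}: secret material logged in requestParameters ({', '.join(leaked)})")

    if source == "cloudformation.amazonaws.com" and name in ("CreateStack", "UpdateStack"):
        for p in params.get("parameters", []):
            key = p.get("parameterKey", "")
            if SUSPICIOUS_PARAM_NAME.search(key) and p.get("parameterValue"):
                findings.append(f"{name}: parameter {key!r} carries a value through the stack call; "
                                "it is readable via DescribeStacks unless the parameter is NoEcho")
    return findings


def audit_trail(records: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map eventID -> findings for every record that has at least one."""
    result: dict[str, list[str]] = {}
    for record in records:
        found = findings_for_event(record)
        if found:
            result[record["eventID"]] = found
    return result


if __name__ == "__main__":
    for event_id, notes in audit_trail(load_records(SAMPLE_TRAIL)).items():
        print(event_id)
        for note in notes:
            print("  -", note)
```

Run against the constructed sample, only the CreateStack record is flagged; both Secrets Manager writes come back clean, matching what the raw events above show. One caveat CloudTrail cannot help with: if the value is passed on the command line (aws secretsmanager put-secret-value --secret-string 'hunter2'), it can still land in shell history or CI job logs, so read it from a file (--secret-string file://secret.txt) or from stdin and keep the CLI invocation itself free of the value.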