
AWS EC2 KeyPair creation with CloudFormation does not allow encryption of EC2 Key Pairs with a Customer Managed KMS Key

Keys are created in SSM Parameter Store and encrypted with the default AWS key, which anyone with permission to SSM can use to decrypt the data


I just wrote about this in a more detailed explanation of using CloudFormation to deploy an SSH key here: https://readmedium.com/aws-ec2-keypair-creation-with-cloudformation-does-not-have-a-decent-way-to-restrict-a-user-to-acb7b5995370 (AWS EC2 KeyPair creation with CloudFormation does not have a decent way to restrict a user to…)

This solution pushes the SSH private key to SSM Parameter Store, encrypted with the default AWS encryption key. There is no option to specify a KMS key. Therefore anyone with read access to SSM Parameter Store can view the keys CloudFormation creates.

Even with the option to encrypt with a KMS CMK, the SSM Parameter Store solution is challenging from a policy perspective.

I imagine the team selected this solution since it won’t cost customers too much, but it’s not an ideal solution. It’s like letting anyone with read-only access to view user profiles in the account read everyone else’s password.

A better solution would be to let the customer specify a Secret in Secrets Manager where they wish to store the key at the time of creation, and allow the customer to configure the secret at that time. The customer could also specify a Parameter encrypted with a customer managed key that limits access to a particular user, but that key also has an administrator, and the key solution seems like it would be more expensive. Alternatively, let the customer specify a KMS key and change Parameter Store to allow creation of resource policies (not the policies currently applied to SSM Parameters, which do not serve the same purpose).
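To find the parameters this post is about in your own account, here is an added audit example (not code from the original post or from AWS): it classifies EC2 key-pair parameters by the KMS key that protects them. It assumes the /ec2/keypair/{key_pair_id} parameter name AWS documents for AWS::EC2::KeyPair and the alias/aws/ssm KeyId that SSM reports for the default key; the sample parameter list is constructed.

```python
"""Audit SSM Parameter Store for EC2 key-pair private keys that rely on
the default AWS-managed SSM key instead of a customer managed KMS key."""
from dataclasses import dataclass

# Assumption: AWS::EC2::KeyPair stores the private key under this path
# (AWS documents /ec2/keypair/{key_pair_id}).
KEYPAIR_PATH = "/ec2/keypair"
# KeyId SSM reports for SecureStrings encrypted with the AWS-managed key.
DEFAULT_SSM_KEY = "alias/aws/ssm"


@dataclass(frozen=True)
class Finding:
    name: str
    key_id: str
    severity: str
    reason: str


def audit_parameters(parameters):
    """Classify ParameterMetadata dicts (the shape returned by
    ssm.describe_parameters) and return one Finding per key-pair parameter."""
    findings = []
    for p in parameters:
        name = p.get("Name", "")
        if not name.startswith(KEYPAIR_PATH + "/"):
            continue  # not a key-pair parameter, ignore
        key_id = p.get("KeyId", "")
        if p.get("Type") != "SecureString":
            findings.append(Finding(name, key_id, "HIGH",
                "private key stored as a plaintext parameter"))
        elif key_id in ("", DEFAULT_SSM_KEY):
            findings.append(Finding(name, key_id, "MEDIUM",
                "AWS-managed key: any principal with ssm:GetParameter on this name can read it"))
        else:
            findings.append(Finding(name, key_id, "INFO",
                "customer managed key: reads are also gated by kms:Decrypt on that key"))
    return findings


def fetch_parameters(ssm_client):
    """Optional live collection with a boto3 SSM client (not run offline)."""
    params = []
    pages = ssm_client.get_paginator("describe_parameters").paginate(
        ParameterFilters=[{"Key": "Path", "Option": "Recursive", "Values": [KEYPAIR_PATH]}])
    for page in pages:
        params.extend(page["Parameters"])
    return params


# Constructed sample shaped like describe_parameters()["Parameters"].
SAMPLE_PARAMETERS = [
    {"Name": "/ec2/keypair/key-0123456789abcdef0", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/ec2/keypair/key-0fedcba9876543210", "Type": "SecureString",
     "KeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"Name": "/app/db-host", "Type": "String"},
]

if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_PARAMETERS):
        print(f"{f.severity:6} {f.name} [{f.key_id or 'n/a'}]: {f.reason}")
```

Replace SAMPLE_PARAMETERS with fetch_parameters(boto3.client("ssm")) to run it against a real account; the MEDIUM findings are the parameters whose only access control is the ssm:GetParameter permission on a randomly named path.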

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
