En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Windows Username/Password Injection into CloudFormation

0

A customer built Active Directory on the AWS and wants to use CloudFormation template to spin up Windows machines. When launching an EC2 machine, it should run a PowerShell script to join to the AD Domain. But the script should know the username and password of the AD admin account which has the 'AD Join' permission.

Now this customer needs to inject the AD admin's username and password into the User Data section of CloudFormation template. What options are available? What are the pros and cons?

  • Getting username/password as CloudFormation Input Parameter?
  • Getting username/password from a securely managed S3 object?

Wonder how other people handle this usual scenario.

Sujets
Gestion et gouvernanceCalcul
Balises
AWS CloudFormationApprovisionnement de Windows
Langue
English
MODÉRATEUR
AWS-User-9968724
demandé il y a 9 ans620 vues
2 réponses
0
Réponse acceptée

Both are good options. S3 has been widely adopted for passing long credentials (e.g. keys) to CloudFormation stacks, however there is another option now; KMS. Benefits of this approach include an audit trail of decryptions, automated rotation of password encryption and not having to use an entire S3 bucket.

The following is an example of how KMS encrypted content can be referenced from a Mapping and an IAM role used by the instance in question to decrypt the key:

"Mappings": {
       "KMSSecrets": {
            "GithubSSHKey": {
                "CMKRegion": "us-east-1",
                "CipherTextBlob": "CiAKP2NjuykOmiYWxqmifMaTak0q.........",
                "IAMRoleName": "tmaddox-githubconsumer"
            }
      }
},
"Resources":
         "IAMInstanceProfileWWW": {
            "Properties": {
                "Path": "/",
                "Roles": [{"Fn::FindInMap": [ "KMSSecrets", "GithubSSHKey", "IAMRoleName"]}]
            },
            "Type": "AWS::IAM::InstanceProfile"
        },
        "WWWAdminServer": {
            "Metadata": {
                "AWS::CloudFormation::Init": {"config": {"packages": {"yum": {
                    "git": []
                }}}}
            },
            "Properties": {
                "IamInstanceProfile": {"Ref": "IAMInstanceProfileWWW"},
                ...
                "UserData": {"Fn::Base64": {"Fn::Join": [ "", [
                        "#!/bin/bash\n",
                        "yum update -y\n",
                        "echo -e \"\n### Running cfn-init\"\n",
                        "/opt/aws/bin/cfn-init",
                        "    -s ",
                        {"Ref": "AWS::StackName"},
                        "    -r WWWAdminServer ",
                        "    --region ",
                        {"Ref": "AWS::Region"},
                        "\n",
                        "",
                        "echo -e \"\n### Saving Github's SSH Host Key\"\n",
                        "GITHUB_HOST_KEY='github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='\n",
                        "if [ ! -f /root/.ssh/known_hosts ] || grep -v $GITHUB_HOST_KEY /root/.ssh/known_hosts; then\n",
                        "  echo $GITHUB_HOST_KEY >> /root/.ssh/known_hosts\n",
                        "fi\n",
                        "",
                        "echo -e \"\n### Fetching code\"\n",
                        "echo '", {"Fn::FindInMap": [ "KMSSecrets", "GithubSSHKey", "CipherTextBlob" ]}, "'",
                        "    | base64 -d > /root/.ssh/github.pem.encrypted\n",
                        "aws kms decrypt",
                        "    --output text",
                        "    --query Plaintext",
                        "    --region ", {"Fn::FindInMap": ["KMSSecrets", "GithubSSHKey", "CMKRegion" ]},
                        "    --ciphertext-blob fileb:///root/.ssh/github.pem.encrypted",
                        "    | base64 -d > /root/.ssh/git.pem\n",
                        "",
                        "rm -f /root/.ssh/github.pem.encrypted\n",
                        "chmod 600 /root/.ssh/git.pem\n",
                        "rm -rf /var/www/html\n",
                        "eval `ssh-agent`\n",
                        "ssh-add /root/.ssh/git.pem\n",
                        "git clone https://github.com/magento/magento2.git /var/www/html\n",
                        "rm -f /root/.ssh/git.pem\n",
                        ""
                    ]
                ]}}
            },
            "Type": "AWS::EC2::Instance"
        },
AWS
AWS-User-6691991
répondu il y a 9 ans
profile picture
EXPERT
Sedat Salman
vérifié il y a un an
0

I would store the Ad Credentials in a AWS Secret and the use powershell in user data to retrieve the secret value while joining the domain

https://aws.amazon.com/de/secrets-manager/

https://docs.aws.amazon.com/powershell/latest/reference/items/Get-SECSecretValue.html

profile picture
David
répondu il y a 10 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents