By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Securely Passing Credentials for Automation Without Exposure in Runcommand

0

I have an automation solution in my central account that helps users domain-join instances. This process requires using central account credentials. Currently, these credentials are stored in the central account and are passed into the instance, mostly via a PowerShell command(ssm command from automation script under organizationaccountaccessrole)

The issue is that these credentials are stored in the AWS Systems Manager Run Command command parameters, which poses a security risk.

However, storing the credentials in the Parameter Store under the user account is not an option and also cross-account sharing is not possible due to limitations (Resource Manager restrictions).

What is the best way to securely pass these credentials without exposing them in logs or command parameters?

Topics
Management & Governance
Tags
AWS Systems ManagerParameter Store
Language
English
UR
asked 7 days ago23 views
1 Answer
0

Hello.

How about registering credentials in SecretsManager and setting up a resource policy to allow access from other AWS accounts?
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html

If you use AWS Organizations to manage your AWS accounts, you can also configure a SecretsManager resource-based policy to allow Organizations IDs.
The SecretsManager policy is configured to allow OU IDs as follows:

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Principal" : "*",
      "Action" : "secretsmanager:GetSecretValue",
      "Resource" : "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:test",
      "Condition" : {
        "StringEquals" : {
          "aws:PrincipalOrgID": "o-1234567"
        }
      }
    }
  ]
}

Also, since this will be cross-account access, be sure to set a customer-managed key for SecretsManager encryption and allow the OU ID in the key policy.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/allow-org-ou-to-use-key.html

profile picture
EXPERT
Riku_Kobayashi
answered 7 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content