Secret Store Lambda for CloudFormation templates
One topic very important in the AWS ecosystem is how to share secrets and parameters between applications.
Popular tools such as Vault and Consul are oriented towards large enterprises with multiple levels of security. There are also other proprietary KMS systems which often require connectivity back to on premise locations.
Another alternative may be a solution designed to run on the AWS platform, but such systems often have limitations. Credstash for example does not offer permission level per secret based. Solutions are often chosen based on the InfoSec policy & potential compliance requirements.
A solution for sharing
Inspired by Chris Barclay’s article on Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks, I designed a solution fully integrated with CloudFormation using Lambda-backed custom resources and SSM Parameter Store. Such a solution is cloud native and builds on top of services with adequate SLA’s in place. The goal is to form a simple yet secure and effective solution for sharing secrets between deployments.
When a CloudFormation template invokes AWS Lambda Secretstore, the function is executed with a dedicated IAM role, retrieved from EC2 Parameter Store and the secret decrypted using KMS. The execution of Lambda returns back to CloudFormation the value from the Parameter Store which makes it possible to access it using the function GetAtt reading the parameter “Value” and “Arn”.
You can see a full example in the file resources/example-read.yaml.
Why I used these AWS services
Lambda backed custom resources – provides cost efficiency with the use of all Lambda benefits and privileges segregated through IAM.
SSM Parameter Store – as SSM is fully integrated between all instances OS, it does not require any additional configuration. It also enables encryption of your secrets using KMS and allows you to control permission access using IAM.
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
How To install
1. Clone your repository
$ git clone firstname.lastname@example.org:cloudreach/aws-cfn-secretstore.git $ cd aws-cfn-secretstore/
2. Editing the file serverless.yml, you can deploy your function in AWS using Serverless Framework
$ sls deploy Serverless: Packaging service... Serverless: Excluding development dependencies... Serverless: Uploading CloudFormation file to S3... Serverless: Uploading artifacts... Serverless: Uploading service .zip file to S3 (62.37 KB)... Serverless: Validating template... Serverless: Creating Stack... Serverless: Checking Stack create progress... ....................... Serverless: Stack create finished... Service Information service: cfn-tools stage: prod region: eu-west-1 stack: cfn-tools-prod api keys: None endpoints: None functions: secretstore: cfn-tools-prod-secretstore
and immediately test your deployment using:
$ aws cloudformation create-stack --stack-name example-read-secretstore --template-body file://resources/example-read.yaml
Note that neither CloudFormation, Lambda or Parameter Store are global resources, so you will have to deploy the helper stack into each region.
How to quickly manage your secret using CLI
Github repository [https://github.com/cloudreach/aws-cfn-secretstore]