AWS Key Pairs: One Ring to Rule Them All
July 31, 2018 | Security and Risk | barlavie
The advent of cloud computing has fundamentally changed the way we now think of modern data centers. Dynamic, elastic in nature and fully automated, cloud is well-suited for almost everything to be delivered ‘as code.’ Despite all of the benefits, there are also inherent and ever-growing risks in the cloud that are typically absent from the on-premises world.
The use of privileged accounts may be slightly different in cloud instances, and they are equally important to protect. Not only does a cloud platform have its own privileged accounts and secrets, but the regular *NIX and Windows instances maintain their own as well – from privileged SSH keys to a local administrator account. Regardless, to secure these powerful credentials, they must to be managed and accessed with a privileged access security solution.
Privileged Challenges in Elastic and Dynamic Cloud Environments
An AWS Key Pair is very much like the “One Ring” in the Lord of the Rings series. Designed to establish total domination over the people of Middle Earth, the Dark Lord Sauron forged the One Ring in the fires of Mount Doom, giving him great and magical powers. The ring was essentially woven directly into his being, totally bound to it, providing him with great power but also leaving him vulnerable and powerless without it.
The AWS Key Pair is not so different from the One Ring – the key pair controls access to the AWS environment and can be used to decrypt the local administrator password for Windows OS, as well as the private SSH key for *NIX systems. In most cases, key pairs used for a single AWS region are very limited.
Like the One Ring, the key pair literally holds the “rings of power” (or more accurately, the “keys of power”) to your entire cloud kingdom. Having the key pair is a crucial step in gaining access to the entire IaaS environment. If this were the case in the Lord of the Rings, it would’ve made Frodo’s quest to destroy the Ring a lot easier – and uneventful. If the gates of Mordor were the IaaS environment, he could’ve walked straight through and casually chucked the One Ring into the fires of Mount Doom with ease.
Once the key falls into the wrong hands, it exposes your entire IaaS to potential attacks. Attackers constantly seek the types of secrets that can be used to access your organization’s environment. When you create a key pair, it is automatically downloaded on to your workstation. So in a case where there is already an attacker inside the network waiting for someone to slip, your key pairs are exposed and it’s game over.
You can create more than one key, but the problem remains the same, and with multiple key pairs, the challenge becomes storing and managing multiple pairs of keys.
How Do I Solve This Problem?
There are a couple of options depending upon the needs of your organization. For example, you can use a privileged access security solution to manage your IaaS privileged accounts. You can (and should) even build this process directly into your own CI/CD pipeline. Although, you’ll likely need to make some changes in the process and add new integrations – DevOps and containers present another potential set of vulnerabilities and a potentially enlarged attack surface. As DevOps and/or containers become increasingly important to businesses, it is critical to secure these environments too. For example, you will need to onboard credentials, secrets and other privileged accounts for each new EC2 compute instance and de-provision them once the instance is terminated.
Often a better solution is to completely automate the process of securely onboarding the credentials of newly created instances, so that you never have to expose the credentials again after deployment and configuration.
Event-Driven Automatic Onboarding
Until an organization secures its CI/CD pipelines, it is exposed to a variety of attack vectors. To address this reality, CyberArk offers an open source AWS Automatic Onboarding tool available on GitHub, which is designed to solve this exact problem for AWS customers. The solution is based on Lambda functions, which are automatically triggered by AWS CloudWatch when new instances are spun up or down. AWS CloudWatch is able to detect a new instance regardless of who or what created it, including instances from the CLI or with AWS Autoscaling. No matter who created the instance or where it was created, CyberArk can detect it. The Lambda functions automatically onboard the privileged SSH keys or local administrator accounts to the CyberArk Privileged Access Security Solution, and then trigger an immediate rotation of the password/SSH key. This ensures the key pair can no longer be used to gain a privileged access to your environment.
Problem solved? Not entirely. What about the key pair? It’s still a problem. One of the Lambda function’s capabilities can automatically create a key pair for you and store it directly in the CyberArk Enterprise Password Vault. With this approach, we can make sure it is never downloaded to the developer’s endpoint devices, and all access to it is through the Lambda function.
One important benefit to this approach is that unlike schedule-based scanners that provide you a partial view into your environment, this is an event-driven solution that is always aware of the current environment. Here, changes are made in real time.
Let CyberArk Help You in Your Quest for a Better Security Posture
The AWS Automatic Onboarding tool is packaged as a CloudFormation template, which fully automates the deployment. We recommend the deployment of this template for all AWS accounts and across all regions, which fully supports all CyberArk environments in both cloud and hybrid architectures.
It’s a security best practice to make sure that AWS Key Pairs are managed and secured, not left lying around locally on a computer or some other server. It is also a best practice to identify and manage all privileged accounts, cloud secrets and other credentials that are categorizes as “privileged.”
Change, especially technological change, is certainly welcomed and undoubtedly can deliver many great benefits, but it’s critical to ensure that you’re doing everything you can to protect your most valuable assets that leverage new technologies. CyberArk can be your Samwise Gamgee – only more reliable and capable – in your quest for securing and managing AWS Key Pairs and beyond. Contact your local CyberArk sales representative for details. To protect DevOps environments, try CyberArk Conjur Open Source at www.conjur.org