堆栈内存溢出
  简体   繁体   English

带有私人信息的AWS SSM文档

[英]AWS SSM document with private information

 原文  2017-12-12 15:54:00       powershell/ amazon-web-services/ aws-kms/ amazon-systems-manager/ aws-ssm

问题描述

I've been asked to come up with a solution to ensure that all of our Windows servers on AWS have local accounts created for the admin team using SSM. 我被要求提出一个解决方案,以确保我们在AWS上的所有Windows服务器都具有使用SSM为管理团队创建的本地帐户。 We need the ability to audit this and ensure that the passwords can be changed easily. 我们需要能够对此进行审核,并确保可以轻松更改密码。 I know, i know, i should just like what a domain does, but for whatever reason that's not allowed! 我知道,我知道,我应该喜欢域名的功能,但是出于任何原因,这都是不允许的!

Creating the document with the powershell script is fine but putting the passwords into the script is an issue and this will need to be in plain text. 使用powershell脚本创建文档很好,但是将密码放入脚本是一个问题,这需要使用纯文本格式。

I thought I could use AWS KMS to encrypt the passwords and have SSM decrypt them on the fly. 我以为可以使用AWS KMS加密密码并让SSM即时解密它们。 The thing is that I can't get the decrypt to work only for SSM and not for anyone who logs onto the server. 事实是,我无法使解密仅适用于SSM,而不适用于登录服务器的任何人。 If oneone can decrpyt the password then it might as well in plain text :/ 如果一个人可以解密密码,那么它也可以是纯文本格式:/

I hope that makes sense! 我希望这是有道理的!

Any thoughts or advice would be gratefully recieved. 任何想法或建议将不胜感激。

Thanks 谢谢

1 个解决方案

解决方案1
 0  2018-01-22 18:37:38

Might be too late for you but the only thing I can think of is to have the password as an SSM parameter and create a parent lambda for the ssm. 对于您来说可能为时已晚,但是我唯一想到的就是将密码作为SSM参数并为ssm创建一个父lambda。 You can specify the lambda to have access to the KMS key only via policy. 您可以指定lambda仅通过策略访问KMS密钥。

This adds an extra step (having to call a lambda to call and SSM) but it'll allow you to restrict access to a higher degree. 这增加了一个额外的步骤(必须调用lambda来进行调用和SSM),但是它将允许您在更高程度上限制访问权限。

I'm fairly sure SSM parameters are secure enough to transport a password but I would suggest double checking on that before pulling the trigger. 我相当确定SSM参数足够安全,可以传输密码,但是我建议您在触发之前仔细检查。

An ideal solution would be to detect on the instance if the you're originating from an SSM but I don't think that's possible. 理想的解决方案是在实例上检测您是否源自SSM,但我认为这是不可能的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS SSM RunCommand - RunRemoteScript 文档出现问题,以使用参数运行 PowerShell 脚本 - AWS SSM RunCommand - Issue with RunRemoteScript Document to run PowerShell script with parameters 如何使用 Terraform 将 powershell 命令传递给 AWS SSM 文档/运行命令? - How to pass a powershell command to AWS SSM Document/Run Command using Terraform? 如何使用 powershell 脚本通过 AWS SSM output - How to pass the AWS SSM output with powershell script AWS ssm 中的变量分配不起作用 - Variable assignment inside AWS ssm does not work 在 powershell 的 SSM 文档中引用 boolean 参数的正确方法是什么? - What is the correct way to reference a boolean parameter in SSM document for powershell? SSM - AWS-RunPowerShellScript - $false 布尔值被错误地识别为字符串 - SSM - AWS-RunPowerShellScript - $false boolean erroneously being recognized as String AWS-InstallWindowsUpdates SSM 运行命令从哪里提取? - Where does the AWS-InstallWindowsUpdates SSM run command pull from? AWS SSM 发送命令 CLI 中的 escaping 字符 - escaping characters in AWS SSM send-command CLI 在 aws cli ssm 中的 powershell 命令中传递单引号字符串 - Pass single quoted string within powershell command in aws cli ssm 为什么AWS-ConfigureWindowsUpdate SSM运行命令失败? - Why is AWS-ConfigureWindowsUpdate SSM Run Command Failing?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM