[英]AWS SSM document with private information
I've been asked to come up with a solution to ensure that all of our Windows servers on AWS have local accounts created for the admin team using SSM. 我被要求提出一个解决方案,以确保我们在AWS上的所有Windows服务器都具有使用SSM为管理团队创建的本地帐户。 We need the ability to audit this and ensure that the passwords can be changed easily.
我们需要能够对此进行审核,并确保可以轻松更改密码。 I know, i know, i should just like what a domain does, but for whatever reason that's not allowed!
我知道,我知道,我应该喜欢域名的功能,但是出于任何原因,这都是不允许的!
Creating the document with the powershell script is fine but putting the passwords into the script is an issue and this will need to be in plain text. 使用powershell脚本创建文档很好,但是将密码放入脚本是一个问题,这需要使用纯文本格式。
I thought I could use AWS KMS to encrypt the passwords and have SSM decrypt them on the fly. 我以为可以使用AWS KMS加密密码并让SSM即时解密它们。 The thing is that I can't get the decrypt to work only for SSM and not for anyone who logs onto the server.
事实是,我无法使解密仅适用于SSM,而不适用于登录服务器的任何人。 If oneone can decrpyt the password then it might as well in plain text :/
如果一个人可以解密密码,那么它也可以是纯文本格式:/
I hope that makes sense! 我希望这是有道理的!
Any thoughts or advice would be gratefully recieved. 任何想法或建议将不胜感激。
Thanks 谢谢
Might be too late for you but the only thing I can think of is to have the password as an SSM parameter and create a parent lambda for the ssm. 对于您来说可能为时已晚,但是我唯一想到的就是将密码作为SSM参数并为ssm创建一个父lambda。 You can specify the lambda to have access to the KMS key only via policy.
您可以指定lambda仅通过策略访问KMS密钥。
This adds an extra step (having to call a lambda to call and SSM) but it'll allow you to restrict access to a higher degree. 这增加了一个额外的步骤(必须调用lambda来进行调用和SSM),但是它将允许您在更高程度上限制访问权限。
I'm fairly sure SSM parameters are secure enough to transport a password but I would suggest double checking on that before pulling the trigger. 我相当确定SSM参数足够安全,可以传输密码,但是我建议您在触发之前仔细检查。
An ideal solution would be to detect on the instance if the you're originating from an SSM but I don't think that's possible. 理想的解决方案是在实例上检测您是否源自SSM,但我认为这是不可能的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.