How to Store the PIN Code in the AWS Systems Manager Parameter Store?
X-Road Autologin utility can be used to automatically enter the PIN code after xroad-signer
has started. The utility can be used to automate entering the PIN code after rebooting the host server. This article explains how the PIN code can be securely stored in the AWS Systems Manager Parameter Store so that the Autologin utility is able to read it from there.
More information about the Autologin utility can be found at: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter.
More information about the AWS Systems Manager Parameter Store can be found at: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
Accessing the Parameters
The parameters can be accessed using AWS CLI or one of the language specific AWS client libraries.
Get encrypted parameter /NIIS/Test
# Get the whole parameter object
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json
{
"Parameter": {
"Name": "/NIIS/Test",
"Type": "SecureString",
"Value": "MySecureString",
"Version": 1,
"Selector": "",
"LastModifiedDate": 1562562294.084,
"ARN": "arn:aws:ssm:region:account-id:parameter/NIIS/Test"
}
}
# Get parameter value only
$ aws ssm get-parameter --name "/NIIS/Test" --with-decryption --output json | jq -r '.Parameter.Value'
MySecureString
Parameters can be stored plain text or encrypted. When encryption is used, it's possible to use the default KMS key for the account or specify a customer-managed CMK for this account. Either way, the user or service accessing the parameter must have sufficient permissions to access the encryption key and the parameter itself.
Currenlty AWS CloudFormation doesn't support the SecureString parameter type. This means that encrypted parameters must be created manually or using an additional script - they cannot be created using CloudFormation. Read more.
The following IAM policy gives access to a specified parameter encrypted with the default KMS key for the account.
IAM Policy Example
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"ssm:GetParameter"
],
"Resource":[
"arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"
]
},
{
"Effect":"Allow",
"Action":[
"kms:Decrypt"
],
"Resource":[
"arn:aws:kms:<region>:<account-id>:key/alias/aws/ssm"
]
}
]
}
CloudFormation Example
SSInstance:
Type: AWS::EC2::Instance
Properties:
.
.
IamInstanceProfile: !Ref XRdPlaygroundInstanceProfile
.
.
XRdPlaygroundInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: String
Path: /
Roles:
- !Ref XRdPlaygroundRole
XRdPlaygroundRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: PINCodePolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ssm:GetParameter'
Resource:
- !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SSMPINCodeParameterName}'
- PolicyName: KMSKeyPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'kms:Decrypt'
Resource:
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/alias/aws/ssm'
The above CloudFormation example uses inline policies, but customer managed policies could be used too.
Storing Security Server PIN Code in SSM
Security Server PIN code can be stored in SSM. In that case a custom bash script (/usr/share/xroad/autologin/custom-fetch-pin.sh
) must be implemented according to the auto-login documentation. The script must fetch the PIN code from SSM and output the PIN code to stdout. AWS CLI and jq must be installed on the Security Server. Read more about installing the AWS CLI on Linux.
/usr/share/xroad/autologin/custom-fetch-pin.sh
Related articles
Â
Â
Â