Skip to main content

Securing your Ansible deployment on AWS

Lately I have been involved in a team which is developing software as micro-services. It is very interesting work and has helped me to get introduced to some interesting technologies such as AWS Ansible and Docker in depth (and in practice).

Ansible is a great deployment automation tool. It is made in python, is declarative and agent-less (i.e. it just needs SSH access to your box). SSH it self is very secure if you use key based authentication. But people tend to use it in very insecure manner (i.e they share SSH keys on email, don't delete old SSH keys once they are revoked etc).

In my opinion the best solution to stop sharing of private keys is to generate them on a hardware token from which they cannot be (easily) copied. Fortunately I have access to Yubico Neo on which I managed to generate a public/private gpg key. The private key resides in your gpg card and public key can be put in your Ansible target hosts. There are quite a few guides (Mac, Linux, Windows) for Yubikey and few more for general purpose CCID based key-stores. And then one can use SSH key forwarding with your Gpg agent so that you can use your Yubikey for servers which require you to first login to jumpboxes.

Ansible has good AWS support in form of modules such as ec2, rds etc (backed by python boto). These modules of-course require AWS api access when trying to conjure/terminate nodes or updating a route53 DNS entry. Normally this means you have to generate and use AWS API tokens. I prefer using jump-boxes with IAM roles instead (IAM roles essentially gives permission to an Amazon instance to call Amazon APIs on your behalf, without requiring any extra keys or passwords etc). 

So this entire approach will be useful only if you can easily login to a jumpbox with IAM role. I like the using OpsWorks to create and start such jumpbox instances. The only thing required for such jumpboxes is to have correct IAMroles (which can do all the things that you need to do from your Ansible scripts, i.e EC2.* or S3.*) and your IAM users have the permission to SSH to the jumpbox. IAM users can register their own SSH keys (of-course the one generated on Yubikey) on OpsWorks. And they keys get magically updated on all machines managed by Opsworks.

Following this guide you make it impossible to leak your SSH key or Amazon credentials, since you don't put them in any remote machine/code. And that should be a good baseline for a secure Ansible deployment on AWS.




Labels:
Location: Stockholm, Sweden

Comments

Post a Comment

Popular posts from this blog

Neo4j Graphgists: The most educational gists in my opnion

I am really glad that interest in Neo4j education is picking up and NeoTechnolgoy is taking a fun approaches to help people learn graph databases. These efforts tie in neatly with my suggestions regarding Neo4j community outreach. Back in 2012 we had the Neo4j heroku challenge . At that time Cypher was just coming out and the aim of heroku challenge was to get people comfortable with code/cloud and Neo4j. In the last year or so Cypher has evolved considerably and now it is a great initiative by the Neo4j-community-team to hold a challenge that focused on Cypher and graph modelling. In this post I would like to go through my personal favourite gists from this challenge. I have a " fair " understanding of modelling with graphs; yet I learn some thing new and interesting, almost every time, when I am looking at other people's graph models (and that was my personal motivation when I began reviewing the gists ). I am not sure how the voting for this challenge will be d
Post a Comment
Read more

YubiKey Neo + Putty SSH + Windows

I have been using Yubikey Neo to manage my OpenSSH key in a CCID at work. I have made it work in Ubuntu and MacOS with relative ease, but most of my colleagues are on Windows and wondered how this could be done on the M$ platform. So I decided to give it a shot and try it out on their newly released Windows 10 (or shall we call it WinOS X  ) Step 0: Get YubiKey Neo configured as CCID Of course you have to buy this hardware before we can even begin. Before your Yubikey appears as a CCID  you will need to use YubiKey Neo Manager to enable it. See the following screenshot.  You cannot have a password for your Yubikey when you are changing the modes. If you do then you will have to delete that configuration with YubiKey personalization tool. Make sure to exit the GUI applications before you start using console later. Step 1: Check if you Yubikey works. You will need have gpg executable installed.  Gpg4Win  to interact with your Yubikey C:\> gpg --card-edit gpg: det
3 comments
Read more