Sheo Shankar Choudhary

Storing Sensitive Password, URL and Database Credentials in AWS in Compliance with Security Auditing

Introduction:

Security, compliance and auditing are among the most critical aspects for any organization securing its SAP or non-SAP landscape, especially when that landscape is running in a cloud provider's data center.

Some user credentials are very sensitive, and their use and access must be protected from any unauthorized party. Also, whenever they are accessed, a log must be kept somewhere so that the access can be audited later.

In this blog I describe a process through which one can secure these credentials and their access in AWS by using services provided by AWS itself. The cost is also minimal, as the AWS services used are either free or very low cost.


Pre-Requisite:

  • Access to the AWS Console with IAM, Lambda, SSM (Systems Manager), KMS and CloudWatch permissions
  • Basic knowledge of how to create roles and assign policies
  • Basic knowledge of Lambda
  • Basic knowledge of how to monitor logs in CloudWatch


Procedure/Steps:

  1. Create two users and assign the following inline policies through IAM:
    • One with full admin access to Lambda, Systems Manager, Parameter Store and KMS
    • A second with only limited access to Lambda, Systems Manager and KMS
  2. Create a KMS customer managed key for data encryption
  3. Create parameters (SAP credentials, URLs and database credentials) in Parameter Store, using the KMS key to encrypt the details
  4. Install the AWS CLI on a local desktop or bastion host and configure it for AWS access
  5. Use the user with limited access to Systems Manager and KMS to configure the AWS CLI and retrieve the details through CLI commands
  6. Create a Lambda function to access the credentials
  7. Execute the Lambda function with specific values to get the required details
  8. Audit CloudWatch for each execution of the Lambda function

In the above one can see there are two ways to get the necessary detail:

  • AWS CLI
  • LAMBDA

Through Lambda, every execution is logged in CloudWatch, which supports the auditing process.

Creating the users and assigning inline policies:

  • Create the first user with the following inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:kms:*:*:key/*",
                "arn:aws:ssm:*:*:parameter/sap*"
            ]
        }
    ]
}


User which will be used in AWS CLI to access the Credentials

Now verify that this user cannot reach KMS or Parameter Store through the AWS Console. The verification screens are as follows:


No KMS Access Through AWS Console


No Parameter Store Access Through AWS Console


  • Create the second (Lambda) user with the following inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionEventInvokeConfig",
                "lambda:UpdateEventSourceMapping",
                "kms:Decrypt",
                "lambda:UpdateFunctionCodeSigningConfig",
                "lambda:InvokeFunction",
                "lambda:ListVersionsByFunction",
                "lambda:GetFunction",
                "lambda:UpdateFunctionConfiguration",
                "lambda:InvokeAsync",
                "lambda:GetFunctionConfiguration",
                "ssm:GetParameters",
                "ssm:GetParameter",
                "lambda:UpdateCodeSigningConfig",
                "lambda:UpdateFunctionCode",
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:lambda:*:802160044962:codesigningconfig:*",
                "arn:aws:lambda:*:802160044962:event-source-mapping:*",
                "arn:aws:lambda:*:802160044962:function:*",
                "arn:aws:kms:*:*:key/*",
                "arn:aws:ssm:*:*:parameter/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "lambda:CreateFunction",
            "Resource": "arn:aws:lambda:*:802160044962:function:*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:GetAccountSettings"
            ],
            "Resource": "*"
        }
    ]
}


User with Lambda Function Execute Access


Verify that this user has no additional access after logging in to the AWS Console:


No KMS Access


No Parameter Store Access through AWS Console


Lambda Function Access through AWS Console

Create KMS Customer Managed Key for Data Encryption:

Go to KMS->Customer Managed Key->Create Key->Symmetric


KMS Customer Managed Key Creation Process

Create Parameter (Credentials/URLs/Sensitive Details) in Parameter Store:

Go to Parameter Store and create the different credentials and URLs; their details are shown in the following screenshot:


Parameter Store Detail Creation


Please make sure that you plan a proper hierarchy before maintaining your credentials in Parameter Store. This is essential because your access through the Lambda code will be defined by this hierarchy, and the resource ARNs in the IAM policies (for example parameter/sap*) are scoped by it. It also gives a standard approach to maintaining your credentials and URLs. The following screenshot shows one such example:

Install AWS CLI and Configure to Access the Credentials:


If you are using an AWS EC2 server as a bastion host to access Parameter Store, there is no need for a fresh installation of the AWS CLI, as EC2 instances come with the AWS CLI installed by default.

If the SAP admin team is using its own laptops or desktops, they need to install this tool separately. Please follow the following link to get this tool installed:

https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-windows.html

Once the AWS CLI is installed, use the aws configure command to set up your command line to communicate with your AWS account. Here you need the "Access key ID" and "Secret access key" of the user created above by your security team. An example of the credential file (.csv) is as follows:

AWS Configure command:

Now one can access the required details using the following commands:

aws ssm get-parameters --names <name of the parameter> --with-decryption --region <region_name>

EXAMPLE: aws ssm get-parameters --names /sap/abap/ecc/dev/ddic --with-decryption --region us-east-2


Command to get Encrypted Credential One at a time


One can use the following command to get the details of all the credentials/URLs available under a particular path:

aws ssm get-parameters-by-path --path <path_detail> --recursive --with-decryption --region <region_name>

EXAMPLE: aws ssm get-parameters-by-path --path /sap/ --recursive --with-decryption --region us-east-2


Getting Credentials Based on Path


The above is one way through which the SAP admin team can get the critical information they need at any point during their support work.


There is another way to access these details as well, which is based on a Lambda function. This is a serverless technology: execute permission for this function is given to the SAP admin team, and they can invoke it whenever they need the details. The best part of this method is that all such API calls are recorded in CloudWatch, which can be used during security auditing.

Creation of Lambda Function:


As an example, I created the following code to retrieve the required details through Lambda:


import json
import boto3
import os

# SSM client; the region is hard-coded to the region that holds the parameters
ssm = boto3.client('ssm', region_name="us-east-2")

# The path segments are taken from the Lambda environment variables
abap_or_java = os.environ['ABAP_OR_JAVA']
ecc_or_srm = os.environ['ECC_OR_SRM']
sap_env = os.environ['DEV_OR_UAT_OR_PRD']
sap_usr = os.environ['USER_NAME']


def lambda_handler(event, context):
    # Build /sap/<abap|java>/<ecc|srm>/<env>/<user> and fetch it decrypted
    user_password = ssm.get_parameters(
        Names=["/sap/" + abap_or_java + "/" + ecc_or_srm + "/" + sap_env + "/" + sap_usr],
        WithDecryption=True)
    # Note: this print writes the decrypted value into the CloudWatch log stream,
    # so access to that log group must be restricted as tightly as the parameter
    print(user_password)
    return "done!"


Lambda Function


The process to create the Lambda function is shown in the following screen shot:


Lambda Function Creation


Now create environment variables with the following details in the Lambda function:


Variable detail


The Value column gives an overview of all the values that are possible; before execution, one selects the value needed (based on the requirement) by editing the Value field, and then runs the function by clicking the TEST button.


The above step creates the Lambda function as well as an IAM role. That role needs to be modified so that it has access to KMS and Parameter Store.


Lambda Function Automatically Generated Role


Lambda Role Modification for addition of Inline Policy


Increase the timeout setting of the Lambda function to at least 10-15 seconds, as decryption needs some additional time.


Time Out Setting

The Lambda function execution step is as follows:


Lambda Function Execution and Result
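As an added example (this is not the blog's own code), the following hardened variant of the handler shown above builds the parameter path from the same environment variables, but validates each segment against the planned /sap/<abap|java>/<ecc|srm>/<dev|uat|prd>/<user> hierarchy before calling SSM, handles names that GetParameters reports as invalid, and returns the decrypted value only to the invoker instead of printing it into the log stream. The FakeSSM class, the USER_RE naming rule for the user segment, the injectable ssm/env arguments and the AWS_REGION fallback are assumptions made so the module runs offline; in Lambda, pass no ssm argument and boto3 is used.

```python
import os
import re

# Planned hierarchy: /sap/<abap|java>/<ecc|srm>/<dev|uat|prd>/<user>
ALLOWED_SEGMENTS = (
    ("ABAP_OR_JAVA", {"abap", "java"}),
    ("ECC_OR_SRM", {"ecc", "srm"}),
    ("DEV_OR_UAT_OR_PRD", {"dev", "uat", "prd"}),
)
# Hypothetical naming rule for the SAP user-id segment (assumption)
USER_RE = re.compile(r"^[a-z][a-z0-9_]{0,29}$")


def build_parameter_path(env):
    """Return /sap/<stack>/<system>/<env>/<user>, rejecting any segment that is
    outside the planned hierarchy, so the environment variables cannot steer the
    function to an arbitrary parameter (e.g. via '../' or a different prefix)."""
    parts = []
    for var, allowed in ALLOWED_SEGMENTS:
        value = env.get(var, "").strip().lower()
        if value not in allowed:
            raise ValueError(f"{var}={value!r} is not one of {sorted(allowed)}")
        parts.append(value)
    user = env.get("USER_NAME", "").strip().lower()
    if not USER_RE.match(user):
        raise ValueError("USER_NAME is missing or contains unexpected characters")
    return "/sap/" + "/".join(parts) + "/" + user


class FakeSSM:
    """Constructed stand-in for boto3.client('ssm'). It returns the same shape
    as GetParameters: found entries in Parameters, unknown names in
    InvalidParameters (the real API does not raise for an unknown name)."""

    def __init__(self, store):
        self._store = store  # parameter name -> decrypted value

    def get_parameters(self, Names, WithDecryption=False):
        found = [{"Name": n, "Type": "SecureString", "Value": self._store[n]}
                 for n in Names if n in self._store]
        missing = [n for n in Names if n not in self._store]
        return {"Parameters": found, "InvalidParameters": missing}


def fetch_credential(ssm, path):
    """Fetch one SecureString decrypted; check InvalidParameters explicitly."""
    resp = ssm.get_parameters(Names=[path], WithDecryption=True)
    if resp.get("InvalidParameters"):
        raise LookupError(f"no parameter found at {path}")
    return resp["Parameters"][0]["Value"]


def lambda_handler(event, context, ssm=None, env=None):
    """Lambda entry point. `ssm` and `env` are injectable for offline use; when
    running in Lambda both default to boto3 and os.environ."""
    env = os.environ if env is None else env
    if ssm is None:
        import boto3  # imported lazily so the module loads without boto3
        ssm = boto3.client("ssm", region_name=env.get("AWS_REGION", "us-east-2"))
    path = build_parameter_path(env)
    secret = fetch_credential(ssm, path)
    # Log the parameter name only: the log stream is the audit trail and must
    # not carry the decrypted value. The value travels back in the invocation
    # response, which goes to the caller and is not written to CloudWatch Logs.
    print(f"credential read: {path}")
    return {"parameter": path, "value": secret}
```

With this shape the CloudWatch entry for each invocation still records which parameter was read and by which request, which is what the audit needs, while the password itself never lands in a log group that is usually far more widely readable than the KMS key.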

Audit the CloudWatch for each execution of the LAMBDA function:


Every time the Lambda function is executed, it creates an entry in CloudWatch:


Auditing and Monitoring
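To show what the auditing step can look like once the entries are collected, here is an added example (not part of the blog) that runs an offline audit pass over CloudTrail-style records of SSM GetParameter, GetParameters and GetParametersByPath calls, which is where the API calls made by both the CLI user and the Lambda role are recorded. It counts decrypted reads per principal and parameter and flags reads by a principal outside an expected set, as well as recursive bulk decryption of a whole path. The sample records, the account id 111122223333, the principal names, the EXPECTED_PRINCIPALS set and the /sap/ prefix are all constructed assumptions for the demonstration.

```python
import json
from collections import Counter

# Constructed sample records in CloudTrail's event shape (account id, names
# and times are made up for the demonstration).
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-10T09:12:01Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "awsRegion": "us-east-2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/sap-cred-lambda-role/sap-cred-reader"},
     "requestParameters": {"names": ["/sap/abap/ecc/dev/ddic"], "withDecryption": True}},
    {"eventTime": "2021-05-10T09:15:44Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParametersByPath", "awsRegion": "us-east-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/sap-cli-user"},
     "requestParameters": {"path": "/sap/", "recursive": True, "withDecryption": True}},
    {"eventTime": "2021-05-10T23:40:02Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "awsRegion": "us-east-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"name": "/sap/abap/ecc/prd/ddic", "withDecryption": True}},
    {"eventTime": "2021-05-10T10:01:30Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "awsRegion": "us-east-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/sap-cli-user"},
     "requestParameters": {"name": "/sap/abap/ecc/dev/url", "withDecryption": False}},
]

# Assumed set of principals that are allowed to decrypt SAP credentials
EXPECTED_PRINCIPALS = {"user/sap-cli-user", "assumed-role/sap-cred-lambda-role"}
SECRET_PREFIX = "/sap/"


def principal(event):
    """Reduce an identity ARN to 'user/<name>' or 'assumed-role/<role>'."""
    tail = event["userIdentity"]["arn"].split(":")[-1]
    return "/".join(tail.split("/")[:2])


def requested_names(event):
    """Names touched by the call; a path read is shown as '<path>*' or '<path>**'."""
    rp = event.get("requestParameters") or {}
    if "names" in rp:
        return list(rp["names"])
    if "name" in rp:
        return [rp["name"]]
    if "path" in rp:
        return [rp["path"] + ("**" if rp.get("recursive") else "*")]
    return []


def audit(events):
    """Return decrypted-read counts per (principal, parameter) plus findings."""
    reads = Counter()
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if not ev.get("eventName", "").startswith("GetParameter"):
            continue
        if not (ev.get("requestParameters") or {}).get("withDecryption"):
            continue  # only decrypted reads expose the secret value
        who = principal(ev)
        for name in requested_names(ev):
            if not name.startswith(SECRET_PREFIX):
                continue
            reads[(who, name)] += 1
            if who not in EXPECTED_PRINCIPALS:
                findings.append({"time": ev["eventTime"], "principal": who,
                                 "parameter": name, "reason": "unexpected principal"})
            if name.endswith("**"):
                findings.append({"time": ev["eventTime"], "principal": who,
                                 "parameter": name, "reason": "recursive bulk decrypt"})
    return {"reads": dict(reads), "findings": findings}


def audit_json_lines(text):
    """Same audit over one JSON record per line, e.g. an exported trail."""
    return audit([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS)["findings"]:
        print(f["time"], f["principal"], f["parameter"], "-", f["reason"])
```

The non-decrypting read of /sap/abap/ecc/dev/url is deliberately ignored: a URL parameter is not a SecureString, and the audit is interested in who obtained plaintext credentials, not in every read of the hierarchy.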

Pricing Detail:


Parameter Store Pricing Tier


Lambda Function Execution Pricing Detail


KMS Pricing Detail


There are several products on the market for maintaining critical credentials, such as "KeePass". I have seen customers maintaining such details in password-protected documents/Excel sheets as well.

But given the advantages (auditing, monitoring, maintenance and security) and the TCO of AWS Parameter Store, it is strongly recommended to use this AWS service to store all critical credentials and data.

1 Comment

Srinivas Karri

Nice one Sheo