
How to secure SSH private keys using AWS Secrets Manager?


Storing SSH private keys in AWS Secrets Manager keeps them out of AMIs, user data scripts and source repositories, and lets you control and audit who can read them through IAM instead of copying key files from host to host.

When you store an SSH private key in Secrets Manager, you paste the full text of the key into the secret value while creating the secret. Secrets Manager encrypts every secret at rest with an AWS Key Management Service (KMS) key: the AWS managed key aws/secretsmanager by default, or a customer managed key you choose. If you pick a customer managed key, whoever reads the secret also needs kms:Decrypt on that key, not just the Secrets Manager permission shown below.

Let's walk through how to do this with an example:

Step 1: Create an IAM Policy

You need to create an IAM policy that grants access to AWS Secrets Manager for your EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:region:account-id:secret:ssh-key-secret-name"
            ]
        }
    ]
}

Replace region, account-id, and ssh-key-secret-name with your specific values. Note that Secrets Manager appends a six-character random suffix to every secret ARN (for example ...:secret:ssh-key-secret-name-AbCdEf), so either copy the complete ARN from the console or write the resource as arn:aws:secretsmanager:region:account-id:secret:ssh-key-secret-name-* to match it. Keep the policy limited to secretsmanager:GetSecretValue on this one secret; do not grant secretsmanager:* or a wildcard resource.

Step 2: Create an IAM Role for EC2 Instances
Create an IAM role whose trusted entity is the EC2 service (so it can be used as an instance profile) and attach the IAM policy you created in Step 1.

Step 3: Create or Import SSH Private Key in AWS Secrets Manager

Navigate to AWS Secrets Manager: Log in to the AWS Management Console and navigate to AWS Secrets Manager.

Create a New Secret:

Click on “Store a new secret” or “Create secret.”

Choose “Other type of secret.”

Select the Plaintext tab rather than Key/value, so that the line breaks in the key are preserved exactly as they are in the file.

Paste the content of your SSH private key into the text box provided. Make sure to include the entire key, including the header and footer lines (for example -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY-----, or -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- for older PEM-format keys).

Provide a name (this is the ssh-key-secret-name used in the policy), and optionally a description and tags for the secret.

Leave automatic rotation off unless you have built it: Secrets Manager has no built-in rotation for SSH keys, so rotating one requires a Lambda function you write that generates a new key pair, updates the secret and replaces the public key in authorized_keys on every target host.

Click “Next” and then “Store” to save your secret.

Step 4: Configure EC2 Instance
Launch an EC2 instance and assign the IAM role you created in Step 2 to the instance (as its instance profile). This role grants permission to retrieve the SSH private key from AWS Secrets Manager. Bear in mind that any process on the instance that can reach the instance metadata service can obtain the role's credentials and therefore the key, which is another reason to keep the policy scoped to this one secret and to require IMDSv2 on the instance.

Step 5: Retrieve SSH Private Key in EC2 Instance
On the EC2 instance, you can retrieve the SSH private key from AWS Secrets Manager using the AWS SDK or the AWS CLI; the instance role's credentials are picked up automatically, so no access keys need to be configured.

Example using AWS CLI:

aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:region:account-id:secret:ssh-key-secret-name --output text --query SecretString

Replace region, account-id, and ssh-key-secret-name with your specific values (--secret-id accepts either the secret name or its full ARN). The --query SecretString --output text combination prints the raw key with its line breaks intact. Redirect that output into a file created with a restrictive umask (or pipe it straight into ssh-add) rather than echoing it to the terminal, and never pass the key on a command line where it would end up in shell history or process listings.

Step 6: Use SSH Private Key
Now you can use the retrieved SSH private key to authenticate SSH connections from your EC2 instance. The key file must be readable only by its owner (mode 600); ssh refuses to use a key that other users can read and reports "UNPROTECTED PRIVATE KEY FILE".

ssh -i /path/to/retrieved/private/key.pem user@hostname
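To tie Steps 3 to 6 together, here is an added example script, not code from the original post, that stores a PEM file as a plaintext secret, fetches it on the instance, checks that the value is a complete PEM block, writes it to a file only the caller can read (or loads it straight into ssh-agent so it never touches disk) and runs ssh with it. The secret name ssh-key-secret-name comes from the post; the script name, the SECRET_ID variable and the helper function names are my own assumptions, and the script expects a configured AWS CLI v2 and an instance role that allows secretsmanager:GetSecretValue on that secret.

```bash
#!/usr/bin/env bash
# ssh-from-secret.sh (hypothetical name): fetch an SSH private key from
# AWS Secrets Manager and use it without leaving it lying around.
# Assumes the AWS CLI is installed and the instance role from Step 2 is attached.
set -eu

# Secret name or full ARN; the default is the name used in the post.
SECRET_ID="${SECRET_ID:-ssh-key-secret-name}"

# Step 3, non-interactive variant: store a PEM file as a plaintext secret.
# file:// keeps the key off the command line and out of shell history.
store_key_secret() {
  local pem_path="$1"
  aws secretsmanager create-secret --name "$SECRET_ID" \
      --description "SSH private key" \
      --secret-string "file://${pem_path}" \
      --query ARN --output text
}

# Step 5: fetch the raw secret string; --output text keeps the line breaks.
fetch_key_secret() {
  aws secretsmanager get-secret-value --secret-id "$SECRET_ID" \
      --query SecretString --output text
}

# Sanity check before handing the value to ssh: both the BEGIN and END
# lines must be present (catches a key pasted as key/value or truncated).
is_pem_private_key() {
  local key="$1"
  printf '%s\n' "$key" | grep -qE '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' &&
  printf '%s\n' "$key" | grep -qE '^-----END ([A-Z]+ )?PRIVATE KEY-----$'
}

# Write the key to a file that only the current user can read; ssh rejects
# keys readable by others. Returns the resulting permission string.
write_key_file() {
  local key="$1" dest="$2"
  ( umask 077 && printf '%s\n' "$key" > "$dest" )
  chmod 600 "$dest"
  ls -l "$dest" | cut -c1-10
}

# Preferred path: load the key into a running ssh-agent from stdin so it is
# never written to disk (start one first with: eval "$(ssh-agent -s)").
load_key_into_agent() {
  fetch_key_secret | ssh-add -
}

# Step 6: fetch, validate, write to a temp file, ssh, then remove the file
# whether or not ssh succeeded.
ssh_with_secret_key() {
  local target="$1"; shift
  local key tmp rc=0
  key="$(fetch_key_secret)"
  is_pem_private_key "$key" || { echo "secret is not a PEM private key" >&2; return 1; }
  tmp="$(mktemp)"
  write_key_file "$key" "$tmp" >/dev/null
  # IdentitiesOnly stops ssh from also offering every key in the agent.
  ssh -i "$tmp" -o IdentitiesOnly=yes "$target" "$@" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage: SECRET_ID=<name-or-arn> ./ssh-from-secret.sh user@hostname [command]
if [ "$#" -gt 0 ]; then
  ssh_with_secret_key "$@"
fi
```

The temp-file path exists because some tools only take a key file; when ssh-agent is available, load_key_into_agent is the better choice since the key then lives only in the agent's memory.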

This approach keeps your SSH private keys encrypted and centrally managed in AWS Secrets Manager, with access controlled by IAM and every GetSecretValue call recorded in CloudTrail, which reduces the risk of keys being copied around or exposed. It does not make the key unreachable on the instance itself: anything that can use the instance's role can fetch it, so scope the policy to the single secret, prefer loading the key into ssh-agent over writing it to disk, and delete any temporary key file as soon as the session ends.
