AWS Secrets Manager - deny access to secret to all but 1 role - aws-secrets-manager

I have a secret, that I only want 2 roles to read.
A DBA role must be able to access the secret and set the value
A terraform role must be able to READ the secret value.
I have set secret policies to reflect this, BUT other roles are still able to read my secret value.
e.g. my admins role
How would I explicitly deny all other roles ?
resource "aws_secretsmanager_secret" "mysecret" {
name = "tch/abc/mysecret"
policy = data.aws_iam_policy_document.mysecret_secret_assume.json
}
data aws_iam_policy_document "mysecret_secret_assume" {
statement [
{
effect = "Allow"
principals {
identifiers = ["${aws_iam_role.setter.arn}"]
type = "AWS"
}
actions = [
"secretsmanager:ListSecrets",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:UpdateSecret",
"secretsmanager:GetSecret"
]
resources = ["*"]
},
{
effect = "Allow"
principals {
identifiers = "arn:aws:iam::${local.account}:role/Terraform"
type = "AWS"
}
actions = [
"secretsmanager:GetSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecrets"
]
resources = ["*"]
}
]
}

I assume your admin role are created by IAM policy, and usually the admin role have all permission. Which means when you don't have secret resource policy claim anything about admin role, it will follow the IAM policy' permission.
You can try to add one statement like:
{
effect = "Deny"
principals {
identifiers = $here put your admin role identifier$,
type = "AWS"
}
actions = [
"secretsmanager:*"
]
resources = ["*"]
},

Related

Azure event hub using terraform

I have question related to terraform code for azure event hub.
What are the security principles and policies that we need to take care while deploying azure event hub securely through terraform?. If possible please share the terraform code also.
Thanks
I have checked few docs but unable to understand it.
I tried to reproduce the same in my environment to create an Azure event hub using Terraform:
Terraform Code:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "venkyrg" {
name = "venkyrg1"
location = "West Europe"
}
resource "azurerm_eventhub_namespace" "example" {
name = "venkatnamespace"
location = azurerm_resource_group.venkyrg.location
resource_group_name = azurerm_resource_group.venkyrg.name
sku = "Standard"
capacity = 1
tags = {
environment = "Production"
}
}
resource "azurerm_eventhub" "example" {
name = "venkateventhub"
namespace_name = azurerm_eventhub_namespace.example.name
resource_group_name = azurerm_resource_group.venkyrg.name
partition_count = 2
message_retention = 1
}
#Event hub Policy creation
resource "azurerm_eventhub_authorization_rule" "example" {
name = "navi"
namespace_name = azurerm_eventhub_namespace.example.name
eventhub_name = azurerm_eventhub.example.name
resource_group_name = azurerm_resource_group.venkyrg.name
listen = true
send = false
manage = false
}
# Service Prinicipal Assignment
resource "azurerm_role_assignment" "pod-identity-assignment" {
scope = azurerm_resource_group.resourceGroup.id
role_definition_name = "Azure Event Hubs Data Owner"
principal_id = "74cca40a-1d7e-4352-a66c-217eab00cf33"
}
Terraform Apply:
Once ran the code resources are created with event hub policies in Azure successfully, like below.
Policy Status:
Azure Built-in roles for Azure Event Hubs
Reference: Azurerm-eventhub with Terraform

Terraform azurerm read current signed in user?

Looking at the documentation I am unable to find a data source which gives me
the current user (preferably the email) logged in to az when using the azurerm provider in terraform.
This information is available when I run az ad signed-in-user and I would like to use it to tag the resources created by terraform in azure.
Is this not possible right now?
You can use azurerm_client_config to get the AD object ID for the current user and then look up the returned object id with azuread_user to get the user principal name (UPN). Then, the UPN can be assigned to a tag. In the code below, outputs are not necessary but are helpful for validation because their values appear in the plan.
data "azurerm_client_config" "current" { }
data "azuread_user" "current_user" {
object_id = data.azurerm_client_config.current.object_id
}
resource "azurerm_resource_group" "example-rg" {
name = "example-rg"
location = "westus"
tags = {
userCreated = data.azuread_user.current_user.user_principal_name
}
}
output "object_id" {
value = data.azurerm_client_config.current.object_id
}
output "user_principal_name" {
value = data.azuread_user.current_user.user_principal_name
}

How, if possible, to add "Archive to a storage account" in terraform?

Is there an option to enable "Archive to a storage account" in Keyvault diagnostic in Azure provider of Terraform?
If you want to configure diagnostic settings for Azure Key Vault, we can use the azurerm_monitor_diagnostic_setting resource to configure it. For more details, please refer to here
For example
Create a service principal
az login
az account set --subscription "SUBSCRIPTION_ID"
az ad sp create-for-rbac --role "Contributor" --scopes "/subscriptions/<subscription_id>"
Script
provider "azurerm" {
version = "~>2.0"
subscription_id = ""
client_id = "sp appId"
client_secret = "sp password"
tenant_id = "sp tenant"
features {}
}
data "azurerm_storage_account" "mystorage" {
name = ""
resource_group_name = ""
}
data "azurerm_key_vault" "mykey" {
name = ""
resource_group_name =""
}
resource "azurerm_monitor_diagnostic_setting" "example" {
name = "example"
target_resource_id = data.azurerm_key_vault.mykey.id
storage_account_id = data.azurerm_storage_account.mystorage.id
log {
category = "AuditEvent"
enabled = false
retention_policy {
enabled = false
}
}
metric {
category = "AllMetrics"
retention_policy {
enabled = false
}
}
}

Active Directory Integration with Grails

My web application created using Grails 2.4.4 with shiro:1.2.1 and it's working fine. In my application I've created one user with limited permissions called xyzUser.
Now I've a domain, username, password of the active directory. And my requirement is to allow the request from the same and bypass login page and provide all the access of xyzUser.
For that I've tried
org.grails.plugins:ldap:0.8.2
plugins and add following configuration in config.groovy (https://grails.org/plugin/ldap)
ldap {
directories {
directory1 {
url = "ldap://demo.myDomain.in"
base = "ou=demo,dc=myDomain.in"
userDn = "uid=Username,ou=demo,dc=myDomain.in"
password = "Password"
searchControls {
countLimit = 40
timeLimit = 600
searchScope = "subtree"
}
}
}
typemappings = [
my.app.MyTypeMappings
]
}
Now I can't understand that what to do next to fulfill my requirements...

What are the standard names of the protocols behind UseOAuthAuthentication and UseGoogleAuthentication?

The ASP.NET Security Social Sample has two ways to interact with Google.
UseOAuthAuthentication
app.UseOAuthAuthentication(new OAuthOptions
{
AuthenticationScheme = "Google-AccessToken",
DisplayName = "Google-AccessToken",
ClientId = Configuration["google:clientid"],
ClientSecret = Configuration["google:clientsecret"],
CallbackPath = new PathString("/signin-google-token"),
AuthorizationEndpoint = GoogleDefaults.AuthorizationEndpoint,
TokenEndpoint = GoogleDefaults.TokenEndpoint,
Scope = { "openid", "profile", "email" },
SaveTokens = true
});
UseGoogleAuthentication
app.UseGoogleAuthentication(new GoogleOptions
{
ClientId = Configuration["google:clientid"],
ClientSecret = Configuration["google:clientsecret"],
SaveTokens = true,
Events = new OAuthEvents()
{
OnRemoteFailure = ctx =>
{
ctx.Response.Redirect("/error?FailureMessage="
+ UrlEncoder.Default.Encode(ctx.Failure.Message));
ctx.HandleResponse();
return Task.FromResult(0);
}
}
});
What is the standard name for these two types of authentication and authorization? I.e. is one OAuth and the other OpenID Connect?
When choosing to UseOAuthAuthentication, this is the result.
context
.User.Claims: []
.User.Identity.Name: null
.Authentication.GetTokenAsync("access_token"): ya29.CjAlAz3AcUnRD...
.Authentication.GetTokenAsync("refresh_token"): null
.Authentication.GetTokenAsync("token_type"): Bearer
.Authentication.GetTokenAsync("expires_at"): 2016-07-19T22:49:54...
When choosing to UseGoogleAuthentication, this is the result.
context
.User.Claims: [
nameidentifier: 10424487944...
givenname: Shaun
surname: Luttin
name: Shaun Luttin
emailaddress: admin#shaunl...
profile: https://plus.google.com/+ShaunLuttin
]
.User.Identity.Name: "Shaun Luttin"
.Authentication.GetTokenAsync("access_token"): ya29.CjAlAz3AcUnRD...
.Authentication.GetTokenAsync("refresh_token"): null
.Authentication.GetTokenAsync("token_type"): Bearer
.Authentication.GetTokenAsync("expires_at"): 2016-07-19T22:49:54...
Both UseOAuthAuthentication and UseGoogleAuthentication are OAuth. The difference is that the Google middleware sets some default OAuth options that are specific to Google and adds a GoogleHandler that gets the user profile information.
In other words,
UseOAuthAuthentication is OAuth that retrieves and access token.
UseGoogleAuthentication is OAuth with its options and flow tuned to retrieve an access code and user profile information from Google.

Resources