I've been asked to come up with a solution to ensure that all of our Windows servers on AWS have local accounts created for the admin team using SSM. We need the ability to audit this and ensure that the passwords can be changed easily. I know, I know, I should just like what a domain does, but for whatever reason that's not allowed!
Creating the document with the PowerShell script is fine, but putting the passwords into the script is an issue, and this will need to be in plain text.
I thought I could use AWS KMS to encrypt the passwords and have SSM decrypt them on the fly. The thing is that I can't get the decrypt to work only for SSM and not for anyone who logs onto the server. If anyone can decrypt the password then it might as well be in plain text :/
I hope that makes sense!
Any thoughts or advice would be gratefully received.
Thanks
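The following is an added example, not code from the original post, showing the shape of the approach the post describes: the SSM Run Command document carries no passwords at all; each password lives in Parameter Store as a SecureString encrypted with a KMS key, and the script fetches it at run time. It assumes hypothetical parameter names under `/admin-accounts/<user>/password`, constructed sample user names, an instance role allowed `ssm:GetParameter` on that path and `kms:Decrypt` on that one key only, and the AWS Tools for PowerShell plus the LocalAccounts module (Windows Server 2016+), as shipped on AWS Windows AMIs. The part the post worries about is real: the instance role is usable by anyone who is already a local administrator on that server, so this does not hide the value from an existing admin. What it does give you is a document with no secrets in it, decryption scoped to one key by IAM and the KMS key policy, rotation by changing the parameter and re-running the document, and an audit trail, since every `GetParameter` and `kms:Decrypt` call is recorded in CloudTrail.

```powershell
# Added example (not from the original post). Assumptions:
#   - SecureString parameters at /admin-accounts/<user>/password (hypothetical path),
#     encrypted with a customer-managed KMS key
#   - the instance role may call ssm:GetParameter on that path and kms:Decrypt
#     on that key only
#   - AWS Tools for PowerShell (Get-SSMParameter) and the LocalAccounts module are present
$ErrorActionPreference = 'Stop'

$ParameterPrefix = '/admin-accounts'          # hypothetical Parameter Store path
$AdminUsers      = @('ops-alice', 'ops-bob')  # constructed sample user names
$AdminGroup      = 'Administrators'

function Get-AdminPassword {
    param([string]$UserName)
    # Decryption is done by Parameter Store/KMS under this instance's role;
    # the plaintext exists only in this process's memory, never in the document.
    $param = Get-SSMParameter -Name "$ParameterPrefix/$UserName/password" -WithDecryption $true
    return ConvertTo-SecureString -String $param.Value -AsPlainText -Force
}

function Set-AdminAccount {
    param([string]$UserName, [securestring]$Password)
    $existing = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-LocalUser -Name $UserName -Password $Password -Description 'Managed by SSM' | Out-Null
        $state = 'created'
    } else {
        # Rotation: change the parameter, re-run the document, the password follows.
        Set-LocalUser -Name $UserName -Password $Password
        Enable-LocalUser -Name $UserName
        $state = 'updated'
    }
    # Group membership is idempotent: add only if the account is not already a member.
    $members = Get-LocalGroupMember -Group $AdminGroup -ErrorAction SilentlyContinue
    if (-not ($members | Where-Object { $_.Name -like "*\$UserName" })) {
        Add-LocalGroupMember -Group $AdminGroup -Member $UserName
    }
    return $state
}

foreach ($user in $AdminUsers) {
    $secret = Get-AdminPassword -UserName $user
    $result = Set-AdminAccount -UserName $user -Password $secret
    # Record what happened, never the secret; this output is what you audit later.
    Write-Output "$user : $result"
    $secret.Dispose()
}
```

Run it as the script body of an `AWS-RunPowerShellScript` invocation (or wrap it in your own Command document), and pair it with a key policy and instance-role policy that name only this parameter path and key. Reviewing CloudTrail for `Decrypt` events on that key then tells you exactly which instance fetched which password and when, which covers the audit requirement without a domain.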