AWS fsx documentation change
Summary
Added detailed documentation about storing Active Directory credentials using AWS Secrets Manager, including KMS key creation, secret management, and IAM policy configuration
Security assessment
The changes introduce security best practices for credential management by recommending Secrets Manager instead of plaintext storage. While this improves security posture, there's no evidence of addressing a specific existing vulnerability. The documentation adds guidance about security features like encryption, access control, and credential rotation.
Diff
diff --git a/fsx/latest/ONTAPGuide/self-managed-AD-best-practices.md b/fsx/latest/ONTAPGuide/self-managed-AD-best-practices.md index b90e2d511..cbc45767f 100644 --- a//fsx/latest/ONTAPGuide/self-managed-AD-best-practices.md +++ b//fsx/latest/ONTAPGuide/self-managed-AD-best-practices.md @@ -5 +5 @@ -Delegating permissions to your Amazon FSx service accountKeep an AD configuration updatedLimit traffic within a VPC with security groupsCreating outbound security group rules +Delegating permissions to your Amazon FSx service accountKeep an AD configuration updatedLimit traffic within a VPC with security groupsCreating outbound security group rulesStoring Active Directory credentials using AWS Secrets Manager @@ -10,0 +11,15 @@ Here are some suggestions and guidelines that you should consider when joining A +###### Topics + + * Delegating permissions to your Amazon FSx service account + + * Keeping your Active Directory configuration updated with Amazon FSx + + * Using security groups to limit traffic within your VPC + + * Creating outbound security group rules for your file system's network interface + + * Storing Active Directory credentials using AWS Secrets Manager + + + + @@ -81,0 +97,333 @@ For greater security, consider configuring a security group with outbound traffi +## Storing Active Directory credentials using AWS Secrets Manager + +You can use AWS Secrets Manager to securely store and manage your Microsoft Active Directory domain join service account credentials. This approach eliminates the need to store sensitive credentials in plaintext in application code or configuration files, strengthening your security posture. + +You can also configure IAM policies to manage access to your secrets, and set up automatic rotation policies for your passwords. + +#### Step 1: Create a KMS key + +Create a KMS key to encrypt and decrypt your Active Directory credentials in Secrets Manager. + +###### To create a key + +###### Note + +For **Encryption Key** , create a new key, don't use the AWS default KMS key. Be sure to create the AWS KMS key in the same Region that contains the SVM that you want to join to your Active Directory. + + 1. Open the AWS KMS console at https://console.aws.amazon.com/kms. + + 2. Choose **Create key**. + + 3. For **Key Type** , choose **Symmetric**. + + 4. For **Key Usage** , choose **Encrypt and decrypt**. + + 5. For **Advanced options** , do the following: + + 1. For **Key material origin** , choose **KMS**. + + 2. For **Regionality** , choose **Single-Region key** and choose **Next**. + + 6. Choose **Next**. + + 7. For **Alias** , provide a name for the KMS key. + + 8. (Optional) For **Description** , provide a description of the KMS key. + + 9. (Optional) For **Tags** , provide a tag for the KMS key and choose **Next**. + + 10. (Optional) For **Key administrators** , provide the IAM users and roles authorized to manage this key. + + 11. For **Key deletion** , keep the box selected for **Allow key administrators** to delete this key and choose **Next**. + + 12. (Optional) For **Key users** , provide the IAM users and roles authorized to use this key in cryptographic operations. Choose **Next**. + + 13. For **Key policy** , choose **Edit** and include the following to the policy **Statement** to allow Amazon FSx to use the KMS key and choose **Next**. Make sure to replace the `us-west-2` to the AWS Region where the file system is deployed and `123456789012` to your AWS account ID. + + { + "Sid": "Allow FSx to use the KMS key", + "Version": "2012-10-17", + "Effect": "Allow", + "Principal": { + "Service": "fsx.amazonaws.com" + }, + "Action": [ + "kms:Decrypt", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:us-west-2:123456789012:key:*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:*", + "kms:ViaService": "secretsmanager.us-west-2.amazonaws.com", + "aws:SourceAccount": "123456789012" + }, + "ArnLike": { + "aws:SourceArn": [ + "arn:aws:fsx:us-west-2:123456789012:file-system/*", + "arn:aws:fsx:us-west-2:123456789012:storage-virtual-machine/fs-*/svm-*" + ] + } + } + } + + 14. Choose **Finish**. + + + + +###### Note + +You can set more granular access control by modifying the `Resource` and `aws:SourceArn` fields to target specific secrets and file systems. + +#### Step 2: Create an AWS Secrets Manager secret + +###### To create a secret + + 1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/). + + 2. Choose **Store a new secret**. + + 3. For **Secret type** , choose **Other type of secret**. + + 4. For **Key/value pairs** , do the following to add your two keys: + + 1. For the first key, enter `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME`. + + 2. For the value of the first key, enter only the username (without the domain prefix) of the AD user. + + 3. For the second key, enter `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD`. + + 4. For the value of the second key, enter the password that you created for the AD user on your domain. + + 5. For **Encryption key** , enter the ARN of the KMS key that you created in a previous step and choose **Next**. + + 6. For **Secret name** , enter a descriptive name that helps you find your secret later. + + 7. (Optional) For **Description** , enter a description for the secret name. + + 8. For **Resource permission** , choose **Edit**. + +Add the following policy to the permission policy to allow Amazon FSx to use the secret, then choose **Next**. Make sure to replace the `us-west-2` to the AWS Region where the file system is deployed and `123456789012` to your AWS account ID. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "fsx.amazonaws.com" + }, + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ], + "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + }, + "ArnLike": { + "aws:SourceArn": [ + "arn:aws:fsx:us-west-2:123456789012:file-system/*", + "arn:aws:fsx:us-west-2:123456789012:storage-virtual-machine/fs-*/svm-*" + ] + } + } + } + ] + } + + 9. (Optional) You can configure Secrets Manager to rotate your credentials automatically. Choose **Next**. + + 10. Choose **Finish**. + + + + +#### Step 1: Create a KMS key + +Create a KMS key to encrypt and decrypt your Active Directory credentials in Secrets Manager. + +To create a KMS key, use the AWS CLI command [create-key](https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html). + +In this command, set the `--policy` parameter to specify the key policy that defines permissions for the KMS key. The policy must include the following: + + * The service principal for Amazon FSx, which is `fsx.amazonaws.com`. + + * Required KMS actions: `kms:Decrypt` and `kms:DescribeKey`. + + * Resource ARN pattern for your AWS Region and account. + + * Condition keys that restrict key usage: + + * `kms:ViaService` to ensure requests come through Secrets Manager. + + * `aws:SourceAccount` to limit to your account. + + * `aws:SourceArn` to restrict to specific Amazon FSx file systems. + + + + +The following example creates a symmetric encryption KMS key with a policy that allows Amazon FSx to use the key for decryption and key description operations. The command automatically retrieves your AWS account ID and Region, then configures the key policy with these values to ensure proper access controls between Amazon FSx, Secrets Manager, and the KMS key. Make sure your AWS CLI environment is in the same region as the SVM that will join the Active Directory. + + + # Set region and get Account ID