A CloudFormation custom resource provider for managing secrets, private keys and EC2 key pairs.

One of the biggest problems I encounter in creating immutable infrastructures, is dealing with secrets. Secrets must always be different per environment and therefore parameterized. As we automated all the things passwords often end up in parameter files and have to pass them around to people and applications: This is not a good thing. With this Custom CloudFormation Resource we put an end to that. Secrets are generated, stored in the EC2 parameter store and access to the secrets can be controlled through security policies.

It is quite easy: you specify a CloudFormation resource of the Custom::Secret, as follows:

  DBPassword:
    Type: Custom::Secret
    Properties:
      Name: /demo/PGPASSWORD
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a 30 character random string can be found in the EC Parameter Store with the name /demo/PGPASSWORD.

If you need to access the secret in your cloudformation module, you need to specify ReturnSecret and reference it as the attribute Secret.

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !GetAtt 'DBPassword.Secret'

In the same manner you can specify a RSA private key as a CloudFormation resource of the Custom::RSAKey:

  PrivateKey:
    Type: Custom::RSAKey
    Properties:
      Name: /demo/private-key
      KeyAlias: alias/aws/ssm
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a the newly generated private key can be found in the EC2 Parameter Store under the name /demo/private-key:

$ aws ssm get-parameter --name /demo/private-key --with-decryption --query Parameter.Value --output text

If you need to access the public key of the newly generated private key, you can reference it as the attribute PublicKey. Most likely, you would use this in the Custom::KeyPair resource, to create a EC2 key pair:

       KeyPair:
         Type: Custom::KeyPair
         DependsOn: CustomPrivateKey
         Properties:
           Name: CustomKeyPair
           PublicKeyMaterial: !GetAtt 'PrivateKey.PublicKey'
           ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

This will create the ec2 key pair for you named CustomKeyPair, based on the generated private key. Now private key is securely stored in the EC2 Parameter Store and the public key can be used to gain access to specific EC2 instances. See Amazon EC2 Key Pairs for more information.

To install these custom resources, type:

aws cloudformation create-stack \
       --capabilities CAPABILITY_IAM \
       --stack-name cfn-secret-provider \
       --template-body file://cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-secret-provider 

This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-secret-provider-1.0.0.zip.

or use

To install the simple sample of the Custom Resource, type:

aws cloudformation create-stack --stack-name cfn-secret-provider-demo \
       --template-body file://cloudformation/demo-stack.yaml
aws cloudformation wait stack-create-complete  --stack-name cfn-secret-provider-demo

to validate the result, type:

aws ssm get-parameter --name /cfn-secret-provider-demo/demo/PGPASSWORD --with-decryption
aws ssm get-parameter --name /cfn-secret-provider-demo/demo/private-key  --with-decryption
aws ec2 --output text describe-key-pairs --key-names cfn-secret-provider-demo-custom-key-pair

With this solution:

• secrets are generated per environment
• always stored encrypted in the parameter store
• where access to the secrets is audited and controlled!