05/21/2024 | News release | Distributed by Public on 05/21/2024 06:13
Ensuring appropriate access management is a critical component of any effective cloud security strategy. Take this real-world scenario, for example.
Prisma Cloud™ exposes an API and allows users to interact with it to enable different programmatic integrations with external technology, such as having Prisma Cloud perform code scanning in the CI/CD pipeline.
Doing this requires the code scanning plugin (Checkov) to connect back to Prisma Cloud, which means the plugin must present the appropriate credentials. Administrators don't want to provide user credentials each time the pipeline runs, so they create Prisma Cloud Service Accounts to automate the process and let a nonhuman entity interact programmatically with the Prisma Cloud APIs.
Service accounts differ from user accounts in that they don't need an email address associated with them and don't need to be validated or activated in an external system before they're used. You can scope them to specific RBAC roles and policies. Prisma Cloud Service Accounts do not use passwords to interact with the system. Instead, they use access keys. Prisma Cloud Access Keys are a secure way to enable programmatic access to the Prisma Cloud API when you are setting up an external integration or automation.
A common security best practice is to have an access key rotation policy in place to limit the lifetime of static access keys and reduce risk to the organization if exposed. The general rule is to create access keys for a limited time period and regenerate API keys periodically. Chances are your organization already has rules around access keys in your CSP.
But how do we deal with rotating access keys for our different Service Accounts? You can do it manually, creating a new key in the console and then updating the automation process that uses it. But doing it this way is tedious and error-prone, and it doesn't scale well. A better approach is to use automation to manage these keys. Prisma Cloud allows you to programmatically create and manage access keys.
There are multiple ways to achieve the secure storage and rolling of Prisma Cloud access keys. This post will explore practical examples in AWS, Azure, GCP and GitHub.
In general, to automate the management of access keys you'll need to accommodate several requirements:
Let's look at the end-to-end process in more detail:
We created a sample repository with code and instructions to help you get started in AWS, Azure, GCP and GitHub. Each solution follows the same general procedure described above. We'll walk through the specific implementation below, but there are some general notes that apply to all:
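The general procedure above (create a new key, verify it, publish it to the secret store, then revoke the old one) is shown below as an added example; it is not code from the Palo Alto Networks sample repository. The `PrismaCloudClient` class assumes the public Prisma Cloud CSPM API endpoints `POST /login`, `POST /access_keys` and `DELETE /access_keys/{id}` and the `x-redlock-auth` header, so confirm them against your stack's API reference before use; the `Fake*` classes are constructed stand-ins so the file runs offline. The ordering matters: the store is updated only after the new key has authenticated, and the old key is revoked only after the store is updated, so a pipeline never reads a key that does not work and a run already in flight is not cut off.

```python
"""Ordered rotation of a Prisma Cloud service-account access key (added example)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessKey:
    key_id: str
    secret: str


class PrismaCloudClient:
    """Thin client for a real stack. Endpoint paths, header and response field
    names are assumptions from the public CSPM API; verify before use."""

    def __init__(self, api_url: str):
        self.api_url = api_url.rstrip("/")
        self.token = None

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.token:
            headers["x-redlock-auth"] = self.token          # JWT obtained from /login
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.api_url + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def login(self, key: AccessKey) -> bool:
        self.token = None
        try:
            body = {"username": key.key_id, "password": key.secret}
            self.token = self._call("POST", "/login", body)["token"]
            return True
        except urllib.error.HTTPError:                      # 401: key is invalid or revoked
            return False

    def create_key(self, name: str, service_account: str) -> AccessKey:
        resp = self._call("POST", "/access_keys", {"name": name, "serviceAccountName": service_account})
        return AccessKey(resp["id"], resp["secretKey"])

    def delete_key(self, key_id: str) -> None:
        self._call("DELETE", f"/access_keys/{key_id}")


def rotate_key(client, store, key_name: str, service_account: str) -> AccessKey:
    """Create, verify, publish, then revoke; rolls back if the new key does not work."""
    old = store.get()
    if not client.login(old):
        raise RuntimeError("current key rejected; rotate this account manually")
    new = client.create_key(key_name, service_account)
    if not client.login(new):            # fresh session proves the new key works end to end
        client.login(old)                # roll back using the still-valid old key
        client.delete_key(new.key_id)
        raise RuntimeError("new key failed verification; old key left in place")
    store.put(new)                       # point the automation at the new key
    client.delete_key(old.key_id)        # revoke the old key only after the store is updated
    return new


class FakeStore:
    """Constructed stand-in for Secrets Manager, Key Vault or GitHub Secrets."""
    def __init__(self, key): self.key = key
    def get(self): return self.key
    def put(self, key): self.key = key


class FakePrismaCloud:
    """Constructed stand-in for the API; verify_ok=False mints keys that fail /login."""
    def __init__(self, initial: AccessKey, verify_ok=True):
        self.valid = {initial.key_id: initial.secret}
        self.verify_ok, self.counter = verify_ok, 0
    def login(self, key): return self.valid.get(key.key_id) == key.secret
    def create_key(self, name, service_account):
        self.counter += 1
        key = AccessKey(f"key-{self.counter}", f"secret-{self.counter}")
        self.valid[key.key_id] = key.secret if self.verify_ok else "broken"
        return key
    def delete_key(self, key_id): self.valid.pop(key_id, None)


if __name__ == "__main__":
    store = FakeStore(AccessKey("key-0", "secret-0"))
    api = FakePrismaCloud(store.get())
    print("rotated to", rotate_key(api, store, "checkov-ci", "checkov-sa").key_id)
```

Swap `FakeStore` for a wrapper around your secret store and `FakePrismaCloud` for `PrismaCloudClient` to run it for real; the `rotate_key` function is the same in both cases.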
AWS provides multiple services to securely store and access secrets. The example solution will make use of AWS Secrets Manager as it includes a native integration with AWS Lambda to help facilitate managing credential expiry and refresh.
The sample workflow will perform the following actions:
For more details on how to deploy in your environment, review the procedure in the README in the "aws" folder of the git repository here.
Azure credentials can be stored and accessed securely using Azure Key Vault. Additionally, Azure Key Vault keeps track of secret expiration dates and publishes near-expiry events to Azure Event Grid. Those events can in turn trigger a Function App that connects to Prisma Cloud and issues the appropriate API calls to generate a new key.
The sample workflow will perform the following actions:
For more details on how to deploy in your environment, review the procedure in the README in the "azure" folder of the git repository here.
The sample workflow will perform the following actions:
For more details on how to deploy in your environment, review the procedure in the README in the "gcp" folder of the git repository here.
GitHub Secrets allow you to store sensitive information at the organization, repository or repository-environment level. Secrets are variables that are stored securely and accessed within the organization or within a specific repository, and they can then be used by GitHub Actions. GitHub Actions only provides read access to Secrets; however, a custom Action can use the GitHub REST API to update repository secrets.
The sample workflow will perform the following actions:
For more details on how to deploy in your environment, review the procedure in the README in the "github" folder of the git repository here.
This general solution covers rotating access keys for a Service Account. The solution can be coupled with out-of-the-box functionality within Prisma Cloud to provide a more robust security posture surrounding access keys. Prisma Cloud provides two native capabilities to help manage the expiry of access keys.
Use the Access Key Maximum Validity settings to establish the platform limit for the maximum number of days for access key validity. This setting ensures compliance with your organization's policy by placing a hard limit on the number of days a key can be valid for.
To ensure uninterrupted access to Prisma Cloud APIs, you can also set Access Key Expiration Notifications. There are two types of notifications for access key expiration - user notifications (for named User access keys) and alarm center notifications (for Service Account access keys). When User notifications are selected, Prisma Cloud will send an email to the user. When Service Account notifications are selected, Prisma Cloud will generate an alert within the alarm center. You can set up notifications for alarms (for example - trigger emails, messages in Splunk, and various other channels) using the procedure here.
You can use this process as a guide to roll keys for all of your Service Accounts. However, we recommend caution when implementing an automatic key rotation process in several different scenarios.
You can also use Service Accounts for external integrations, such as the pull-based integration with Cortex XSOAR™ or Cortex Xpanse™. While you should have a key rotation strategy in place for these types of integrations, the process described above may not be the best fit: when the key is rotated, it will also need to be updated in the respective integration's console.
User accounts can also create access keys, which need to be periodically renewed. These can be used for custom scripts and IDE integrations, both of which will typically need to be manually updated if the key is rotated.
Organizations typically have a policy against long-lived static access keys, and to help maintain compliance and security posture it is important to have an access key rotation policy in place to limit the lifetime of static access keys. We presented a general workflow and gave some specific examples and samples for different access key management solutions.
As a next step - try our solution out for yourself! Here's a GitHub repository with sample code and instructions that you can use to get started creating your own automated key rotation process. Please note that the sample was only intended as a guide; feel free to customize it to meet the needs of your organization.
What's next for us? We're working on a custom plugin with HashiCorp Vault - check back again soon.
If you found your way here but don't currently use Prisma Cloud, we invite you to take it for a test drive. Discover how Prisma Cloud can evaluate the security posture of your cloud estate with a free 30-day trial.