Profile Applicability:
Level 1
Description:
Node certificates in a Docker Swarm should be rotated periodically to ensure that they are up to date and secure. Docker Swarm relies on these certificates to authenticate nodes in the swarm cluster. Regular rotation helps maintain the integrity and security of the swarm infrastructure by preventing the use of outdated or compromised certificates.
Rationale:
Certificate rotation is critical in minimizing the risk of using compromised or stale certificates. Over time, certificates may be leaked, lost, or become vulnerable. Regular rotation ensures that the certificates remain valid and can be trusted.
Impact:
Pros:
Enhances security by ensuring that only current and valid certificates are in use.
Prevents the use of compromised certificates.
Cons:
Requires proper automation or manual intervention to rotate certificates without causing disruption to the services in the swarm.
Default Value:
By default, Docker Swarm manages certificates but does not automate their periodic rotation. Rotation must be configured manually or through automation tools.
Pre-requisites:
Docker Swarm must be running.
The user must have appropriate administrative access to the Docker Swarm and nodes.
Backup of certificates and key materials is recommended before performing certificate rotation.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instances hosting Docker Swarm nodes.
Review the node certificate expiration date by inspecting the certificate details stored in the Docker Swarm configuration.
Use the docker info command to check the certificate expiration status.
Using AWS CLI:
Connect to the EC2 instance where Docker Swarm is running.
Run the following command to check the status of Docker's TLS certificates:
docker info | grep "Swarm"
Implementation Plan:
Using AWS Console:
Rotate the Docker Swarm node certificates manually by executing the following steps:
On the manager node, run docker swarm ca --rotate to rotate the certificates.
Ensure all manager and worker nodes are rejoined with the updated certificates after rotation.
Monitor the swarm status and logs to verify that the rotation is successful and there are no disruptions in service.
Using AWS CLI:
Use the AWS CLI and Systems Manager to trigger certificate rotation across multiple nodes in the Docker Swarm cluster:
Run the following SSM command to rotate the certificate on all manager nodes:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm ca --rotate"]'
Verify the success of the rotation by checking the node certificates again.
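The following shell script is an added example, not part of this benchmark or of Docker's own tooling. It shows how the Test Plan check (docker info) and the post-rotation verification above can be scripted on a manager node: it parses the Swarm section of docker info for the active state, the configured certificate expiry and the root-rotation flag, and wraps docker swarm ca --rotate with a backup of the local certificate directory. The docker info text embedded here is a constructed sample that follows the field layout Docker prints on a manager; the DOCKER and SWARM_CERT_DIR variables, the policy threshold and the backup naming are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the benchmark page or from Docker): inspect a Swarm
# manager's certificate state from `docker info` and rotate the CA with a backup.

# Constructed sample of the Swarm section of `docker info` on a manager node.
SAMPLE_INFO=' Swarm: active
  NodeID: abc123
  Is Manager: true
  Managers: 3
  Nodes: 5
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false'

# swarm_active INFO -> returns 0 when the node reports an active swarm.
swarm_active() {
    printf '%s\n' "$1" | grep -q '^ *Swarm: active$'
}

# cert_expiry_months INFO -> prints the configured node-cert expiry in months.
# Docker prints a humanised duration; values given in weeks or days are
# shorter than a month and are reported here as 0.
cert_expiry_months() {
    line=$(printf '%s\n' "$1" | sed -n 's/^ *Expiry Duration: *//p')
    case "$line" in
        *month*) printf '%s\n' "${line%% *}" ;;
        *) printf '0\n' ;;
    esac
}

# expiry_within_policy INFO MAX_MONTHS -> 0 when the expiry does not exceed
# the organisation's maximum certificate lifetime (assumed policy value).
expiry_within_policy() {
    months=$(cert_expiry_months "$1")
    [ "$months" -le "$2" ]
}

# rotation_in_progress INFO -> 0 while a root CA rotation is still converging.
rotation_in_progress() {
    printf '%s\n' "$1" | grep -q '^ *Root Rotation In Progress: true$'
}

# rotate_with_backup: copy the local swarm certificate directory aside, start
# the CA rotation, then poll `docker info` until the rotation has converged.
# DOCKER and SWARM_CERT_DIR are overridable (assumed defaults shown).
rotate_with_backup() {
    docker_bin=${DOCKER:-docker}
    cert_dir=${SWARM_CERT_DIR:-/var/lib/docker/swarm/certificates}
    backup="${cert_dir}.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$cert_dir" "$backup" || return 1
    echo "backup written to $backup"
    "$docker_bin" swarm ca --rotate --detach || return 1
    tries=0
    while rotation_in_progress "$("$docker_bin" info)"; do
        tries=$((tries + 1))
        [ "$tries" -lt 120 ] || { echo "rotation did not converge"; return 1; }
        sleep 5
    done
    echo "rotation complete"
}

# Offline demonstration against the constructed sample.
if swarm_active "$SAMPLE_INFO"; then
    echo "swarm active; node cert expiry: $(cert_expiry_months "$SAMPLE_INFO") months"
fi
if expiry_within_policy "$SAMPLE_INFO" 3; then
    echo "expiry within policy"
else
    echo "expiry exceeds policy: rotate or lower --cert-expiry"
fi
if rotation_in_progress "$SAMPLE_INFO"; then
    echo "root rotation still in progress"
else
    echo "no rotation in progress"
fi

# Only touch a real swarm when explicitly asked: ./check.sh rotate
if [ "${1:-}" = rotate ]; then
    rotate_with_backup
fi
```

Run the script without arguments on any host to exercise the parsing against the sample; on a manager node, replace SAMPLE_INFO with "$(docker info)" and pass rotate to take the backup and rotate. The poll on Root Rotation In Progress is the same check a verifier would run after the SSM command above, and the backup directory is what the Backout Plan's --ca-cert/--ca-key paths would point at.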
Backout Plan:
Using AWS Console:
If the rotation causes issues, revert to the backup certificates stored before the rotation.
Manually reconfigure the swarm cluster using the original certificates.
Using AWS CLI:
Use SSM to revert to the original certificates if the rotation results in any issues:
Run the following command to restore the certificates (docker swarm ca has no restore flag; rotating back to the backed-up root CA is done by passing the saved certificate and key to the rotation, with the paths below as placeholders):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm ca --rotate --ca-cert /path/to/backup/ca.pem --ca-key /path/to/backup/ca-key.pem"]'
References:
Docker Certificate Rotation Guide