Profile Applicability:

  • Level 1

Description:

Docker Swarm mode provides an auto-lock feature that protects the manager node's Raft log. The auto-lock (unlock) key controls access to the Raft log, and therefore to sensitive swarm data, so it must be rotated periodically to ensure that any exposure of the key does not remain usable indefinitely.

Rationale:

Rotating the auto-lock key periodically reduces the risk of unauthorized access and ensures that a compromised key does not remain valid indefinitely. Regular rotation maintains the integrity and security of the swarm manager.

Impact:

Pros:

  • Ensures continuous security by reducing the window of opportunity for attackers.

  • Protects sensitive information within the Docker Swarm Raft log.

Cons:

  • Requires regular maintenance and operational overhead to manage key rotation schedules.

  • May require coordination across multiple team members to avoid disruptions.

Default Value:

By default, the auto-lock key is set when the swarm is initialized, and it is not rotated automatically unless rotation is explicitly configured.

Pre-requisites:

  • Docker Swarm should be initialized.

  • Access to the Swarm manager node with administrative privileges.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running the Docker Swarm manager.

  2. Run the following command to check the current auto-lock key status:

docker swarm unlock-key

  3. Review the current key and confirm whether it has been rotated recently.

Using AWS CLI:

  1. Connect to the EC2 instance running the Docker Swarm manager.

  2. Run the following command to check the current auto-lock key status:

docker swarm unlock-key

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance running the Docker Swarm manager.

  2. Run the following command to rotate the auto-lock key:

docker swarm unlock-key --rotate

  3. Store the new key securely and ensure that all necessary team members have access to it.

Using AWS CLI:

  1. Use SSM to remotely rotate the auto-lock key on the Docker Swarm manager.

  2. Run the following command to rotate the auto-lock key:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm unlock-key --rotate"]'
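
The rotation step above can be wrapped so that the new key is written with restrictive permissions and a rotation record (timestamp and key fingerprint, never the key itself) is kept, which gives the Test Plan's "rotated recently" check something concrete to review. This is an added example, not part of the benchmark or of Docker's tooling; the DOCKER override and the KEY_FILE and LOG_FILE paths are illustrative assumptions, and the script expects to run on a manager node where auto-lock is enabled.

```shell
#!/bin/sh
# Added example, not part of the benchmark: rotate the Swarm auto-lock key on a
# manager and keep an auditable record without ever logging the key itself.
# Assumptions: runs with Docker access on a manager node; DOCKER, KEY_FILE and
# LOG_FILE are illustrative overrides, not Docker or AWS settings.
set -eu

DOCKER="${DOCKER:-docker}"
KEY_FILE="${KEY_FILE:-/root/.swarm-unlock-key}"
LOG_FILE="${LOG_FILE:-/var/log/swarm-unlock-rotation.log}"

# Pull the SWMKEY-... token out of either quiet (-q) or verbose unlock-key output.
extract_unlock_key() {
    printf '%s\n' "$1" | grep -o 'SWMKEY-[0-9]*-[A-Za-z0-9+/=_-]*' | head -n 1
}

# Accept only the SWMKEY-<version>-<base64> shape Docker emits.
is_valid_unlock_key() {
    printf '%s' "$1" | grep -Eq '^SWMKEY-[0-9]+-[A-Za-z0-9+/=_-]{20,}$'
}

# A truncated SHA-256 fingerprint lets the rotation log show that a rotation
# happened and which key is current, without exposing the secret.
key_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-16
}

# Rotation is only meaningful when auto-lock is enabled on this swarm.
autolock_enabled() {
    [ "$("$DOCKER" info --format '{{.Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers}}')" = "true" ]
}

rotate_unlock_key() {
    autolock_enabled || { echo "auto-lock is not enabled; nothing to rotate" >&2; return 1; }
    new_key=$(extract_unlock_key "$("$DOCKER" swarm unlock-key --rotate -q)")
    is_valid_unlock_key "$new_key" || { echo "rotation did not return a key" >&2; return 1; }
    # Write the key 0600 so only the operator account can read it.
    ( umask 077; printf '%s\n' "$new_key" > "$KEY_FILE" )
    printf '%s rotated fingerprint=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(key_fingerprint "$new_key")" >> "$LOG_FILE"
    echo "auto-lock key rotated; fingerprint recorded in $LOG_FILE"
}
```

The key file is what the Backout Plan's `docker swarm unlock --key` step needs, so keep the previous copy until every manager has restarted with the new key.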

Backout Plan:

Using AWS Console:

  1. If an issue arises, you can revert to the old auto-lock key if necessary.

  2. Run the following command to unlock the swarm with the previous key:

docker swarm unlock --key <old_key>

Using AWS CLI:

  1. Use SSM to revert to the previous auto-lock key.

  2. Run the following command to unlock the swarm with the previous key:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm unlock --key <old_key>"]'

References:

  • Docker Swarm Auto-Lock Documentation

  • Docker Secret Management