Profile Applicability:

  • Level 1

Description:

Docker's secret management system ensures that sensitive data like passwords and API keys are handled securely within a swarm cluster. It allows secrets to be created, stored, and accessed securely, ensuring that secrets are never exposed in plain text within containers.

Rationale:

Managing secrets directly through Docker’s secret management system provides a more secure and auditable way to handle sensitive data, preventing it from being exposed in Dockerfiles or environment variables.

Impact:

Pros:

  • Enhances security by securely storing secrets.

  • Reduces the risk of secrets being accidentally exposed or leaked.

Cons:

  • Requires configuration and management of secrets within the Docker environment.

Default Value:

By default, Docker does not use secret management. Secrets must be created and managed manually.

Pre-requisites:

  • Docker Swarm mode should be enabled.

  • Administrative privileges to manage Docker secrets.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.

  2. Ensure that Docker Swarm is initialized by running:

docker info | grep Swarm

  3. Verify that Docker secrets are being used by listing available secrets:

docker secret ls

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check if Docker secrets are in use:

docker secret ls
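The test plan above checks two things by hand: that Swarm is active and that secrets exist. The script below is an added example (not part of this benchmark) that automates both checks and additionally inspects each service for sensitive-looking values passed through environment variables, the exposure the Rationale section warns about. The `run` parameter is an assumption of this example: it defaults to invoking the real `docker` CLI, and can be replaced with a function returning constructed output so the checks run offline.

```python
"""Audit a Docker Swarm node for use of Docker secrets (added example,
not part of the benchmark). The `run` callable is injectable so the
checks can be exercised offline against constructed command output."""
import json
import re
import subprocess

# Constructed heuristic: env var names that suggest a secret passed in plain text.
SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)


def run_docker(args):
    """Default runner: execute `docker <args>` and return its stdout."""
    return subprocess.run(["docker", *args], capture_output=True, text=True, check=True).stdout


def swarm_active(run=run_docker):
    """True when `docker info` reports 'Swarm: active' (test plan step 2)."""
    return any(line.strip() == "Swarm: active" for line in run(["info"]).splitlines())


def list_secrets(run=run_docker):
    """Secret names from `docker secret ls` (test plan step 3)."""
    out = run(["secret", "ls", "--format", "{{.Name}}"])
    return [line for line in out.splitlines() if line.strip()]


def audit_services(run=run_docker):
    """Per service: secrets mounted via Swarm vs. sensitive-looking env var names."""
    names = run(["service", "ls", "--format", "{{.Name}}"]).split()
    findings = {}
    for name in names:
        fmt = "{{json .Spec.TaskTemplate.ContainerSpec}}"
        spec = json.loads(run(["service", "inspect", "--format", fmt, name]))
        secrets = [s["SecretName"] for s in spec.get("Secrets") or []]
        env_keys = [e.split("=", 1)[0] for e in spec.get("Env") or []]
        leaky = [k for k in env_keys if SENSITIVE.search(k)]
        findings[name] = {"secrets": secrets, "plaintext_env": leaky}
    return findings


def audit(run=run_docker):
    """Return (passes, report); fails if Swarm is inactive, no secrets exist,
    or any service carries a sensitive-looking environment variable."""
    if not swarm_active(run):
        return False, {"reason": "swarm not active"}
    secrets = list_secrets(run)
    services = audit_services(run)
    leaky = {n: f["plaintext_env"] for n, f in services.items() if f["plaintext_env"]}
    return bool(secrets) and not leaky, {"secrets": secrets, "services": services, "plaintext_env": leaky}
```

A service that passes `DB_PASSWORD=...` in its environment is reported under `plaintext_env` even when secrets exist, so the audit fails until that value is moved into a Docker secret.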

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Initialize Docker Swarm if not already done:

docker swarm init

  3. Create a Docker secret:

echo "my_secret_password" | docker secret create my_secret_password -

  4. Verify that the secret is listed:

docker secret ls

Using AWS CLI:

  1. Use SSM to create a Docker secret remotely:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"my_secret_password\" | docker secret create my_secret_password -"]'

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Remove the Docker secret:

docker secret rm my_secret_password

Using AWS CLI:

  1. Use SSM to remove the Docker secret:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker secret rm my_secret_password"]'

References: