Profile Applicability:
Level 1
Description:
Docker's secret management system handles sensitive data such as passwords and API keys within a swarm cluster. It allows secrets to be created, stored, and accessed securely, so that they never need to be written in plain text into Dockerfiles, images or container environment variables.
Rationale:
Managing secrets directly through Docker’s secret management system provides a more secure and auditable way to handle sensitive data, preventing it from being exposed in Dockerfiles or environment variables.
Impact:
Pros:
Enhances security by securely storing secrets.
Reduces the risk of secrets being accidentally exposed or leaked.
Cons:
Requires configuration and management of secrets within the Docker environment.
Default Value:
By default, Docker does not use secret management. Secrets must be created and managed manually.
Pre-requisites:
Docker Swarm mode should be enabled.
Administrative privileges to manage Docker secrets.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance running Docker.
Confirm that Docker Swarm is active (the output should show "Swarm: active") by running:
docker info | grep Swarm
Verify that Docker secrets are being used by listing available secrets:
docker secret ls
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check if Docker secrets are in use:
docker secret ls
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Initialize Docker Swarm if not already done:
docker swarm init
Create a Docker secret:
echo "my_secret_password" | docker secret create my_secret_password -
Verify that the secret is listed:
docker secret ls
Using AWS CLI:
Use AWS Systems Manager (SSM) Run Command to create a Docker secret remotely:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"my_secret_password\" | docker secret create my_secret_password -"]'
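The following POSIX shell script is an added example for the Test Plan and Implementation Plan above; it is not part of the benchmark or of Docker. The parsers read command output from stdin so they run offline against constructed sample output (the secret IDs and env values below are made up), and `audit_docker_secrets` wires the same parsers to the real `docker info`, `docker secret ls` and `docker inspect` commands when the script is run with `--live`. It goes one step beyond the page by also flagging running containers that pass secret-looking values through environment variables, the pattern the Rationale says secret management is meant to replace. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added helper script for the "Docker secrets in use" check (example code,
# not from the benchmark). Run without arguments for an offline demo on the
# constructed samples; run with --live to audit the current Docker host.

# 0 when the `docker info` text on stdin reports "Swarm: active".
swarm_active() {
    grep -qE '^[[:space:]]*Swarm:[[:space:]]*active[[:space:]]*$'
}

# Prints the number of secrets in `docker secret ls` output on stdin
# (header line skipped; an empty listing prints 0).
secret_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Prints env var names (one KEY=VALUE per line on stdin) whose names suggest
# a secret is being passed through the environment instead of docker secret.
env_secret_names() {
    awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ {
        if (toupper($1) ~ /(PASS|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/) print $1
    }'
}

# Creates a Docker secret named $1 from stdin, with the trailing newline that
# `echo` appends removed, so the stored value is exactly the password.
create_secret_from_stdin() {
    value=$(cat)               # $(...) strips trailing newlines
    [ -n "$value" ] || { echo "create_secret_from_stdin: empty value" >&2; return 1; }
    printf '%s' "$value" | docker secret create "$1" -
}

# Live audit against the host's Docker daemon. Exit status is 0 only when
# swarm is active and at least one secret exists; env leaks are warnings.
audit_docker_secrets() {
    rc=0
    if docker info 2>/dev/null | swarm_active; then
        echo "PASS: Docker Swarm is active"
    else
        echo "FAIL: Docker Swarm is not active (run: docker swarm init)"; rc=1
    fi
    n=$(docker secret ls 2>/dev/null | secret_count)
    if [ "$n" -gt 0 ]; then
        echo "PASS: $n Docker secret(s) defined"
    else
        echo "FAIL: no Docker secrets defined"; rc=1
    fi
    for c in $(docker ps -q 2>/dev/null); do
        leaks=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$c" \
                | env_secret_names | tr '\n' ' ')
        if [ -n "$leaks" ]; then
            echo "WARN: container $c passes secret-like env vars: $leaks"
        fi
    done
    return $rc
}

# Constructed sample output (not captured from a real host).
SAMPLE_INFO_ACTIVE=' Swarm: active
  NodeID: abc123
  Is Manager: true'
SAMPLE_INFO_INACTIVE=' Swarm: inactive'
SAMPLE_SECRET_LS='ID                          NAME                 DRIVER    CREATED          UPDATED
k3x9dummyidforillustrat     my_secret_password             2 minutes ago    2 minutes ago
p7qdummyidforillustrat2     db_tls_key                     1 hour ago       1 hour ago'
SAMPLE_SECRET_LS_EMPTY='ID                          NAME      DRIVER    CREATED   UPDATED'
SAMPLE_ENV='PATH=/usr/local/sbin:/usr/bin
DB_PASSWORD=hunter2
API_KEY=abcd1234
LANG=C.UTF-8'

# Offline demonstration on the constructed samples; --live audits the host.
if [ "${1:-}" = "--live" ]; then
    audit_docker_secrets
else
    printf '%s\n' "$SAMPLE_INFO_ACTIVE"   | swarm_active && echo "sample A: swarm active"
    printf '%s\n' "$SAMPLE_INFO_INACTIVE" | swarm_active || echo "sample B: swarm inactive"
    echo "sample secrets: $(printf '%s\n' "$SAMPLE_SECRET_LS" | secret_count)"
    echo "sample env leaks: $(printf '%s\n' "$SAMPLE_ENV" | env_secret_names | tr '\n' ' ')"
fi
```

Two practical notes on the implementation commands above. `echo "my_secret_password" | docker secret create ... -` stores the value with a trailing newline, which is why `create_secret_from_stdin` uses `printf '%s'`; applications that compare the secret byte for byte will otherwise fail. And when the secret is created through SSM Run Command, the plaintext value is part of the command parameters and is retained in the Run Command history, so prefer placing the value on the instance by another channel (or read it from a file with `docker secret create NAME FILE`) rather than embedding it in the `send-command` call.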
Backout Plan:
Using AWS Console:
Connect to the EC2 instance.
Remove the Docker secret:
docker secret rm my_secret_password
Using AWS CLI:
Use AWS Systems Manager (SSM) Run Command to remove the Docker secret:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker secret rm my_secret_password"]'
References:
Docker Secret Management