Step 3 - Create secrets in Secrets Manager

    To give Glasswall Halo access to the S3 bucket (s3name) that contains the CDR reports, an IAM user and role are required.

    • Create an IAM user (external_secrets_iam_user) and assign a role (external_secrets_iam_role) with a policy that allows read and write access to the S3 bucket that will store the CDR reports. This bucket should have been created in the Prerequisites step.
    • Create an AWS_ACCESS_KEY_ID secret that stores the IAM user's access key ID.
    • Create an AWS_SECRET_ACCESS_KEY secret that stores the IAM user's secret access key.
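The three bullets above, carried out as one script. This is an added example, not Glasswall's own tooling: it assumes AWS CLI v2 with credentials allowed to manage IAM and Secrets Manager, attaches the read/write policy inline to the user (the guide's external_secrets_iam_role is not created here), and scopes that policy to the single bucket rather than all of S3. The upsert_secret helper also works for every create-secret command later in this step, because create-secret fails if the secret already exists.

```shell
#!/bin/sh
# Added helper (not Glasswall's). Assumes AWS CLI v2 is configured with
# permissions for IAM and Secrets Manager in the chosen region.
set -eu

# Least-privilege policy for the CDR report bucket: list the bucket and
# read/write its objects. No wildcard resources, no delete.
render_s3_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}" },
    { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket}/*" }
  ]
}
EOF
}

# Create the secret on first run, rotate its value on later runs.
# (create-secret alone errors out once the secret exists.)
upsert_secret() {
  name="$1" value="$2" region="$3"
  if aws secretsmanager describe-secret --secret-id "$name" --region "$region" >/dev/null 2>&1; then
    aws secretsmanager put-secret-value --secret-id "$name" --secret-string "$value" --region "$region"
  else
    aws secretsmanager create-secret --name "$name" --secret-string "$value" --region "$region"
  fi
}

# First-run setup: create the IAM user from the guide, attach the scoped
# policy, and store the new access key pair under the guide's secret names.
create_s3_access_secrets() {
  bucket="$1" region="$2"
  aws iam create-user --user-name external_secrets_iam_user >/dev/null
  aws iam put-user-policy --user-name external_secrets_iam_user \
    --policy-name halo-cdr-reports-s3 --policy-document "$(render_s3_policy "$bucket")"
  aws iam create-access-key --user-name external_secrets_iam_user \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text |
  { read -r key_id key_secret
    upsert_secret AWS_ACCESS_KEY_ID "$key_id" "$region"
    upsert_secret AWS_SECRET_ACCESS_KEY "$key_secret" "$region"; }
}

# Only touch AWS when explicitly asked: HALO_RUN=1 ./script.sh <bucket> <region>
if [ "${HALO_RUN:-0}" = 1 ]; then
  create_s3_access_secrets "${1:?bucket name}" "${2:?region}"
fi
```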

    3.1 - MongoDB connection string

    To enable Glasswall Halo's Policy API to create and manage policies in MongoDB, the MongoDB connection string must be stored in Secrets Manager.

    • Retrieve the DocumentDB connection string (MongoDB compatible) from the AWS Console. It has the form shown below.
    mongodb://${username}:${password}@${endpoint}:${port}/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false

    • In the command below, replace ${mongodb_connstring} with your connection string (highlighted in the screenshot) and ${region} with your AWS region.
    aws secretsmanager create-secret --name "mongodb-connectionstring" --secret-string "${mongodb_connstring}" --region "${region}"

    Add the MongoDB passwords to AWS Secrets Manager as secrets

    Note: if you have previously configured and set up MongoDB within AWS and created your MongoDB connection string as listed above, you can skip this step.

    If not, to enable Glasswall Halo's Policy API to create and manage policies in MongoDB, and the Asynchronous API to create and manage requests, MongoDB needs to be deployed using the Helm charts listed in Step 8.

    The MongoDB Helm chart creates two users, and each user's password needs to be set in the Vault secret.

    Sensitive data, such as passwords, should be stored as key-value pairs in JSON format in the Vault secret.

    aws secretsmanager create-secret --name "mongodb-cdrp-password" --secret-string "<cdrp-user-password>" --region "${region}"
    aws secretsmanager create-secret --name "mongodb-admin-password" --secret-string "<admin-user-password>" --region "${region}"

    3.2 - Amazon DocumentDB Certificate Authority (CA)

    For the cdrplatform-policy-api service to authenticate to MongoDB successfully, it must trust the Amazon DocumentDB Certificate Authority.

    • Create a secret called cdrp-rds-ca-bundle in Secrets Manager and add the content of the Certificate Authority provided by Amazon.

    3.3 - Menlo API Key

    To enable API key based authentication in Menlo API, add a secret menlo-api-key with an API key you would like to use.

    aws secretsmanager create-secret --name "menlo-api-key" --secret-string "<strong-api-key>" --region "${region}"

    3.4 - [Optional] Add ReversingLabs credentials

    To integrate Halo with ReversingLabs, add the ReversingLabs credentials to AWS Secrets Manager. Replace `${reversinglabs_username}` and `${reversinglabs_password}` with the actual username and password.

    aws secretsmanager create-secret --name "halo-reversinglabs-username" --secret-string "${reversinglabs_username}" --region "${region}"
    aws secretsmanager create-secret --name "halo-reversinglabs-password" --secret-string "${reversinglabs_password}" --region "${region}"

    3.5 - [Optional] Add ICAP mTLS certificates

    ICAP servers can be configured for mutual client authentication using mTLS certificates. The certificates are mounted into the ICAP server pods from Kubernetes secrets. Add the server certificate, server key and certificate authority to AWS Secrets Manager so that they can be synced to Kubernetes secrets. Replace the file paths below with the paths to your PEM files; the AWS CLI reads the file contents via the file:// prefix.

    aws secretsmanager create-secret --name "tls-server-cert" --region "${region}" --secret-string file://path/to/mtls-server-cert.pem
    aws secretsmanager create-secret --name "tls-server-key" --region "${region}" --secret-string file://path/to/mtls-server-key.pem
    aws secretsmanager create-secret --name "tls-cafile" --region "${region}" --secret-string file://path/to/mtls-ca-cert.pem
