Version: 2.16.0

Step 3 - Create secrets in Secrets Manager

To enable Glasswall Halo's access to the S3 bucket (s3name) that contains the CDR reports, an IAM user and role are required.

  • Create an IAM user (external_secrets_iam_user) and assign a role (external_secrets_iam_role) with a policy that allows read and write on the S3 bucket which will store the CDR reports. This bucket should have been created in the prerequisites step.

  • Create an AWS_ACCESS_KEY_ID secret that stores the IAM user's access key ID.

  • Create an AWS_SECRET_ACCESS_KEY secret that stores the IAM user's secret access key.

3.1 - MongoDB connection string

To enable the Glasswall Halo Policy Management API to create and manage policies in MongoDB, store the MongoDB connection string in AWS Secrets Manager.

  • You can retrieve the DocumentDB MongoDB-compatible connection string from the AWS Console, as shown in the example below.

mongodb://${username}:${password}@${endpoint}:${port}/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false

  • Enter your connection string by replacing ${mongodb_connstring}, and enter your AWS region by replacing ${region} (as below).

aws secretsmanager create-secret --name "mongodb-connectionstring" --secret-string "${mongodb_connstring}" --region "${region}"

Add the MongoDB passwords to AWS Secrets Manager as secrets

Note: if you have previously configured and set up MongoDB within AWS and have created your MongoDB connection string as listed above, you can skip this step.

If not, to enable Glasswall Halo's Policy Management API to create and manage the policies in MongoDB, and the Asynchronous API to create and manage the requests, MongoDB needs to be deployed using the Helm charts listed in Step 8.

Two users will be created by the MongoDB Helm chart, and each user's password needs to be set in the corresponding Secrets Manager secret.

Sensitive data, such as passwords, should be stored in AWS Secrets Manager.

aws secretsmanager create-secret --name "mongodb-cdrp-password" --secret-string "<cdrp-user-password>" --region "${region}"
aws secretsmanager create-secret --name "mongodb-admin-password" --secret-string "<admin-user-password>" --region "${region}"

3.2 - Amazon DocumentDB Certificate Authority (CA)

For the cdrplatform-policy-API service to successfully authenticate to MongoDB, it must trust the Amazon DocumentDB Certificate Authority.

  • Create a secret called cdrp-rds-ca-bundle in Secrets Manager and add the content of the certificate authority bundle provided by Amazon.
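The required secrets from Step 3, 3.1 and 3.2 can be stored with one script. The following is an added example, not Glasswall's own tooling: it refuses unreplaced placeholders (the literal ${mongodb_connstring} or <cdrp-user-password>), checks that the DocumentDB URI carries TLS, and creates each secret or adds a new version when the name already exists. It assumes AWS CLI v2 with credentials configured; the environment variable names (MONGODB_CONNSTRING, HALO_S3_ACCESS_KEY_ID, and so on) are this example's own, not names from the page.

```shell
#!/usr/bin/env bash
# Added example, not Glasswall's own tooling: store the secrets this step lists with
# placeholder and TLS checks, creating each secret or adding a new version if it exists.
# Assumes AWS CLI v2 with credentials configured; env variable names are this example's own.
set -eu

# Print the aws command instead of running it when DRY_RUN=1 (lets the script be rehearsed offline).
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# Reject empty values and unreplaced placeholders such as ${mongodb_connstring} or
# <cdrp-user-password>, so a literal placeholder is never stored as the secret.
validate_secret_value() {
  [ -n "$1" ] || { echo "empty secret value" >&2; return 1; }
  case "$1" in
    *'${'*|*'<'*'>'*) echo "unreplaced placeholder in secret value" >&2; return 1 ;;
  esac
}

# DocumentDB only accepts TLS connections, so the URI must carry ssl=true (or tls=true).
validate_mongodb_connstring() {
  validate_secret_value "$1" || return 1
  case "$1" in
    mongodb://*ssl=true*|mongodb://*tls=true*) return 0 ;;
    *) echo "expected mongodb://... with ssl=true or tls=true" >&2; return 1 ;;
  esac
}

# upsert_secret NAME REGION VALUE: create-secret fails if NAME exists, so fall back to
# put-secret-value, which stores a new version (the same call pattern a rotation uses).
upsert_secret() {
  validate_secret_value "$3" || return 1
  run_aws secretsmanager create-secret --name "$1" --region "$2" --secret-string "$3" 2>/dev/null \
    || run_aws secretsmanager put-secret-value --secret-id "$1" --region "$2" --secret-string "$3"
}

# create_step3_secrets REGION CA_BUNDLE_PATH: the required secrets from this step.
# Values come from the environment so they do not land in shell history.
create_step3_secrets() {
  validate_mongodb_connstring "${MONGODB_CONNSTRING:?}"
  upsert_secret AWS_ACCESS_KEY_ID "$1" "${HALO_S3_ACCESS_KEY_ID:?}"
  upsert_secret AWS_SECRET_ACCESS_KEY "$1" "${HALO_S3_SECRET_ACCESS_KEY:?}"
  upsert_secret mongodb-connectionstring "$1" "$MONGODB_CONNSTRING"
  upsert_secret mongodb-cdrp-password "$1" "${MONGODB_CDRP_PASSWORD:?}"
  upsert_secret mongodb-admin-password "$1" "${MONGODB_ADMIN_PASSWORD:?}"
  # file:// makes the AWS CLI read the PEM file and store its contents as the secret string.
  upsert_secret cdrp-rds-ca-bundle "$1" "file://$2"
}
```

Run it as `DRY_RUN=1 create_step3_secrets "${region}" ./rds-combined-ca-bundle.pem` first to see the exact aws calls, then without DRY_RUN to apply them.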

3.3 - [Optional] Add ReversingLabs credentials

To integrate Glasswall Halo with ReversingLabs, store the ReversingLabs credentials in AWS Secrets Manager.

Replace ${reversinglabs_username} and ${reversinglabs_password} with the actual username and password.

aws secretsmanager create-secret --name "halo-reversinglabs-username" --secret-string "${reversinglabs_username}" --region "${region}"
aws secretsmanager create-secret --name "halo-reversinglabs-password" --secret-string "${reversinglabs_password}" --region "${region}"

3.4 - [Optional] Add ICAP MTLS certificates

ICAP servers can be configured for mutual client authentication using MTLS certificates. The certificates will be mounted into the ICAP server pods via Kubernetes secrets.

Add the server certificates and certificate authority to the AWS Secrets Manager so that they can be synced to Kubernetes secrets.

aws secretsmanager create-secret --name "tls-server-cert" --region "${region}" --secret-string file://<path/to/mtls-server-cert.pem>
aws secretsmanager create-secret --name "tls-server-key" --region "${region}" --secret-string file://<path/to/mtls-server-key.pem>
aws secretsmanager create-secret --name "tls-cafile" --region "${region}" --secret-string file://<path/to/mtls-ca-cert.pem>