search

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.16k stars 433 forks source link

Support AWS IAM Authentication for Elasticache Redis Cluster #20527

Open ChefAustin opened 4 months ago

ChefAustin commented 4 months ago

Problem

[ Along in the lines of #1817 ]

As an infrastructure engineer, I want to enable AWS IAM authentication for the Elasticache Redis cluster in Fleet so that I can enhance the security model and simplify administrative tasks.

Infrastructure engineers managing the Fleet deployment need to secure their Elasticache Redis clusters. The current methods—unauthenticated connections or username/password—pose security risks and administrative burdens. Integrating AWS IAM authentication would provide a more secure and manageable solution by leveraging short-lived tokens instead of long-lived credentials.

What have you tried?

Having looked through Fleet Server Configuration docs, this authentication method does not seem to be achievable in Fleet's current state.

Potential solutions

Use the existing IAM authentication implementation for Firehose as a loose guide for implementing this with Elasticache Redis.

Acceptance Criteria

  1. Authentication Method: • Fleet should support AWS IAM authentication for connecting to Elasticache Redis clusters. • The implementation should leverage the AWS SDK to obtain short-lived tokens for authentication.
  2. Configuration: • Provide configuration options in Fleet for enabling AWS IAM authentication for Redis clusters. • Documentation should guide users on how to configure IAM roles and policies for Elasticache access.
  3. Security: • Ensure that the IAM authentication process adheres to AWS security best practices. • Validate that short-lived tokens are used and managed appropriately, reducing the risk associated with static credentials.
  4. Documentation and Error Handling: • Update Fleet’s documentation to include steps for setting up IAM authentication with Elasticache. • Include common error messages and troubleshooting steps related to IAM authentication.
  5. Compatibility: • Ensure the implementation is compatible with existing Fleet deployments that use unauthenticated connections or username/password.

Additional Information

• Known limitations and considerations for IAM authentication with Elasticache Redis can be found here: AWS ElastiCache IAM Authentication Limits.

What is the expected workflow as a result of your proposal?

Create an AWS IAM Role with the necessary permissions to communicate with Elasticache Redis, configure FLEET_REDIS_ADDRESS & FLEET_REDIS_ASSUME_ROLE_ARN and let AWS SDK do the rest.

noahtalerman commented 4 months ago

Hey @ChefAustin! Sorry for the delayed response.

If I'm understanding correctly, Fleet today supports basic auth (username + pwd) for Redis (Redis server config here).

Basic auth isn't good enough.

We could base new Redis config options off of the existing Firehose config options here.

Sounds like the right summary?

Also, we would definitely be open to reviewing / helping with a PR to add this config. Let us know how we can help!

In the meantime, the plan is to weigh this request at the next feature fest on 2024-08-01.

ChefAustin commented 4 months ago

@noahtalerman Summary sounds correct to me.

JoStableford commented 4 months ago

Related to a Slack conversation

JoStableford commented 3 weeks ago

Linked to Unthread ticket:

Request for context on internal Slack conversation about IAM auth for Elasticache Redis Cluster #3554)