Operate Efficiently and Securely: Rotating Prisma Cloud Access Keys

May 21, 2024
11 minutes

Ensuring appropriate access management is a critical component of any effective cloud security strategy. Take this real-world scenario, for example.

Prisma Cloud™ exposes an API and allows users to interact with it to enable different programmatic integrations with external technology, such as having Prisma Cloud perform code scanning in the CI/CD pipeline.

Doing this would require the code scanning plugin (Checkov) to connect back to Prisma Cloud, which would require the plugin to pass the appropriate credentials. Administrators don’t want to have to provide user credentials each time the pipeline runs, so to avoid that they’d create Prisma Cloud Service Accounts to automate the process and enable a nonhuman entity to interact programmatically with the Prisma Cloud APIs.

Service accounts differ from user accounts in that they don’t need an email address associated with them and don’t need to be validated or activated in an external system before they’re used. You can scope them to specific RBAC roles and policies. Prisma Cloud Service Accounts do not use passwords to allow users to interact with the system. Instead, they use access keys. Prisma Cloud Access Keys are a secure way to enable programmatic access to the Prisma Cloud API when you are setting up an external integration or automation.

A common security best practice is to have an access key rotation policy in place to limit the lifetime of static access keys and reduce the risk to the organization if a key is exposed. The general rule is to create access keys for a limited time period and regenerate API keys periodically. Chances are your organization already has rules around access keys in your CSP.

But how do we deal with rotating access keys for our different Service Accounts? You can do it manually, creating a new key in the console and then updating the automation process that uses it. But doing it this way is tedious and error prone, and it doesn’t scale well. A better approach is to use automation to manage these keys. Prisma Cloud allows you to programmatically create and manage access keys.

There are multiple ways to achieve the secure storage and rolling of Prisma Cloud access keys. This post will explore practical examples in AWS, Azure, GCP and GitHub.

Automating the Management of Access Keys

In general, to automate the management of access keys you’ll need to accommodate several requirements:

  • The Prisma Cloud access keys will need secure, accessible storage
  • The solution should be able to define the expiration policy and track the expiration date of the access key and ensure that the key is rolled when necessary
  • To periodically roll the key, a workflow or process will have to be run
  • Outside workflows will need a way to securely (and programmatically) retrieve the keys when needed
Figure 1. General Solution Diagram

Let’s look at the end-to-end process in more detail:

  1. A request to roll the access key can be triggered off the key expiration date (e.g., a time-based event), or...
  2. A request to roll the access key can be triggered by an administrator
  3. The request workflow is handled by the corresponding secrets storage utility (the “vault”)
  4. The vault authenticates to Prisma Cloud using the current access key and requests a new access key
  5. The new access key is sent back to the vault and securely stored
  6. Upstream processes interact with the vault and retrieve the latest Prisma Cloud access key

Implementing Access Keys for a Service Account

We created a sample repository with code and instructions to help you get started in AWS, Azure, GCP and GitHub. Each solution follows the same general procedure described above. We’ll walk through the specific implementation below, but there are some general notes that apply to all:

  • Prisma Cloud allows Service Accounts to have up to two access keys. When a new key is created, an existing key that is not held in the vault will be deleted, and the existing key that is held in the vault will be deactivated.
  • Prisma Cloud allows Service Accounts to manage their own keys. Because of that, a secondary key, such as for an administrator, is not required.
  • If a failure happens, the solution should try to roll back changes. It’s not possible to undelete an access key, nor is it possible to reactivate a key once it’s been made inactive. Beyond that, the solution should restore the non-expired key to its original state in Prisma Cloud and within the vault.
  • Any required infrastructure will be deployed with Terraform
  • Each solution will require an existing Service Account and a valid access key
  • The access key will be used as input to the process and automatically rolled.
  • The examples make use of the prismacloud-cli to do some of the heavy lifting for the interaction with the Prisma Cloud API. Please consider contributing.
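The end-to-end process (steps 3 to 6 above) together with the two-key limit and rollback notes can be exercised offline with the following simulation. This is an added example, not the code from the sample repository, and it does not use prismacloud-cli: PrismaCloudSim and Vault are constructed stand-ins for the Prisma Cloud access key endpoints and for whichever secrets store you use, so that the ordering of create, store, delete and deactivate, and what happens when the vault write fails, can be seen in one place.

```python
"""Added simulation of the general rotation workflow (steps 3 to 6) and the
two-key / rollback notes. PrismaCloudSim and Vault are constructed stand-ins,
not the Prisma Cloud API, prismacloud-cli or the sample repository."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

MAX_KEYS_PER_ACCOUNT = 2  # Prisma Cloud limit per Service Account (from the post)


@dataclass
class AccessKey:
    key_id: str
    secret: str
    expires: datetime
    active: bool = True


class PrismaCloudSim:
    """Constructed stand-in for the Service Account access key endpoints."""

    def __init__(self):
        self.keys = {}  # key_id -> AccessKey

    def seed(self, validity_days):
        """The initial key an administrator creates in the console."""
        return self._new(validity_days)

    def _new(self, validity_days):
        if len(self.keys) >= MAX_KEYS_PER_ACCOUNT:
            raise RuntimeError("Service Account already holds two access keys")
        key = AccessKey(secrets.token_hex(8), secrets.token_urlsafe(24),
                        datetime.now(timezone.utc) + timedelta(days=validity_days))
        self.keys[key.key_id] = key
        return key

    def _auth(self, auth):
        key = self.keys.get(auth[0])
        if key is None or not key.active or key.secret != auth[1]:
            raise PermissionError("invalid or inactive access key")

    def create_key(self, auth, validity_days):
        self._auth(auth)
        return self._new(validity_days)

    def deactivate_key(self, auth, key_id):
        self._auth(auth)
        self.keys[key_id].active = False  # irreversible, as in Prisma Cloud

    def delete_key(self, auth, key_id):
        self._auth(auth)
        del self.keys[key_id]  # irreversible, as in Prisma Cloud


class Vault:
    """In-memory stand-in for Secrets Manager / Key Vault / repository secrets."""

    def __init__(self, current, lead_days=7):
        self.current = current
        self.lead_days = lead_days  # roll once the key is this close to expiry

    def needs_rotation(self, now=None):
        now = now or datetime.now(timezone.utc)
        return self.current.expires - now <= timedelta(days=self.lead_days)

    def store(self, key, fail=False):
        if fail:  # constructed switch to exercise the rollback path
            raise IOError("simulated vault write failure")
        self.current = key


def rotate(prisma, vault, validity_days=90, vault_fail=False):
    """One rotation cycle. Returns the key the vault holds afterwards."""
    old = vault.current
    auth = (old.key_id, old.secret)
    # Make room under the two-key limit: a key the vault does not hold is not
    # used by anything, so it is deleted outright.
    for key_id in list(prisma.keys):
        if key_id != old.key_id:
            prisma.delete_key(auth, key_id)
    new = prisma.create_key(auth, validity_days)  # step 4
    try:
        vault.store(new, fail=vault_fail)  # step 5
    except IOError:
        # Roll back: the new key was never handed out, so deleting it returns
        # Prisma Cloud to its prior state; the vault still holds the old key.
        prisma.delete_key(auth, new.key_id)
        return vault.current
    # Deactivation cannot be undone, so it is the last action, and it is done
    # with the new key, which proves the new key works before the old is retired.
    prisma.deactivate_key((new.key_id, new.secret), old.key_id)
    return vault.current


if __name__ == "__main__":
    prisma = PrismaCloudSim()
    vault = Vault(prisma.seed(validity_days=5))
    if vault.needs_rotation():
        rotate(prisma, vault)
    print({k: v.active for k, v in prisma.keys.items()})
```

The order matters: the new key is created and stored before anything irreversible happens to the old one, and the old key is deactivated with the new credentials, so a key that fails to authenticate is never left as the only usable one.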

AWS

Figure 2. Service Account access key rolling with AWS Secrets Manager

AWS provides multiple services to securely store and access secrets. The example solution will make use of AWS Secrets Manager as it includes a native integration with AWS Lambda to help facilitate managing credential expiry and refresh.

The sample workflow will perform the following actions:

  1. A request to roll the access key can be triggered off of the key expiration date (e.g., a time-based event), or...
  2. A request to roll the access key can be triggered by an administrator
  3. AWS Secrets Manager initiates the credential update
  4. AWS Secrets Manager will call AWS Lambda to request a new credential. Note that there are actually multiple calls to AWS Lambda for this event. They are explained in more detail here.
  5. AWS Lambda will make a request to Prisma Cloud to create a new access key
  6. Prisma Cloud returns the access key back to AWS Lambda
  7. AWS Lambda updates the secret in AWS Secrets Manager
  8. Upstream processes interact with the AWS Secrets Manager and retrieve the latest Prisma Cloud access key stored in the secret.

For more details on how to deploy in your environment, review the procedure with the README in the “aws” folder within the git repository here.
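The "multiple calls to AWS Lambda" in step 4 are the four rotation steps Secrets Manager drives in order (createSecret, setSecret, testSecret, finishSecret), each with the same ClientRequestToken. The handler below is an added example, not the code in the post's sample repository: the step names, event fields and AWSCURRENT/AWSPENDING staging labels are AWS rotation conventions, while SecretsManagerSim is a constructed stand-in for the boto3 client and the three prisma_* callables stand in for the Prisma Cloud create, login and deactivate calls, so the whole flow runs offline. The ARN is a placeholder.

```python
"""Added example of the four-step rotation handler AWS Secrets Manager drives
through AWS Lambda. SecretsManagerSim is a constructed stand-in for the boto3
client; the prisma_* callables stand in for the Prisma Cloud calls."""
import json
import uuid

SECRET_ARN = "arn:aws:secretsmanager:example:prisma-key"  # placeholder, not real


class SecretsManagerSim:
    """Constructed stand-in for the boto3 secretsmanager calls the handler uses.
    The real client raises botocore ClientError where this raises KeyError."""

    def __init__(self, secret_string):
        vid = str(uuid.uuid4())
        self.versions = {vid: secret_string}
        self.stages = {vid: ["AWSCURRENT"]}

    @classmethod
    def from_key(cls, access_key_id, secret_key):
        return cls(json.dumps({"access_key_id": access_key_id, "secret_key": secret_key}))

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None:
            VersionId = next(v for v, s in self.stages.items() if VersionStage in s)
        if VersionStage not in self.stages.get(VersionId, []):
            raise KeyError("ResourceNotFoundException")
        return {"SecretString": self.versions[VersionId]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.stages[RemoveFromVersionId].remove(VersionStage)
            if VersionStage == "AWSCURRENT":  # AWS relabels the old version
                self.stages[RemoveFromVersionId].append("AWSPREVIOUS")
        self.stages[MoveToVersionId].append(VersionStage)


def _load(sm, arn, **where):
    return json.loads(sm.get_secret_value(SecretId=arn, **where)["SecretString"])


def lambda_handler(event, context, sm, prisma_create, prisma_verify, prisma_retire):
    """Invoked once per step; Secrets Manager calls the steps in order."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        try:  # idempotent: a retried invocation must not mint a second key
            _load(sm, arn, VersionId=token, VersionStage="AWSPENDING")
            return
        except KeyError:
            pass
        cur = _load(sm, arn, VersionStage="AWSCURRENT")
        new_id, new_secret = prisma_create(cur["access_key_id"], cur["secret_key"])
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps({"access_key_id": new_id,
                                                     "secret_key": new_secret}),
                            VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pass  # the key already exists in Prisma Cloud; nothing to push
    elif step == "testSecret":
        pend = _load(sm, arn, VersionId=token, VersionStage="AWSPENDING")
        if not prisma_verify(pend["access_key_id"], pend["secret_key"]):
            raise RuntimeError("pending access key failed to authenticate")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
        current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if current_vid == token:
            return  # already promoted on an earlier attempt
        old = _load(sm, arn, VersionId=current_vid, VersionStage="AWSCURRENT")
        new = _load(sm, arn, VersionId=token, VersionStage="AWSPENDING")
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_vid)
        # Only now, once consumers can fetch the new key, retire the old one.
        prisma_retire(new["access_key_id"], new["secret_key"], old["access_key_id"])
    else:
        raise ValueError(f"unknown rotation step {step}")


def run_rotation(sm, token, prisma_create, prisma_verify, prisma_retire, arn=SECRET_ARN):
    """Drive the four steps the way Secrets Manager does; returns the new AWSCURRENT."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        event = {"SecretId": arn, "ClientRequestToken": token, "Step": step}
        lambda_handler(event, None, sm, prisma_create, prisma_verify, prisma_retire)
    return _load(sm, arn, VersionStage="AWSCURRENT")
```

Two details carry over to a real deployment: createSecret checks for an existing AWSPENDING version before calling Prisma Cloud, because Secrets Manager retries failed steps and a second key would exhaust the two-key limit; and the old key is only deactivated in finishSecret, after AWSCURRENT has moved, so consumers never observe a window with no working key.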

Azure

Figure 3. Service Account access key rolling with Azure Key Vault

Azure credentials can be stored and accessed securely using Azure Key Vault. Additionally, Azure Key Vault will keep track of expiration dates and send events to the Event Grid based on that. The events in turn can trigger a Function App that connects to Prisma Cloud and then issues the appropriate API calls to generate a new key.

The sample workflow will perform the following actions:

  1. A Service Account access key is stored in the Key Vault
  2. The Key Vault will send a “near expiry” event to the Event Grid at a specified number of days ahead of the key expiration.
  3. A Function App will subscribe to the Event Grid and trigger based on the event.
  4. Optionally, an administrator can trigger the Function App to initiate the process to rotate the keys.
  5. The Function App will request a new Service Account Access Key from Prisma Cloud
  6. The new access key is generated
  7. The new key is stored in the Key Vault.
  8. Upstream processes interact with the Azure Key Vault and retrieve the latest Prisma Cloud access key.

For more details on how to deploy in your environment, review the procedure with the README in the “azure” folder within the git repository here.

Google Cloud

Figure 4. Service Account access key rolling with Google Cloud Secret Manager

The sample workflow will perform the following actions:

  1. A Service Account access key is stored in the Secret Manager
  2. Secret Manager will send a rotation event to a Pub/Sub topic at a specified number of days ahead of the key expiration.
  3. Optionally, an administrator can send an event to the topic to initiate the process to rotate the keys.
  4. A Cloud Function will subscribe to the topic and trigger based on the event.
  5. The Cloud Function will request a new Service Account Access Key from Prisma Cloud
  6. The new access key is generated
  7. The new key is stored in the Secret Manager
  8. Upstream processes interact with Secret Manager and retrieve the latest Prisma Cloud access key.

For more details on how to deploy in your environment, review the procedure with the README in the “gcp” folder within the git repository here.

GitHub

Figure 5. Service Account access key rolling with GitHub Repository Secrets

GitHub Secrets allow you to store sensitive information at the organization, repository or repository environment level. Secrets are variables that are securely stored and accessed within the organization or within a specific repository, and they can then be used by GitHub Actions. GitHub Actions only provides read access to Secrets; however, a custom Action can be created to use the GitHub API to update repository secrets.

The sample workflow will perform the following actions:

  1. A request to roll the access key can be triggered off of a cron schedule
  2. Optionally, a request to roll the access key can be triggered by an administrator
  3. A GitHub Action workflow will launch
  4. The current access key will be retrieved from the GitHub Repository Secrets store
  5. The workflow will request a new Service Account Access Key from Prisma Cloud
  6. The new access key is generated
  7. The new key is stored in the GitHub Repository Secrets store
  8. Upstream processes interact with the GitHub Repository Secrets store and retrieve the latest Prisma Cloud access key.

For more details on how to deploy in your environment, review the procedure with the README in the “github” folder within the git repository here.

Managing the Expiration of Access Keys

This general solution covers rotating access keys for a Service Account. The solution can be coupled with out-of-the-box functionality within Prisma Cloud to provide a more robust security posture surrounding access keys. Prisma Cloud provides two native capabilities to help manage the expiry of access keys.

Access Key Maximum Validity

Use the Access Key Maximum Validity settings to establish the platform limit for the maximum number of days for access key validity. This setting ensures compliance with your organization’s policy by placing a hard limit on the number of days a key can be valid for.

Access Key Expiration Notifications

To ensure uninterrupted access to Prisma Cloud APIs, you can also set Access Key Expiration Notifications. There are two types of notifications for access key expiration - user notifications (for named User access keys) and alarm center notifications (for Service Account access keys). When User notifications are selected, Prisma Cloud will send an email to the user. When Service Account notifications are selected, Prisma Cloud will generate an alert within the alarm center. You can set up notifications for alarms (for example - trigger emails, messages in Splunk, and various other channels) using the procedure here.

Exercise Caution with Automatic Key Rotation

You can use this process as a guide to roll keys for all of your Service Accounts. However, we recommend caution when implementing an automatic key rotation process in several different scenarios.

External Integrations

You can also use Service Accounts for external integrations, such as the pull-based integration with Cortex XSOAR™ or Cortex Xpanse™. While you should have a key rotation strategy in place for these types of integrations, the process described above may not be the best fit: when the key is rotated, it will also need to be updated in the respective integration’s console.

User Access Keys

User accounts can also create access keys, which need to be periodically renewed. These can be used for custom scripts and IDE integrations, both of which will typically need to be manually updated if the key is rotated.

Next Steps

Organizations typically have a policy against long-lived static access keys, and to help maintain compliance and security posture it is important to have an access key rotation policy in place to limit the lifetime of static access keys. We presented a general workflow and gave some specific examples and samples for different access key management solutions.

As a next step - try our solution out for yourself! Here’s a GitHub repository with sample code and instructions that you can use to get started creating your own automated key rotation process. Please note that the sample was only intended as a guide; feel free to customize it to meet the needs of your organization.

What’s next for us? We’re working on a custom plugin with HashiCorp Vault - check back again soon.

If you found your way here but don’t currently use Prisma Cloud, we invite you to take it for a test drive. Discover how Prisma Cloud can evaluate the security posture of your cloud estate with a free 30-day trial.

 

 

 

