AWS Storage Blog

Automating Amazon FSx for NetApp ONTAP password rotation with AWS Lambda

Data security is a top priority for customers using AWS cloud services. Based on customer input, AWS has “designed-in” methods that enable customers to automate common security workflows such as password rotation. The principles behind this automation follow the AWS Well-Architected Framework, which helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.

The AWS Well-Architected Framework is built on six pillars: operational excellence, reliability, performance efficiency, cost optimization, sustainability, and security. Amazon FSx for NetApp ONTAP is built on these principles, and security is a shared responsibility between Amazon and the user. Automating routine tasks is a best practice of the security pillar in the AWS Well-Architected Framework.

Automating the process of password rotation is important to help ensure data security. This post explains how to use AWS Lambda and AWS Secrets Manager to automate password rotation for Amazon FSx for NetApp ONTAP file system administrators. The default FSx for ONTAP file system administrator is ‘fsxadmin’. This account manages the entire file system and its resources, sets up Storage Virtual Machines (SVMs), and delegates SVM administration to SVM administrators.

Solution overview

AWS Lambda enables you to run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes. In this post, we’ll create an AWS Lambda function, shown in Figure 1, that automatically rotates the password of the fsxadmin account on an individual file system. The pattern explained here also works for other administrative accounts, like ‘vsadmin’, which is used to manage SVMs. The AWS Lambda password policy from this post implements the following password characteristics, based upon the GetRandomPassword API call:

  • A password length of sixteen characters.
  • Randomly generated mix of uppercase, lowercase, numbers, and non-alphanumeric characters.

You can customize these parameters to meet your organization’s requirements for password length and complexity.

You can use AWS Secrets Manager password rotation services to automate password changes. Rotation is the process of periodically updating a secret. When you enable secret rotation, the credentials in the secret are automatically rotated by other AWS Services or AWS Lambda functions. In this post, we are using AWS Lambda to automate the process of rotating the secrets.
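The rotation flow described above, as an added example that is not the blog’s GitHub Lambda: Secrets Manager invokes the function once per step (createSecret, setSecret, testSecret, finishSecret), the function draws a 16-character password from GetRandomPassword with every character class required, pushes it to the file system, and only then moves the AWSCURRENT label. The file system ID, the secret ARN and the `{"fsxadmin": "<password>"}` secret layout are placeholders or assumptions taken from the post; the FSx call used to set the password is UpdateFileSystem’s OntapConfiguration.FsxAdminPassword field. Two constructed in-memory stand-ins for the Secrets Manager and FSx clients let the whole flow run offline.

```python
import json
import secrets
import string

# Assumptions: FSID is a placeholder (the post has you set your own), the secret holds
# {"fsxadmin": "<password>"}, and the password is pushed via UpdateFileSystem's
# OntapConfiguration.FsxAdminPassword field.
FSID = "fs-0123456789abcdef0"
PASSWORD_LENGTH = 16
SECRET_KEY = "fsxadmin"

def rotate(step, arn, token, sm, fsx, fsid=FSID):
    """One rotation step; Secrets Manager invokes the Lambda once per step, in order."""
    meta = sm.describe_secret(SecretId=arn)
    versions = meta.get("VersionIdsToStages", {})
    if not meta.get("RotationEnabled"):
        raise ValueError(f"secret {arn} is not enabled for rotation")
    if token not in versions:
        raise ValueError(f"version {token} is not staged for rotation")
    if "AWSCURRENT" in versions[token]:
        return "already-current"  # retry after finishSecret: nothing left to do
    if "AWSPENDING" not in versions[token]:
        raise ValueError(f"version {token} is not AWSPENDING")
    if step == "createSecret":
        try:  # idempotent: keep an existing pending value if this step is retried
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        except sm.exceptions.ResourceNotFoundException:
            # GetRandomPassword: 16 characters, every character class required (post's policy)
            pw = sm.get_random_password(PasswordLength=PASSWORD_LENGTH,
                                        RequireEachIncludedType=True)["RandomPassword"]
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token, VersionStages=["AWSPENDING"],
                                SecretString=json.dumps({SECRET_KEY: pw}))
    elif step == "setSecret":
        pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token,
                                                 VersionStage="AWSPENDING")["SecretString"])
        fsx.update_file_system(FileSystemId=fsid,
                               OntapConfiguration={"FsxAdminPassword": pending[SECRET_KEY]})
    elif step == "testSecret":
        # FSx has no credential-check API: confirm the file system accepted the update.
        fs = fsx.describe_file_systems(FileSystemIds=[fsid])["FileSystems"][0]
        if fs["Lifecycle"] not in ("AVAILABLE", "UPDATING"):
            raise RuntimeError(f"{fsid} is {fs['Lifecycle']}; not promoting the new password")
    elif step == "finishSecret":
        current = next((v for v, s in versions.items() if "AWSCURRENT" in s), None)
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current)
    else:
        raise ValueError(f"unknown step {step}")
    return step

def lambda_handler(event, context):
    import boto3  # imported here so rotate() can be exercised without boto3 installed
    return rotate(event["Step"], event["SecretId"], event["ClientRequestToken"],
                  boto3.client("secretsmanager"), boto3.client("fsx"))

class FakeSecrets:
    """Constructed in-memory stand-in for the Secrets Manager client."""
    class exceptions:
        class ResourceNotFoundException(Exception): ...
    def __init__(self, current_password):
        self.values = {"v0": json.dumps({SECRET_KEY: current_password})}
        self.stages = {"v0": ["AWSCURRENT"]}  # Secrets Manager adds token: ["AWSPENDING"]
    def describe_secret(self, SecretId):
        return {"RotationEnabled": True,
                "VersionIdsToStages": {k: list(v) for k, v in self.stages.items()}}
    def get_random_password(self, PasswordLength, RequireEachIncludedType=True):
        pools = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
        chars = [secrets.choice(p) for p in pools]  # one of each class, then random fill
        chars += [secrets.choice("".join(pools)) for _ in range(PasswordLength - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        return {"RandomPassword": "".join(chars)}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        for vid, stages in self.stages.items():
            if VersionId in (None, vid) and VersionStage in stages and vid in self.values:
                return {"SecretString": self.values[vid]}
        raise self.exceptions.ResourceNotFoundException(VersionStage)
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)

class FakeFsx:
    """Constructed stand-in for the FSx client; records the password it was given."""
    lifecycle = "AVAILABLE"
    admin_password = None
    def update_file_system(self, FileSystemId, OntapConfiguration):
        self.admin_password = OntapConfiguration["FsxAdminPassword"]
        return {"FileSystem": {"FileSystemId": FileSystemId, "Lifecycle": "UPDATING"}}
    def describe_file_systems(self, FileSystemIds):
        return {"FileSystems": [{"FileSystemId": FileSystemIds[0], "Lifecycle": self.lifecycle}]}

def run_rotation(sm, fsx, token, arn="arn:placeholder", fsid=FSID):
    """Drive the four steps in order and return the password now staged AWSCURRENT."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate(step, arn, token, sm, fsx, fsid)
    return json.loads(sm.get_secret_value(SecretId=arn)["SecretString"])[SECRET_KEY]
```

The ordering matters for safety: the new password is written to the secret as AWSPENDING first, then set on the file system, and AWSCURRENT moves only after the file system is confirmed healthy, so a failed update never leaves the secret pointing at a password the file system does not have. Re-invocations are tolerated (an existing AWSPENDING value is reused, and a finished rotation returns early), which is what Secrets Manager expects from a rotation function it may retry.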

Architecture overview

Figure 1: Architecture overview

Prerequisites

For this walkthrough, you should have the following prerequisites:

Walkthrough

By using the serverless computing capabilities of AWS Lambda, this solution executes code without the need to provision any compute resources. The Lambda function is written in Python and is extensible to your organizational requirements. This GitHub repository provides a centralized location for code updates and for maintaining both the AWS CloudFormation template and the AWS Lambda function. You are free to edit this Lambda function; for example, you may wish to add arrays or additional parameters and functions so that it handles multiple file systems, if that matches your organizational requirements.

Select the following link to launch an AWS CloudFormation template to create the Lambda needed for password rotation.


NOTE: If the FSx for ONTAP file system is running in a private VPC rather than a public VPC, we recommend creating a VPC endpoint for Secrets Manager before launching the CloudFormation script. Because file system architectural requirements vary from organization to organization, this was not included in the CloudFormation template.

After creating the FSxNSecretsManagerRotatorFunction Lambda, you must edit one parameter. As shown in Figure 2, the FSID parameter is on line 20 of the Lambda code. Populate the FSID parameter with the ID of the file system whose password is to be rotated, then select Deploy to save the changes.


Figure 2: Editing the FSID parameter

Moving to the Secrets Manager console, as seen in Figure 3 and Figure 4, there is a secret called “FSxAdminPassword” with a key/value secret pair of “fsxadmin” and the current password. This is used to automate the password rotation.

Figure 3: Secrets Manager


Figure 4: Secrets Manager key/value

To enable Secrets Manager password rotation, the first step is to select the Rotation configuration tab on the FSxAdminPassword secret’s page. Then select Edit rotation, as seen in Figure 5.

Figure 5: Secrets Manager – Selecting Edit rotation


Another menu opens, as seen in Figure 6. Select the radio button to enable automatic rotation. Then, using the Schedule expression builder setting, set the rotation schedule to your organizational needs; for this post, 90 days is used as an example. Verify that the Lambda function named “FSxNSecretsManagerRotatorFunction” is selected, and select Save.

Figure 6: Secrets Manager – Configuring rotation


After a few minutes, go back to the Secrets Manager console for the FSxAdminPassword and fetch the newly updated password from Secrets Manager.

Using a system with access to the FSx for ONTAP file system, secure shell (SSH) to the cluster with the fsxadmin account, as in Figure 7, and verify that the password has been successfully rotated. For more information on how to SSH to your file system, refer to the FSx for ONTAP User Guide.

If you do not know the DNS name of your file system, then you can find the DNS name and IP address of your file system’s management endpoint in the Amazon FSx console, in the Administration tab of the FSx for ONTAP file system details page.

Figure 7: Logging in with new password


Cleaning up

If you decide to stop the automatic rotation of the FSx for ONTAP password, navigate to CloudFormation in the console, choose the stack by the name you gave it at deployment, and choose Delete. The Lambda function and the secret are then deleted.

Once deleted, your password no longer automatically rotates.

Costs

There are costs associated with using this password rotation solution. The solution runs Lambda code, and in this case the Lambda function makes API calls. The Lambda cost should be minimal. For example, 100,000 alarms with 300,000 metrics in your account cost less than a few cents.

We also store a secret in AWS Secrets Manager, which as of the release of this blog is $0.40 per secret, and $0.05 per 10,000 API calls. The monthly cost of storing the secret is higher than the cost of AWS Lambda in this solution.

The pricing details are available on the Secrets Manager and Lambda pages.

Conclusion

In this post, we walked through a method to automate the creation and retention of the FSx for ONTAP file system administrator (fsxadmin) password. Using a combination of AWS Lambda and AWS Secrets Manager, we have a fully serverless, low-overhead solution for the rotation of passwords.

The automation of routine tasks, such as password changes seen here, aligns with the security pillar of the AWS Well-Architected Framework. By regularly changing passwords, organizations better manage and control access to FSx ONTAP file systems.

As a final takeaway, we encourage you to try this in your own environment. You can learn more about this solution by diving deep into the GitHub repository and the associated Python Lambda.

We welcome your feedback. If you have questions or suggestions, leave them in the comments section.

Tom McDonald


Tom McDonald is a Senior Workload Storage Specialist at AWS. Starting with an Atari 400 and re-programming tapes, Tom began a long interest in increasing performance on any storage service. With 20 years of experience in the Upstream Energy domain, file systems and High-Performance Computing, Tom is passionate about enabling others through community and guidance.