Automated SOPS compliance checking with sops-check

SOPS is the de-facto standard for securely storing secrets in Git repositories. It creates encrypted containers that protect the secret content. The containers are in YAML, JSON, ENV or INI format so that the regular Git operations and line-based diffs still work. Also, SOPS only encrypts the values of the secrets so that it is easy to see the purpose of a secret. SOPS files use external "trust anchors" for key material so that the ability to decrypt a SOPS file depends on the access to the appropriate decryption key or service.

While SOPS files are considered secure by themselves, the security posture actually depends entirely on protecting these external trust anchors - and on controlling the trust anchors added to a SOPS file. SOPS files are often used with cloud-based key management systems (KMS), which has the great advantage of providing an online identity verification prior to granting access to the encrypted data. A malicious actor — especially an internal one — could simply add a "personal" trust anchor, e.g. a personal AGE key, to gain access to the encrypted data. He could thus copy a SOPS file and decrypt it without access to the online cloud-based KMS, and without leaving a trace in the audit trail.

See my talk "Cloud & Offline Secrets Management with SOPS" for more details about all of this:

SOPS-CHECK TO THE RESCUE

To turn SOPS files into a true secrets management solution we must therefore closely guard our SOPS files and exercise tight control over the trust anchors that are used in SOPS files. To help with this problem I'm proud to present sops-check, an Open Source tool to perform static compliance checking on SOPS files. You can find it at github.com/Bonial-International-GmbH/sops-check.

It allows defining rules that all SOPS files in a directory (e.g. a Git repo) must comply with. The sops-check repository contains a demo to illustrate this. In this demo we have the following rules:

  1. Our AGE disaster recovery key must be used to ensure our ability to decrypt an offline backup of our Git repositories that contain SOPS files
  2. Different AWS KMS keys must be used for the production, development and staging environments. This prevents accidential mix-ups between the different environments.
  3. All KMS keys must be from our allowed regions and accounts

No other trust anchors are allowed. The sops-check configuration file .sops-check.yaml looks like this: 

# Global settings
allowUnmatched: false  # Reject any trust anchors not explicitly allowed by rules

rules:
  # All rules must match
  - allOf:
      # Disaster recovery key must be present in all files
      - description: "Disaster recovery AGE key must be present in all files"
        match: "age1u79ltfzz5k79ex4mpl3r76p2532xex4mpl3z7vttctudr6gedn6ex4mpl3"
        url: "https://internal-wiki/security/disaster-recovery"

      # Environment-specific rules
      - anyOf:
          # Production rules
          - allOf:
              - description: "Production files must use production KMS keys in both regions"
                matchRegex: "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/production-cicd$"
              - not:
                  description: "Production files must not use staging or development keys"
                  anyOf:
                    - matchRegex: "^arn:aws:kms:.*:alias/staging-cicd$"
                    - matchRegex: "^arn:aws:kms:.*:alias/development-cicd$"
            description: "Production environment rules"
            url: "https://internal-wiki/security/production-keys"

          # Staging rules
          - allOf:
              - description: "Staging files must use staging KMS keys in both regions"
                matchRegex: "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/staging-cicd$"
              - not:
                  description: "Staging files must not use production or development keys"
                  anyOf:
                    - matchRegex: "^arn:aws:kms:.*:alias/production-cicd$"
                    - matchRegex: "^arn:aws:kms:.*:alias/development-cicd$"
            description: "Staging environment rules"
            url: "https://internal-wiki/security/staging-keys"

          # Development rules
          - allOf:
              - description: "Development files must use development KMS keys in both regions"
                matchRegex: "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/development-cicd$"
              - not:
                  description: "Development files must not use production or staging keys"
                  anyOf:
                    - matchRegex: "^arn:aws:kms:.*:alias/production-cicd$"
                    - matchRegex: "^arn:aws:kms:.*:alias/development-cicd$"
            description: "Development environment rules"
            url: "https://internal-wiki/security/development-keys"

      # Only allow KMS keys from allowed regions, account, and alias pattern
      - matchRegex: "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/(production|staging|development)-cicd$"
        description: "Only allow KMS keys from eu-central-1 or eu-west-1, account 123456789012, and alias ending with -cicd"
        url: "https://internal-wiki/security/authorized-regions"

Running sops-check produces an output like this, explaining in detail the errors found:

❯ make demo
Running sops-check on demo directory...
Found issues in demo/bad/malicious-pgp-key.yaml:

    [allOf] Expected ALL of the nested rules to match, but found 2 failures:

      1) [anyOf] Expected ANY of the nested rule to match, but none did:

          1) [allOf] Production environment rules

            More details: https://internal-wiki/security/production-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Production files must use production KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/production-cicd$" was not found.

          2) [allOf] Staging environment rules

            More details: https://internal-wiki/security/staging-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Staging files must use staging KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/staging-cicd$" was not found.

          3) [allOf] Development environment rules

            More details: https://internal-wiki/security/development-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Development files must use development KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/development-cicd$" was not found.

      2) [matchRegex] Only allow KMS keys from eu-central-1 or eu-west-1, account 123456789012, and alias ending with -cicd

        More details: https://internal-wiki/security/authorized-regions

        Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/(production|staging|development)-cicd$" was not found.

    Unmatched trust anchors:
      - 1234567890ABCDEF1234567890ABCDEF12345678

Found issues in demo/bad/missing-age-key.yaml:

    [allOf] Expected ALL of the nested rules to match, but found one failure:

      1) [match] Disaster recovery AGE key must be present in all files

        More details: https://internal-wiki/security/disaster-recovery

        Expected trust anchor "age1u79ltfzz5k79ex4mpl3r76p2532xex4mpl3z7vttctudr6gedn6ex4mpl3" was not found.

Found issues in demo/bad/mixed-environments.yaml:

    [allOf] Expected ALL of the nested rules to match, but found one failure:

      1) [anyOf] Expected ANY of the nested rule to match, but none did:

          1) [allOf] Production environment rules

            More details: https://internal-wiki/security/production-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [not] Expected nested rule to fail, but it did not:

                  1) [anyOf] Production files must not use staging or development keys

                    Matched trust anchors:
                      - arn:aws:kms:eu-west-1:123456789012:alias/staging-cicd

          2) [allOf] Staging environment rules

            More details: https://internal-wiki/security/staging-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [not] Expected nested rule to fail, but it did not:

                  1) [anyOf] Staging files must not use production or development keys

                    Matched trust anchors:
                      - arn:aws:kms:eu-central-1:123456789012:alias/production-cicd

          3) [allOf] Development environment rules

            More details: https://internal-wiki/security/development-keys

            Expected ALL of the nested rules to match, but found 2 failures:

              1) [matchRegex] Development files must use development KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/development-cicd$" was not found.

              2) [not] Expected nested rule to fail, but it did not:

                  1) [anyOf] Development files must not use production or staging keys

                    Matched trust anchors:
                      - arn:aws:kms:eu-central-1:123456789012:alias/production-cicd

Found issues in demo/bad/unauthorized-region.yaml:

    [allOf] Expected ALL of the nested rules to match, but found 2 failures:

      1) [anyOf] Expected ANY of the nested rule to match, but none did:

          1) [allOf] Production environment rules

            More details: https://internal-wiki/security/production-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Production files must use production KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/production-cicd$" was not found.

          2) [allOf] Staging environment rules

            More details: https://internal-wiki/security/staging-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Staging files must use staging KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/staging-cicd$" was not found.

          3) [allOf] Development environment rules

            More details: https://internal-wiki/security/development-keys

            Expected ALL of the nested rules to match, but found one failure:

              1) [matchRegex] Development files must use development KMS keys in both regions

                Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/development-cicd$" was not found.

      2) [matchRegex] Only allow KMS keys from eu-central-1 or eu-west-1, account 123456789012, and alias ending with -cicd

        More details: https://internal-wiki/security/authorized-regions

        Trust anchor matching regular expression "^arn:aws:kms:eu-(central|west)-1:123456789012:alias/(production|staging|development)-cicd$" was not found.

    Unmatched trust anchors:
      - arn:aws:kms:us-east-1:123456789012:alias/unauthorized-key

❌ Found 4 files with issues:
  - demo/bad/malicious-pgp-key.yaml
  - demo/bad/missing-age-key.yaml
  - demo/bad/mixed-environments.yaml
  - demo/bad/unauthorized-region.yaml
make: *** [demo] Error 1

I hope that this little automated compliance checking tool will help you to establish a better security posture of your SOPS files. Big thanks go to Martin Ohmann for writing the tool!

Note: If the above Git repo doesn't yet contain the demo code then please check out my fork github.com/schlomo/sops-check instead. The PR is currently pending.

What are your automated compliance challenges? Tektit Consulting and I are happy to assist you with resolving them and helping you to fully automate all your compliance requirements.


Comments

Post a Comment

Like this content? You could send me something from my Amazon Wishlist. Need commercial support? Contact me for Consulting Services.

Popular posts from this blog

Overriding / Patching Linux System Serial Number

Image
I'm a big fan of test driven development  (TDD) for infrastructure components. I'm currently working on a hardware-related topic where we also use the system serial number as identifier. To create a proper integration test, we need to be able to start a system and set the serial number to a known value. This can easily be done with the help of virtual machines like in VMware or VirtualBox , but I couldn't find a way for changing the system serial number on hardware boxes, cloud VMs (e.g. on Alibaba Cloud) or other Linux system. Problem Analysis I was thinking: Linux is the operating system where I can potentially do everything . So how hard can this be? After some digging around I found out that there are those main sources for the serial number on Linux: /sys/firmware/dmi/tables/DMI contains a binary blob of Desktop Management Interface data provided by the kernel and the dmidecode utility is commonly used to decode...
Read more

Bitkom Forum Open Source 2024 in Erfurt

Image
Triggered by a provocative announcement for their The Cuckoo in the Tendering Process: When the vendor loses to itself panel discussion by Peer Heinlein  ( Heinlein Support ) and Johannes Loxen  ( Sernet ) on LinkedIn, I attended the 10th Bitkom Open Source Forum  in Erfurt . This free one-day conference on open source in a business context has become a highly informative event - that is well worth attending. This year's motto of  The future of open source - fair, regulated, intelligent was exactly what I needed at the moment, and I spent the whole day in the Open Source - regulated  track. Cockoo or What Is My Business Model? The panel discussion was about the challenges Peer faces in marketing OpenTalk , the open source videoconferencing software that Heinlein Support has developed over the last few years. Competitors seem to be offering OpenTalk hosting packages in public tenders, even though they don't contribute to the code or fix bugs. In the end, Peer c...
Read more

Fixing Chrome Color Printing on Linux with HP Color LaserJet M880

Image
It seems like I can't get a printer that "just works". I recently decided to replace our HP X476 printer with something nicer and bigger, an HP Color LaserJet M880 ( background story & review in German ). And of course there is something that needs fixing: The Chrome browser on Linux wouldn't let us print in color, even though all other applications had no problem to print in color. Even with Chrome color printing was possible, if one used the system printing dialog instead of the built-in Chrome print preview. This strange behavior of course piqued my curiosity. After some digging around I found out that the Chrome browser needs to parse and understand  the printer driver PPD! Chrome tries to find out how to configure color or grayscale printing in order to offer the user the choice. If Chrome can't understand the printer driver then it simply doesn't offer the choice between color and grayscale — and then some printer driver default can ch...
Read more