3

I'm looking at using a cloud-based continuous deployment server to push production code for my application.

Because it's a cloud-based server, this requires me to give them a private SSH key that has access to push the appropriate files to my production server. I figure with the principle of least privilege, this SSH key should allow login to a locked-down user with write privileges to only a few directories. Then the production server can use upstart or other types of scripts that detect the code changes and start running the new code.

Suppose my threat model is that the private SSH key gets leaked from their end. Is it possible to mitigate this risk at all? Even if I lock down the user as much as possible, eventually code that is pushed by the user will be executed by the webserver user (which has greater privileges). So it seems that any leak of the SSH key that I give them will result in the possibility of remote code execution.

Are there any best practices in setting up a cloud-based CI/CD server, or is that just a risk I have to take?

Hetul Patel

1 Answer

1

One mitigation you can use is to IP restrict that upload as well - you know where a legitimate upload will come from, after all. This will mitigate against SSH key loss through means that don't compromise the actual server (i.e., backup losses, disk duplication, read-only exploits, etc.).

You can further mitigate using agreements - that they will follow appropriate security measures, that they will encrypt your data before backing it up, that they patch servers regularly.

I could imagine some sort of one-time-use token that gets added to your source repo project by systems you control and that change being what triggers the build. Your webserver could reject builds without a valid token or with a token it has seen before. This may be excessive, however, and is much more complicated. It is likely more appropriate for CI where there is a manual gate before production deploy, rather than CD where it goes in if it passes the tests, as well.

crovers
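The one-time-use token idea from the answer above, sketched as an added example that is not part of the original answer. It assumes an HMAC key shared only between the system that approves releases and the production server, and a hypothetical `release_id` string that identifies the code being deployed; `issue_token` and `DeployGate` are illustrative names.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key. Assumption: the real key lives only on the system that
# approves releases and on the production server, never at the CI/CD provider.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def issue_token(key, release_id, ttl=3600, now=None):
    """Run on a system you control: mint a token bound to one release."""
    expires = int((time.time() if now is None else now) + ttl)
    nonce = secrets.token_hex(16)
    msg = f"{nonce}.{expires}.{release_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{tag}"


class DeployGate:
    """Run on the production server before pushed code is activated."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # in-memory for the demo; persist this in practice

    def accept(self, token, release_id, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
            return "malformed"
        nonce, expires, tag = parts
        # Recompute the MAC over the release actually received, so a token
        # issued for one release cannot authorize different code.
        msg = f"{nonce}.{expires}.{release_id}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad-signature"
        if now > int(expires):
            return "expired"
        if nonce in self.seen:
            return "replayed"  # token already used once
        self.seen.add(nonce)
        return "ok"
```

With this gate in place, a leaked upload key alone is not enough to get code activated: the push must also carry a token that verifies for that exact release and has not been used before.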