Ansible Security Mechanisms

Frank Albert

Dec 8, 2016, 9:55:13 AM
to Ansible Project
Hello Experts,

I am using Ansible to configure my Windows servers with PowerShell playbooks. The Ansible server communicates with the endpoints using WinRM connections.

I fear that if in any case the Ansible server gets compromised, the attacker can modify the playbooks and execute malicious code on all my endpoint Windows servers.

Any ideas for securing the Ansible infrastructure?

Thanks

Frank


J Hawkesworth

Dec 9, 2016, 2:04:12 PM
to Ansible Project
There's lots you can do, but it's up to you what is an appropriate level of risk.

Using vault to encrypt all credentials for connecting to your hosts and not storing your vault password on disk would help.

You could keep your ansible configuration in source control and build a new ansible controller virtual machine whenever you needed to do a deployment if you wanted to, although that would be a pain if you do lots of production deployments.

I am no expert, but well-managed secrets, removing weak crypto and keeping systems patched go a long way towards getting a full night's sleep.

Jon
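
As an added example (not part of either post, and not code from the Ansible project): a small audit that could be run over a checkout of the Ansible repository to check the two points in the reply above, that connection credentials are vault-encrypted and that the vault password is not kept on disk. The list of credential variables, the file names and the sample values are assumptions constructed for illustration.

```python
import configparser
import re
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first bytes of a file encrypted with ansible-vault
# Connection-credential variables (assumed list; extend it with your own variable names).
SECRET = re.compile(r"\b(ansible_password|ansible_ssh_pass|ansible_become_pass(?:word)?)\s*[:=]\s*(\S.*)?$")

def audit_vars(name, text):
    """Report credential variables stored in cleartext in one vars or inventory file."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []  # the whole file is vault-encrypted
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET.search(line)
        if not m or line.lstrip().startswith("#"):
            continue
        value = (m.group(2) or "").strip("\"' ")
        # "!vault |" is an inline-encrypted value; "{{ var }}" points at a variable kept elsewhere.
        if not value or value.startswith(("!vault", "{{")):
            continue
        findings.append(f"{name}:{lineno}: cleartext {m.group(1)}")
    return findings

def audit_cfg(name, text):
    """Report an ansible.cfg that points Ansible at a vault password source on disk."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    path = cfg.get("defaults", "vault_password_file", fallback=None)
    return [f"{name}: vault_password_file={path} keeps the vault password on disk"] if path else []

def audit_tree(root):
    """Walk a checkout of the Ansible repository and collect all findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "ansible.cfg":
            findings += audit_cfg(str(path), text)
        elif path.suffix in {".yml", ".yaml", ".ini", ""}:
            findings += audit_vars(str(path), text)
    return findings

# Constructed sample inputs (not taken from the thread).
SAMPLE_VARS = 'ansible_user: deploy\nansible_password: Summer2016!\nansible_become_pass: "{{ vault_become_pass }}"\n'
SAMPLE_CFG = "[defaults]\nvault_password_file = ~/.vault_pass.txt\n"
if __name__ == "__main__":
    print("\n".join(audit_vars("group_vars/windows.yml", SAMPLE_VARS) + audit_cfg("ansible.cfg", SAMPLE_CFG)))
```

Running `audit_tree(".")` as a pre-merge check in source control makes a cleartext WinRM password or a committed vault password file visible before it reaches the controller.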
