HiveBrain v1.2.0

How do you know which secrets and credentials of your production services were used, and by whom/what?

Submitted by: @import:stackexchange-devops

Problem

The context of the question is Secrets management.

As the title says, how do you know which secrets and credentials of your production services were used, and by whom/what?

Solution

The short answer: you would need to use a secret management system that provides 'audit logs'.

There are many options for handling secrets out there, but unless the tool you use has audit logging, you'll never truly know for sure what credential was used where.

I see you mentioned using Hashicorp's Vault. That's a really good one. They have audit logging built in; they call it 'Audit Devices', which can be enabled with a simple command.

Again, there are many perfectly valid options for handling secrets: Chef Vault, 1Password, environment variables injected by your build instances, a home-grown solution using encrypted files stored on object storage, etc. However, unless the system specifically says it provides audit logging, you'll never truly know what was used when and where.

You can design a secrets system with the best intentions, and make many rules that employees have to follow in regard to how the secrets are accessed, but for auditing purposes, you want to know where the rules have been broken. If you have a firm requirement to always know when and where secrets were used, I recommend you stick with something like Hashicorp Vault, turn on Audit Devices, and then ship the log somewhere for storage or processing.
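As an added example (not part of the original answer), here is a small Python parser over constructed lines in the shape of Vault's JSON audit device output: it counts which principal performed which operation on each secret path, and flags requests by principals outside an assumed per-path allowlist, which is the "where the rules have been broken" check the answer describes. The field names follow Vault's audit format; the sample entries, paths, principal names and allowlist are all constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Vault's JSON audit device output (one
# object per line). Field names follow Vault's audit format; every value,
# path and principal name here is made up for the example.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-03-01T10:00:01Z","type":"request","auth":{"display_name":"approle-payments","entity_id":"ent-1"},"request":{"operation":"read","path":"secret/data/prod/payments/db","remote_address":"10.0.1.5"}}
{"time":"2024-03-01T10:00:01Z","type":"response","auth":{"display_name":"approle-payments","entity_id":"ent-1"},"request":{"operation":"read","path":"secret/data/prod/payments/db"},"response":{"data":{"password":"hmac-sha256:constructed"}}}
{"time":"2024-03-01T10:00:02Z","type":"request","auth":{"display_name":"token-alice","entity_id":"ent-2"},"request":{"operation":"read","path":"secret/data/prod/payments/db","remote_address":"192.0.2.10"}}
{"time":"2024-03-01T10:00:03Z","type":"request","auth":{"display_name":"approle-payments","entity_id":"ent-1"},"request":{"operation":"read","path":"secret/data/prod/payments/db","remote_address":"10.0.1.5"}}
this line is deliberately not JSON, to show that malformed input is skipped
"""


def parse_request_entries(log_text):
    """Yield parsed 'request' entries; skip 'response' twins and unparseable lines."""
    # Vault logs one request and one response object per call; counting both
    # would double every access, so only the request side is kept.
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") == "request":
            yield entry


def summarize_secret_access(log_text):
    """Map secret path -> {(principal, operation): count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for entry in parse_request_entries(log_text):
        auth, req = entry.get("auth") or {}, entry.get("request") or {}
        who = auth.get("display_name") or auth.get("entity_id") or "unknown"
        summary[req.get("path", "?")][(who, req.get("operation", "?"))] += 1
    return {path: dict(counts) for path, counts in summary.items()}


def find_policy_violations(log_text, allowed_principals):
    """Return (time, principal, path, operation, remote_address) for each request
    on an allowlisted path made by a principal not on that path's allowlist."""
    violations = []
    for entry in parse_request_entries(log_text):
        auth, req = entry.get("auth") or {}, entry.get("request") or {}
        who, path = auth.get("display_name", "unknown"), req.get("path", "")
        if path in allowed_principals and who not in allowed_principals[path]:
            violations.append((entry.get("time"), who, path,
                               req.get("operation"), req.get("remote_address")))
    return violations
```

Run against a real file audit device log, the same two functions answer the question as asked: the summary says which secret paths were used and by which principal, and the allowlist check surfaces the accesses that should not have happened.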

Context

StackExchange DevOps Q#3661, answer score: 1
