View on Github
Secrets Management

Secrets Management #

TLDR: Build and runtime secrets are stored securely and documented appropriately
Rationale: Leaked secrets such as api keys, cryptography keys, identity tokens are a common attack scenario.

Background #

Secrets must be stored in a secure way, and a documented in a central place. Cryptographic failures are the second highest risk in the OWASP top ten so rigor and process is essential.

Change Records

How we implement this control #

Infrastructure secrets #

  • We use AWS secrets manager to store infrastructure secrets.
  • Infrastructure secrets are handled with a separate terraform-server repository together with other server information.
  • The update, creation and deletion of secrets is described in secrets/README.md.
  • We use a set of helper programs to update the secrets for the different servers. In addition to updating the secrets, the helper program also:
    • Tracks which server the secret was updated for.
    • When and by who was the secrete updated.
    • When does the secrete expire.
  • We have a daily GitHub job that checks if any secrete will expire within the next month.
  • If a secrete is going to expire soon a message is sent to our dedicated slack channel

CI workflow secrets #

  • We use GitHub action secrets to store CI workflow secrets.
  • CI workflow secretes are either repository secretes or organization secretes.
  • Repository secretes are tracked in the repository where they are used.
  • Organization secretes are tracked in the server repository.
  • In every repository that uses CI workflow secretes there is a secrets directory. It contains a README.md file with general information and one file per secret. The file gives detailed information about how to get a new secret and how to update them. It also contains
    • When and by who was the secrete updated.
    • When does the secrete expire.
  • In every repository there is a daily GitHub job that checks if any secrete will expire within the next month.
  • If a secrete is going to expire soon a message is sent to our dedicated slack channel

Check if new secrets has been added #

  • Every 3 months we check if any new infrastructure or CI secrets has been added. In the server repository there is a bin/check_new_secrets.sh script that will do the check and tell you if any secrets has been added.
  • The evidence that we ran check for new secrets are recorded in the secrets-updated flow.
  • We have a daily GitHub job that checks if it is more than three months since last time we checked for new secrets.

© Kosli 2022, all rights reserved
CCPA Do not sell my info