Secrets Management #
TLDR: Build and runtime secrets are stored securely and documented appropriately
Rationale: Leaked secrets such as api keys, cryptography keys, identity tokens are a common attack scenario.
Background #
Secrets must be stored in a secure way, and a documented in a central place. Cryptographic failures are the second highest risk in the OWASP top ten so rigor and process is essential.
How we implement this control #
Infrastructure secrets #
- We use AWS secrets manager to store infrastructure secrets.
- Infrastructure secrets are handled with a separate terraform-server repository together with other server information.
- The update, creation and deletion of secrets is described in secrets/README.md.
- We use a set of helper programs to update the secrets for the different servers. In addition to updating
the secrets, the helper program also:
- Tracks which server the secret was updated for.
- When and by who was the secrete updated.
- When does the secrete expire.
- We have a daily GitHub job that checks if any secrete will expire within the next month.
- If a secrete is going to expire soon a message is sent to our dedicated slack channel
CI workflow secrets #
- We use GitHub action secrets to store CI workflow secrets.
- CI workflow secretes are either repository secretes or organization secretes.
- Repository secretes are tracked in the repository where they are used.
- Organization secretes are tracked in the server repository.
- In every repository that uses CI workflow secretes there is a
secrets
directory. It contains aREADME.md
file with general information and one file per secret. The file gives detailed information about how to get a new secret and how to update them. It also contains- When and by who was the secrete updated.
- When does the secrete expire.
- In every repository there is a daily GitHub job that checks if any secrete will expire within the next month.
- If a secrete is going to expire soon a message is sent to our dedicated slack channel
Check if new secrets has been added #
- Every 3 months we check if any new infrastructure or CI secrets has been added. In the
server repository there is a
bin/check_new_secrets.sh
script that will do the check and tell you if any secrets has been added. - The evidence that we ran check for new secrets are recorded in the secrets-updated flow.
- We have a daily GitHub job that checks if it is more than three months since last time we checked for new secrets.