Secrets Management #
TLDR: Build and runtime secrets are stored securely and documented appropriately
Rationale: Leaked secrets such as api keys, cryptography keys, identity tokens are a common attack scenario.
Background #
Secrets must be stored in a secure way, and a documented in a central place. Cryptographic failures are the second highest risk in the OWASP top ten so rigor and process is essential.
How we implement this control #
- We use AWS secrets manager to store infrastructure secrets
- Secrets are provisioned in our terraform model (instructions here)
- Secrets are entered via the AWS cloud console by the authorized team members