AWS Partner Network (APN) Blog

Prevent Secret Sprawl with HCP Vault Radar


By Nic Gumina, Cloud Security Consultant – AWS
By Samuel Chniber, Sr Solutions Architect – AWS
By Manu Chandrasekhar, DevOps Consultant – AWS

In today’s digital landscape, securing enterprise applications requires organizations to manage an expanding array of secrets – from passwords and API keys to certificates and encryption keys. Unmanaged secrets frequently proliferate across development environments, source code repositories, configuration files, and infrastructure components, creating security vulnerabilities and compliance risks that often go undetected. Manual secret governance increases security risk through human error, inconsistent rotation practices, and weak access controls. To succeed, organizations need secrets management solutions that bring visibility and provide remediation measures at operational speed.

In this blog post, we show you how HashiCorp Cloud Platform (HCP) Vault Radar can help organizations address the challenges around secret sprawl and bring visibility into both the managed and unmanaged secrets distributed across your organization’s data sources. HashiCorp is an AWS Specialization Partner and AWS Marketplace Seller that provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.

HCP Vault Radar as a Solution

HCP Vault Radar is a managed feature integrated with HashiCorp Cloud Platform that provides automated detection and analysis of secrets, sensitive data, and potentially problematic content across an organization’s codebase. The service operates continuously in the background, scanning your data sources and providing real-time insights into potential security risks and compliance issues.

Beyond traditional secrets detection, it can identify Personally Identifiable Information (PII) such as social security numbers, credit card information, and personal contact details that might be inadvertently exposed in code repositories. Additionally, the service includes scanning for non-inclusive language (NIL), helping organizations maintain professional and respectful codebases while adhering to modern development practices and cultural sensitivity standards.

Vault Radar also integrates natively with HCP Vault, allowing customers to correlate findings with managed secrets that are in need of rotation. This reduces the sprawl of managed secrets as plain text in the customer’s data sources.

Benefits of using Vault Radar

HCP Vault Radar lets you choose a scanning method that suits your infrastructure and compliance needs. HCP Vault Radar can be configured to run as an agent-based scan for resources that are not publicly available and therefore not reachable from HashiCorp Cloud Platform. The agent can be deployed locally or as a pod within a Kubernetes cluster. HCP Vault Radar can also be integrated with Vault instances (HCP Vault Dedicated or an Enterprise cluster) to provide visibility into managed secrets that require rotation based on the findings.

Figure 1: Vault Radar scan types

Some of the key benefits of Vault Radar include:

  • Stop secret sprawl: Vault Radar provides the means to ensure your secrets ecosystem maintains the configurations required by your compliance obligations around secrets management, rotation, and monitoring. The Vault Radar CLI allows customers to scan various data sources across the organization, including AWS Systems Manager Parameter Store, Confluence, and Slack.
  • Prioritization: Enhanced visibility into your secrets across your environment and your software delivery lifecycles helps teams prioritize and manage findings efficiently. Radar allows for the creation of custom severity rules based on the content of findings, which can be combined with the available audit trail data to aid in investigations and remediation. Radar has native connectors with Atlassian Jira and ServiceNow for automatic ticket creation on a per-finding basis, making it easy to integrate into existing workflows and organizational practices.
  • Remediation: Vault Radar provides remediation suggestions based on activeness checks of the secret detected within the codebase. Customers can customize these suggestions with their own organization’s remediation steps.

Figure 2: Define remediation suggestions

  • Prevention: As an example, using the Vault Radar GitHub app, Radar can be configured to run against every pull request in a target GitHub repository, both at the tip of the pull request and in its commit history. When enabled, Radar offers two enforcement levels for pull request checks: marking the scan check as failed when secrets are detected, or blocking the pull request when the scan results show secrets.

Figure 3: Vault Radar GitHub App

Integration with AWS

HCP Vault Radar integrates with Amazon Web Services (AWS), enhancing security and operational efficiency for organizations running on cloud infrastructure. The integration extends to critical AWS services such as AWS Systems Manager Parameter Store and Amazon S3. HCP Vault Radar’s scanning capabilities enable organizations to proactively identify and manage unmanaged secrets across their AWS environments.

For AWS Systems Manager Parameter Store, the Vault Radar CLI can scan parameters of type String and StringList, helping teams maintain a secure configuration management practice.
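To make the type distinction concrete, here is an added Python example (not part of HashiCorp’s tooling) that triages a constructed Parameter Store listing: only String and StringList values are stored in plaintext and therefore in scope, SecureString values are KMS-encrypted and skipped, and in-scope values are checked for an AWS access key ID shape or a sensitive-looking parameter name. The parameter names, values, and detector rules are assumptions made for the illustration.

```python
"""Triage AWS Systems Manager parameters the way a plaintext secret scan sees them.

Assumption: records mirror the Name/Type/Value shape of SSM GetParametersByPath
output; the parameter names and values below are constructed, not real.
"""
import re

# Constructed sample of what a parameter store listing might return.
SAMPLE_PARAMETERS = [
    {"Name": "/app/db/host", "Type": "String", "Value": "db.internal.example"},
    {"Name": "/app/db/password", "Type": "String", "Value": "Hunter2-but-plaintext"},
    {"Name": "/app/aws/key", "Type": "String", "Value": "AKIAEXAMPLEEXAMPLE01"},
    {"Name": "/app/allowed", "Type": "StringList", "Value": "alpha,beta,gamma"},
    {"Name": "/app/db/secure", "Type": "SecureString", "Value": "(encrypted)"},
]

IN_SCOPE_TYPES = {"String", "StringList"}              # plaintext types a scan reads
KEY_ID_PATTERN = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # AWS access key ID shape
SENSITIVE_NAME = re.compile(r"(password|secret|token|key)", re.I)


def triage(parameters):
    """Return (name, reason) for in-scope parameters that look like unmanaged secrets."""
    flagged = []
    for p in parameters:
        if p["Type"] not in IN_SCOPE_TYPES:
            continue  # SecureString is already KMS-encrypted: managed, not sprawl
        values = p["Value"].split(",") if p["Type"] == "StringList" else [p["Value"]]
        for value in values:
            if KEY_ID_PATTERN.search(value):
                flagged.append((p["Name"], "aws_access_key_id"))
            elif SENSITIVE_NAME.search(p["Name"]) and len(value) >= 8:
                # Name says "secret"; a plaintext value here belongs in Vault or SecureString
                flagged.append((p["Name"], "sensitive_name_plaintext"))
    return flagged
```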

The HashiCorp Vault Radar CLI documentation at the following link describes its capabilities for AWS Systems Manager Parameter Store scans, including example Vault Radar CLI invocations.

Similarly, with Amazon S3, Vault Radar can scan all objects within specified buckets, and can narrow a scan to a prefix. The scans can be triggered from customer CI/CD pipelines to generate SARIF files that compile the list of identified secrets along with additional metadata about each finding.

Figure 4: Scan results in SARIF format
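As an added illustration (not HashiCorp’s code), the following Python consumes a SARIF file such as the one a CI/CD scan writes, compiles the finding list with its metadata, and decides whether the pipeline should fail. The SARIF document, rule ids, paths, and the `activeness` property under `properties` are constructed assumptions, not real Vault Radar output.

```python
"""Compile SARIF secret-scan results into a finding list and a CI verdict.

Assumption: the scanner emits standard SARIF 2.1.0 (runs[].results[]); the
document below is constructed sample data, not a real scanner's output.
"""
import json

# Constructed SARIF document standing in for a scanner's output file.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-secret-scanner"}},
        "results": [
            {"ruleId": "aws_access_key_id", "level": "error",
             "message": {"text": "AWS access key ID found"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/prod.env"},
                 "region": {"startLine": 12}}}],
             "properties": {"activeness": "active"}},
            {"ruleId": "generic_password", "level": "warning",
             "message": {"text": "Possible password in test fixture"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/db.yaml"},
                 "region": {"startLine": 3}}}],
             "properties": {"activeness": "inactive"}},
        ],
    }],
})


def compile_findings(sarif_text):
    """Flatten SARIF results into rule/path/line/level/activeness records."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "path": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "level": res.get("level", "warning"),
                # "properties" is SARIF's extension bag; "activeness" is our assumed key
                "activeness": res.get("properties", {}).get("activeness", "unknown"),
            })
    return findings


def pipeline_should_fail(findings):
    """Gate policy: block on any error-level finding or any secret verified active."""
    return any(f["level"] == "error" or f["activeness"] == "active" for f in findings)
```

A pipeline step would call `compile_findings` on the scanner’s output file and exit non-zero when `pipeline_should_fail` returns True, mirroring the fail-or-block choice described for pull request checks above.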

If you would like to know more about the Vault Radar CLI options for Amazon S3 bucket scans, refer to the following link.

With the Vault Radar CLI, customers can maintain compliance at the developer level by running scans in local pre-commit hooks while continuing to evaluate the same sources in their CI/CD pipelines.

Conclusion

With its integration into the broader HashiCorp Vault ecosystem, Vault Radar helps organizations transition efficiently from discovering unmanaged secrets to implementing robust secrets management practices, ultimately strengthening their overall security posture and meeting compliance requirements. To learn more about HCP Vault Radar, please check the HashiCorp blog and the launch video. You can also find HashiCorp Cloud Platform in the AWS Marketplace.


HashiCorp – AWS Partner Spotlight

HashiCorp is an AWS Technology Partner and AWS Competency Partner that provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.

Contact HashiCorp | Partner Overview | AWS Marketplace