12 Secrets Management

This chapter covers:

  • Securing State and Log Files
  • Managing Static and Dynamic Secrets
  • Enforcing “Policy as Code” with Sentinel

On July 25th, 2019, it was reported that the Democratic Senatorial Campaign Committee (DSCC) had exposed over 6.2 million email addresses in what became one of the largest data breaches of all time. The vast majority of addresses belonged to American consumers, although thousands of university, government and military personnel’s emails were compromised as well. The root cause behind the incident was a small configuration error: an improperly configured S3 bucket. The email addresses had been stored in a single large spreadsheet, named “EmailExcludeClinton.csv”, which was marked as publicly accessible to anyone with an AWS account. At the time of discovery, the data had been left exposed on the Internet for at least nine years.

This cautionary tale should serve as a warning to anyone who fails to take information security seriously. Data breaches are enormously detrimental, not only for the public, but for corporations as well. Loss of brand reputation, loss of future revenue, and government-imposed fees and fines are just some of the potential consequences. All it takes for a data breach to occur is a slight oversight, such as an improperly configured S3 bucket, and the mistake may not even be discovered until many years down the road.

12.1  Securing Terraform State

12.1.1    Removing Unnecessary Secrets

12.1.2    Least Privileged Access Control

12.1.3    Encryption at Rest

12.2  Securing Logs

12.2.1    What Sensitive Information?

12.2.2    Dangers of Local-Exec Provisioners

12.2.3    Dangers of External Data Sources

12.2.4    Restricting Access to Logs

12.3  Managing Static Secrets

12.3.1    Environment Variables

12.3.2    Terraform Variables

12.4  Utilizing Dynamic Secrets

12.4.1    HashiCorp Vault

12.4.2    AWS Secrets Manager

12.5  Sentinel and Policy as Code

12.5.1    Writing a Basic Sentinel Policy

12.5.2    Blocking Local-Exec Provisioners

12.6  Final Words

12.7  Summary
