Skip to content

External Accounts Can Read Your Secrets

Description

External entities who have obtained access to your organization's secrets could potentially gain access to your data. Therefore, it is crucial to exercise caution and consider the risks involved before allowing external access to your organization's secrets.

Risk triggers

  • GCP:

    • Permissions over the following services:

      • GCP Secret Manager

      • GCP Kubernetes Engine

      • GCP KMS (Key Management)

    • The entity will be qualified as external if it’s a Google group, or a service account not a part of an organization onboarded to the SailPoint Entro platform.

  • Azure:

    • App registration with permissions over the following services:

      • Azure storage keys

      • Azure key vault

      • Azure storage blob

      • Azure DevOps tokens

      • Azure Teams tokens

    • The app registration will be qualified as “External” if the parent tenant is not onboarded to the SailPoint Entro platform.

  • AWS:

    • Role with permissions to read secrets from one of these AWS services

      • Secrets manager

      • KMS

      • ACM

      • SSM

      • EKS

      • Kubernetes secrets

    • Role with external assume role permissions trust to an AWS account that isn’t onboarded to SailPoint Entro’s platform

Mitigation

Eliminate external attack surface

Allowing external accounts to read your secrets is considered a bad practice. To revisit external trust permissions, follow the mitigation steps in the platform.