Skip to content

ACL Permissions over Secret

Description

Limiting access to vault-stored secrets is vital for security. Fewer users reduce breach risks and non-compliance, making security management easier. Use SailPoint Entro’s activity tracking to analyze identities accessing this secret effectively.

Risk triggers

  • Any secret that can be accessed by more than 5 unique non-admin identities, will trigger this risk.

Mitigation

Permissions targeting a secret should be reduced.

Create granular policies that only allow fetching secrets relevant to their use to eliminate unnecessary permissions applied to your secrets.

JSON Example

Risk JSON

account: {environment: "dev", environmentType: "DEV"}
accountId: "120768082511"
accountType: "AWS"
category: "LEAST_PRIVILEGE"
correlationGuid: null
creationDate: "2024-09-07T00:48:51.535Z"
customData: null
customerId: 34
data: {type: "read", users: ["arn:aws:iam::120768082511:user/Dan-Test-22.12.22",…], numberOfUsers: 15}
    numberOfUsers: 15
    type: "read"
    users: ["arn:aws:iam::120768082511:user/Dan-Test-22.12.22",…]
        0: "arn:aws:iam::120768082511:user/Dan-Test-22.12.22"
        1: "arn:aws:iam::120768082511:user/UserPriv"
        2: "arn:aws:iam::120768082511:user/6b828947-e1f3-4528-a706-16c20a7615b0"
        3: "arn:aws:iam::120768082511:role/awsqs-kubernetes-resource"
        4: "arn:aws:iam::120768082511:role/sam-entro-onboarding-CreateConnector"
        5: "arn:aws:iam::120768082511:role/sam-uptime-checks"
        6: "arn:aws:iam::120768082511:user/8958a274-d039-4e45-a73d-a5ca701f7d4d"
        7: "arn:aws:iam::120768082511:role/IWtQaW9FDAiu"
        8: "arn:aws:iam::120768082511:role/awsqs-kubernetes-helm"
        9: "arn:aws:iam::120768082511:user/SamSmith"
        10: "arn:aws:iam::120768082511:user/adminUserDev"
        11: "arn:aws:iam::120768082511:user/ca716de6-321a-46c5-993b-df4c304842f1"
        12: "arn:aws:iam::120768082511:role/awsqs-kubernetes-get"
        13: "arn:aws:iam::120768082511:user/alex_pekker_dev"
        14: "arn:aws:iam::120768082511:role/mWgaB1gbPasM"
description: "Limiting access to vault stored secrets is crucial for security and protection. Too many users can increase the risk of breaches and non-compliance. It's easier to monitor and maintain security with a smaller group of users with access. Use Entro's activity tracking to better analyze identities that are fetching this secret."
destination: "GOOGLE_GCP_SERVICE_ACCOUNT"
guid: "RSK-8334"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 35894
isArchived: false
key: "LEAST_PRIVILEGE-SEC-2648"
linkedElements: ["SEC-2648"]
logChangeType: null
modifyDate: "2024-09-08T00:00:45.281Z"
name: "Many identities can read a secret"
occurrences: []
owner: "DanDurant"
ownerAiObject: null
ownerUid: null
path: "us-east-1/8e39e631-99fe-436d-ac4b-f1f54370dc6b-aff1489c-0e2f-44ff-9c7d-8d1b6357d384"
ruleCode: "ACL_MANY_SECRET"
scanId: 1358703
severity: "MEDIUM"
source: "AWS"
status: "OPEN"
tags: ["Least Privilege", "dev"]
tasks: [{customerId: 34, riskId: 35894, type: "REDUCE_SPECIFIC_PERM", level: "HARD",…}]
type: "LEAST_PRIVILEGE"

Linked Element (Vaulted Secret) JSON

accessorsPolicies: {,…}
    groups: [{data: {Arn: "arn:aws:iam::120768082511:group/test_grp", Path: "/", users: [,…],…},…}]
    roles: [{,…}, {data: {Arn: "arn:aws:iam::120768082511:role/awsqs-kubernetes-get", Path: "/",…},…},…]
    users: [{data: {Arn: "arn:aws:iam::120768082511:user/6b828947-e1f3-4528-a706-16c20a7615b0", Path: "/",…},…},…]
account: {environment: "dev", environmentType: "DEV", accountType: "AWS", id: "120768082511"}
accountId: "120768082511"
accountType: "AWS"
azureSecretType: null
correlationGuid: null
creatorsPolicies: {,…}
customerId: 34
devices: [{role: "saas-assume-role", region: "us-east-1", ipAddress: "34.239.28.160",…}]
errors: ["UNCLASSIFIED"]
guid: "SEC-2648"
isActive: false
isArchived: false
isIdle: false
lastAccsesTime: "1800-01-01T00:00:00.000Z"
liminalCreationDate: "2024-09-04T03:59:17.956Z"
liminalModifyDate: "2024-10-29T14:53:22.755Z"
modifiersPolicies: {roles: [{,…}, {data: {,…},…}, {,…}, {,…}, {,…}, {,…}, {,…}, {,…},…],…}
origin: null
owner: "DanDurant"
ownerAiObject: null
ownerUid: null
riskSeverity: "MEDIUM"
scanId: 2951468
secretArn: "arn:aws:secretsmanager:us-east-1:120768082511:secret:8e39e631-99fe-436d-ac4b-f1f54370dc6b-aff1489c-0e2f-44ff-9c7d-8d1b6357d384-QaYhxK"
secretCreationDate: "2024-09-04T03:02:31.361Z"
secretCreatorJSON: "{\"username\":\"DanDurant\",\"userArn\":\"arn:aws:iam::120768082511:user/DanDurant\",\"sourceIP\":\"34.239.28.160\",\"accessTime\":\"2024-09-04T03:02:31.000Z\",\"userAgent\":\"aws-sdk-js/3.332.0 os/linux/5.10.223-212.873.amzn2.x86_64 lang/js md/nodejs/19.9.0 api/secrets_manager/3.332.0 exec-env/AWS_ECS_FARGATE\",\"eventName\":\"CreateSecret\"}"
secretLastAccessorJSON: "null"
secretLastModifierJSON: "{\"username\":\"DanDurant\",\"user
secretModifiedDate: "2024-09-04T15:52:21.184Z"
secretName: "8e39e631-99fe-436d-ac4b-f1f54370dc6b-aff1489c-0e2f-44ff-9c7d-8d1b6357d384"
secretObject: {}
secretRotationDate: "2024-09-04T03:02:31.361Z"
secretStore: "us-east-1"
secretTotalAccess: 0
secretTotalAccessors: 0
secretTotalIp: 1
secretTotalUserAgent: 0
secretVersion: ""
state: null
tags: {tags: []}
uid: "566747f0-3d0e-4e0a-890d-fda9d721186f"
vaultName: "us-east-1"
vaultPermissions: {}
versionCount: 10