HashiCorp Vault Token
Service Name: HashiCorp Vault
Service Description: HashiCorp Vault is a secrets management tool that securely stores and controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing.
Service Address: https://www.vaultproject.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured through Vault's access control policies and network segmentation.
Secret Access Scope: Grants access to secrets stored in Vault based on the token's associated policies. Can provide access to encryption/decryption operations, database credentials, cloud provider credentials, and other sensitive information.
Secret Revokement URL: https://developer.hashicorp.com/vault/docs/commands/token/revoke
Secret Example: hvs.CAESIJyR7Fxps1a4Hg1JZ0Bw9qN9WzpLFwJJbVR0GnHRLaWpGh4KHGh2cy5qZUV5eEJGMmJCQnBUeDRMVnBQd3JyaHg
Suspicious Activity Investigation Instructions:
- Review Vault audit logs for unusual token usage patterns
- Check for unexpected token creation or policy modifications
- Monitor for access attempts from unusual IP addresses or outside normal hours
- Verify if tokens have been created with excessive privileges
- Examine token usage across different Vault paths and secrets engines
Mitigation Instructions:
- Revoke the compromised token immediately using the Vault CLI:
vault token revoke <token> - Alternatively, revoke through the UI or API endpoint
- Review and rotate any secrets that may have been accessed by the compromised token
- Audit all tokens created by the same entity that created the compromised token
- Enable shorter TTLs (Time-To-Live) for tokens to limit exposure
- Implement more restrictive policies for token creation and usage
- Consider enabling multi-factor authentication for sensitive operations
- Review Vault's access control policies to enforce the Principle of Least Privilege