Skip to content

HashiCorp Vault Token

Service Name: HashiCorp Vault

Service Description: HashiCorp Vault is a secrets management tool that securely stores and controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing.

Service Address: https://www.vaultproject.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured through Vault's access control policies and network segmentation.

Secret Access Scope: Grants access to secrets stored in Vault based on the token's associated policies. Can provide access to encryption/decryption operations, database credentials, cloud provider credentials, and other sensitive information.

Secret Revokement URL: https://developer.hashicorp.com/vault/docs/commands/token/revoke

Secret Example: hvs.CAESIJyR7Fxps1a4Hg1JZ0Bw9qN9WzpLFwJJbVR0GnHRLaWpGh4KHGh2cy5qZUV5eEJGMmJCQnBUeDRMVnBQd3JyaHg

Suspicious Activity Investigation Instructions:

  • Review Vault audit logs for unusual token usage patterns
  • Check for unexpected token creation or policy modifications
  • Monitor for access attempts from unusual IP addresses or outside normal hours
  • Verify if tokens have been created with excessive privileges
  • Examine token usage across different Vault paths and secrets engines

Mitigation Instructions:

  • Revoke the compromised token immediately using the Vault CLI: vault token revoke <token>
  • Alternatively, revoke through the UI or API endpoint
  • Review and rotate any secrets that may have been accessed by the compromised token
  • Audit all tokens created by the same entity that created the compromised token
  • Enable shorter TTLs (Time-To-Live) for tokens to limit exposure
  • Implement more restrictive policies for token creation and usage
  • Consider enabling multi-factor authentication for sensitive operations
  • Review Vault's access control policies to enforce the Principle of Least Privilege