Nomad ACL Token
Service Name: HashiCorp Nomad
Service Description: HashiCorp Nomad is a flexible workload orchestrator that enables organizations to easily deploy and manage containers, legacy applications, and batch jobs across on-premises and cloud environments. It provides a unified workflow for deploying applications across different infrastructure.
Service Address: https://www.nomadproject.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured through Nomad's ACL system and network policies.
Secret Access Scope: Grants access to Nomad resources based on the policy associated with the token. Can provide capabilities for job management, node access, agent operations, and other Nomad cluster operations.
Secret Revokement URL: https://developer.hashicorp.com/nomad/api-docs/acl-tokens#delete-token
Secret Example: 9f48d3c8-7d49-4490-8937-b5b3cbd5b9a4
Suspicious Activity Investigation Instructions:
- Review Nomad server logs for unusual API calls or resource access
- Check for unauthorized job submissions or modifications
- Monitor for unexpected node registrations or deregistrations
- Examine audit logs for unusual token usage patterns
- Verify if the token was used from unexpected IP addresses or locations
- Check for policy modifications that might have expanded token permissions
Mitigation Instructions:
- Immediately revoke the compromised token using the Nomad CLI:
nomad acl token delete <token_id> - Alternatively, use the Nomad API to delete the token:
DELETE /v1/acl/token/:accessor_id - Create a new token with appropriate policies to replace the compromised one.
- Review and potentially update ACL policies to enforce the Principle of Least Privilege.
- Rotate any other secrets that might have been accessible via the compromised token.
- Consider implementing shorter token TTLs (Time To Live) for future tokens
- Enable audit logging if not already enabled to better track token usage
- Review Nomad cluster security settings and access controls