Skip to content

Vault Root Token

Service Name: HashiCorp Vault

Service Description: HashiCorp Vault is a secrets management tool that securely stores and controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing.

Service Address: https://www.vaultproject.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured through Vault's network ACLs and firewall rules.

Secret Access Scope: Root tokens in Vault have unlimited access to the entire Vault system with no restrictions. They can perform any operation, manage all policies, access all secrets, and cannot be restricted by ACL policies.

Secret Revokement URL: https://developer.hashicorp.com/vault/docs/commands/token/revoke

Secret Example: hvs.CAESIJyR7yJjnlLgOkQTRlzl0jBUH9jQRV5LYYHwYnmOY5JnGh4KHGh2cy5lVXRQUjFUUTFSOFZFZDFkWnpWZmVOMnc

Suspicious Activity Investigation Instructions:

  • Review Vault audit logs for unusual operations or access patterns
  • Check for unauthorized policy changes or secret access
  • Monitor for new tokens being created with root-level permissions
  • Examine authentication attempts from unusual IP addresses or locations
  • Look for unusual volume of secret access or API calls

Mitigation Instructions:

  • Immediately revoke the compromised root token using vault token revoke <token>.
  • Generate a new root token using a quorum of unseal keys.
  • Rotate all secrets that may have been accessed by the compromised token.
  • Review and update Vault policies to enforce the Principle of Least Privilege.
  • Enable and review audit logs to track token usage
  • Consider implementing shorter TTLs for future root tokens
  • Implement Vault response wrapping for sensitive operations
  • Consider implementing periodic root tokens that require regular renewal