Alert when a human accesses a secret
sethvargo opened this issue · comments
TL;DR
Fire an alert when a user account accesses a secret in Secret Manager
Design
- Enable Data Access Logs `DATA_READ` for Google Secret Manager (more info), ideally via a configurable Terraform variable. The default value should be "off" due to the increased costs of enabling DAL.
- Fire a monitoring alert when that audit log appears and the actor type is "user". We must exclude service accounts since it's expected that service accounts access the secrets.
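The detection half of the design above, as an added example that is not part of this issue or the project's code: it runs the "user accessed a secret" rule over a few constructed Cloud Audit Log entries and also spells the same rule out as a Logging query. It assumes the Cloud Audit Log JSON shape (`logName`, `protoPayload.serviceName`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`) and that service-account identities end in `.gserviceaccount.com`; every sample entry is constructed.

```python
"""Flag human (non-service-account) reads of Secret Manager secrets in
Cloud Audit Data Access logs.

Added example for this issue, not project code. Assumed: the audit log
field names used below and the ".gserviceaccount.com" suffix as the marker
of a service-account principal. Sample log lines are constructed.
"""
import json
from typing import Iterable

SECRET_MANAGER = "secretmanager.googleapis.com"
DATA_ACCESS_LOG_SUFFIX = "cloudaudit.googleapis.com%2Fdata_access"
SERVICE_ACCOUNT_SUFFIX = ".gserviceaccount.com"

# The same rule as a Logging query (assumed field names), usable as the
# filter of a log-based metric that the alert policy watches.
LOG_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Fdata_access" '
    f'AND protoPayload.serviceName="{SECRET_MANAGER}" '
    'AND protoPayload.methodName:"AccessSecretVersion" '
    'AND NOT protoPayload.authenticationInfo.principalEmail:"gserviceaccount.com"'
)


def is_service_account(principal: str) -> bool:
    """Service accounts are expected to read secrets; they never alert."""
    return principal.lower().endswith(SERVICE_ACCOUNT_SUFFIX)


def is_human_secret_access(entry: dict) -> bool:
    """True only for a DATA_READ of a secret payload by a non-SA principal."""
    if not entry.get("logName", "").endswith(DATA_ACCESS_LOG_SUFFIX):
        return False  # activity/admin logs (CreateSecret etc.) are out of scope
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != SECRET_MANAGER:
        return False
    # AccessSecretVersion returns the secret bytes; GetSecret is metadata only.
    if not payload.get("methodName", "").endswith("AccessSecretVersion"):
        return False
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    return bool(principal) and not is_service_account(principal)


def find_human_accesses(lines: Iterable[str]) -> list[dict]:
    """Return one alert record per matching JSON log line."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if is_human_secret_access(entry):
            payload = entry["protoPayload"]
            alerts.append({
                "principal": payload["authenticationInfo"]["principalEmail"],
                "resource": payload.get("resourceName", ""),
                "time": entry.get("timestamp", ""),
            })
    return alerts


# Constructed sample entries: one human read (alerts), one service-account
# read (expected), one human metadata read, one human create in the activity log.
SAMPLE_LOG_LINES = [
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2021-01-01T00:00:00Z",
        "protoPayload": {
            "serviceName": SECRET_MANAGER,
            "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-proj/secrets/db-password/versions/1",
        },
    }),
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2021-01-01T00:01:00Z",
        "protoPayload": {
            "serviceName": SECRET_MANAGER,
            "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
            "authenticationInfo": {"principalEmail": "app@example-proj.iam.gserviceaccount.com"},
            "resourceName": "projects/example-proj/secrets/db-password/versions/1",
        },
    }),
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2021-01-01T00:02:00Z",
        "protoPayload": {
            "serviceName": SECRET_MANAGER,
            "methodName": "google.cloud.secretmanager.v1.SecretManagerService.GetSecret",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-proj/secrets/db-password",
        },
    }),
    json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2021-01-01T00:03:00Z",
        "protoPayload": {
            "serviceName": SECRET_MANAGER,
            "methodName": "google.cloud.secretmanager.v1.SecretManagerService.CreateSecret",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-proj/secrets/db-password",
        },
    }),
]

if __name__ == "__main__":
    for alert in find_human_accesses(SAMPLE_LOG_LINES):
        print(f"ALERT human secret access: {alert}")
```

The suffix check on the principal is what keeps Terraform's own service account from firing the alert; a human running Terraform under their own user credentials will still match, which is the open case the later comment describes.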
After some research, there's no way to enable DAL via Terraform. There's an API, but it also doesn't seem to work. As such, I've enabled DAL on the organization which will apply to all current and future projects.
(To be clearer, it exists, but it's authoritative. There's no way to say "enable this" - it's the entire audit policy on the project/folder. Since we don't know if there's other configuration on the project, it's not safe to apply since we might be deleting an existing audit config).
Most of this is done, but there's still an open issue with Terraform accessing secrets as part of its run...
These alerts fire!