google / exposure-notifications-verification-server

Verification component for COVID-19 Exposure Notifications.


Alert when a human accesses a secret

sethvargo opened this issue · comments

TL;DR

Fire an alert when a user account accesses a secret in Secret Manager

Design

  • Enable Data Access Logs DATA_READ for Google Secret Manager (more info), ideally via a configurable Terraform variable. The default value should be "off" due to the increased costs of enabling DAL.
  • Fire a monitoring alert when that audit log appears and the actor type is "user". We must exclude service accounts since it's expected that service accounts access the secrets
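The detection half of the design, as an added example that is not part of this issue or of the project's code: a small filter that reads Cloud Audit Log entries (one JSON `LogEntry` per line), keeps only Secret Manager `AccessSecretVersion` data-access events, and reports the ones performed by a human rather than a service account. The field names (`protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail`) follow the public Cloud Audit Log schema; the exact method name and the `serviceAccountDelegationInfo` shape used to catch a human impersonating a service account are assumptions to verify against real logs, and the log lines themselves are constructed for the example.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Assumed constants (taken from the public Cloud Audit Log / Secret Manager API
# naming; verify the method name against your own data-access logs).
SECRET_MANAGER_SERVICE = "secretmanager.googleapis.com"
ACCESS_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"

# Equivalent Cloud Logging filter an alerting policy could use (assumed form).
LOG_FILTER = (
    f'protoPayload.serviceName="{SECRET_MANAGER_SERVICE}" AND '
    f'protoPayload.methodName="{ACCESS_METHOD}" AND '
    'NOT protoPayload.authenticationInfo.principalEmail:"gserviceaccount.com"'
)

# Constructed sample log lines, not taken from any real project.
SAMPLE_LOG_LINES = [
    # 1. A human reads a secret version: this is the case the alert exists for.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": SECRET_MANAGER_SERVICE,
            "methodName": ACCESS_METHOD,
            "resourceName": "projects/example-project/secrets/db-password/versions/3",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    }),
    # 2. The application's service account reads the same secret: expected, no alert.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": SECRET_MANAGER_SERVICE,
            "methodName": ACCESS_METHOD,
            "resourceName": "projects/example-project/secrets/db-password/versions/3",
            "authenticationInfo": {
                "principalEmail": "verification-server@example-project.iam.gserviceaccount.com"
            },
        },
    }),
    # 3. A human impersonating the service account: still a human access (assumed shape).
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": SECRET_MANAGER_SERVICE,
            "methodName": ACCESS_METHOD,
            "resourceName": "projects/example-project/secrets/api-key/versions/1",
            "authenticationInfo": {
                "principalEmail": "verification-server@example-project.iam.gserviceaccount.com",
                "serviceAccountDelegationInfo": [
                    {"firstPartyPrincipal": {"principalEmail": "bob@example.com"}}
                ],
            },
        },
    }),
    # 4. A human lists secrets (metadata only, not a payload read): out of scope here.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": SECRET_MANAGER_SERVICE,
            "methodName": "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    }),
]


def is_service_account(principal: str) -> bool:
    """Google-managed and user-managed service accounts both end in .gserviceaccount.com."""
    return principal.endswith(".gserviceaccount.com")


def human_actor(auth_info: Dict[str, Any]) -> Optional[str]:
    """Return the human identity behind an access, or None if only a service account acted."""
    principal = auth_info.get("principalEmail", "")
    if principal and not is_service_account(principal):
        return principal
    # Assumption: impersonation records the original caller under
    # serviceAccountDelegationInfo[].firstPartyPrincipal.principalEmail.
    for delegation in auth_info.get("serviceAccountDelegationInfo", []):
        first_party = delegation.get("firstPartyPrincipal", {}).get("principalEmail", "")
        if first_party and not is_service_account(first_party):
            return first_party
    return None


def human_secret_accesses(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert record per secret-payload read performed by a human."""
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stall the pipeline
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != SECRET_MANAGER_SERVICE:
            continue
        if payload.get("methodName") != ACCESS_METHOD:
            continue
        actor = human_actor(payload.get("authenticationInfo", {}))
        if actor is None:
            continue
        alerts.append({"actor": actor, "secret": payload.get("resourceName", "")})
    return alerts


if __name__ == "__main__":
    for alert in human_secret_accesses(SAMPLE_LOG_LINES):
        print(f"ALERT: {alert['actor']} accessed {alert['secret']}")
```

The impersonation branch is the reason a plain `principalEmail` check is not enough on its own: a person who impersonates the workload's service account shows up with the service account as the principal, and only the delegation info reveals the human behind it. Listing or describing secrets is deliberately not matched, because those are metadata operations and do not expose the secret payload.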

After some research, there's no way to enable DAL via Terraform. There's an API, but it also doesn't seem to work. As such, I've enabled DAL on the organization which will apply to all current and future projects.

(To be clearer, it exists, but it's authoritative. There's no way to say "enable this" - it's the entire audit policy on the project/folder. Since we don't know if there's other configuration on the project, it's not safe to apply since we might be deleting an existing audit config).

Most of this is done, but there's still an open issue with Terraform accessing secrets as part of its run...

These alerts fire!