Correlate findings with AWS Secrets Manager

When HCP Vault Radar connects to AWS Secrets Manager, Vault Radar can correlate findings with secrets stored in AWS Secrets Manager. This allows you to identify what secrets you need to rotate.

Connect AWS Secrets Manager

Before you can correlate findings with AWS Secrets Manager, you need to deploy the Radar agent. Once you deploy the agent, you can configure and connect AWS Secrets Manager to the agent.

Prerequisites

You need one of the following AWS authentication methods:

IAM role authentication with an EC2 instance or configured IAM role
Environment variables authentication with AWS Access Key ID and Secret Access Key

Both authentication methods support an optional assume role ARN for cross-account access or elevated permissions. For more information about assuming roles, refer to the AWS STS AssumeRole documentation.

Required permissions

The IAM user, role, or assumed role must have the following permissions:

Service	Permission	Documentation
Secrets Manager	`secretsmanager:ListSecrets`	ListSecrets API
Secrets Manager	`secretsmanager:DescribeSecret`	DescribeSecret API
Secrets Manager	`secretsmanager:GetSecretValue`	GetSecretValue API
Secrets Manager	`secretsmanager:ListSecretVersionIds`	ListSecretVersionIds API
EC2	`ec2:DescribeRegions`	DescribeRegions API
STS	`sts:GetCallerIdentity`	GetCallerIdentity API

Example AWS IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

Agent configuration with AWS Secrets Manager

Set up and manage AWS Secrets Manager from the Vault Radar module in the HCP Portal.

Click Settings.
Click Secret Managers.
Click Connect new secret manager.
Select AWS Secrets Manager and click Next.
Select an AWS authentication method from the Authentication method pulldown menu.
Enter the details for the selected method and click Next to validate the connection.
- Select IAM Role if you want to use instance profile or role-based authentication.
- (Optional) Enter an assume role ARN in the Assume Role ARN text field if you need to assume a different role for access.
- Select AWS Credentials from environment variables if you want to use access keys.
- Enter your AWS Access Key ID location in the AWS Access Key ID Env variable text field (default: env://AWS_ACCESS_ID_LOCATION).
- Enter your AWS Secret Access Key location in the AWS Secret Access Key Env variable text field (default: env://AWS_SECRET_KEY_LOCATION).
- (Optional) Enter an assume role ARN in the Assume Role ARN text field if you need to assume a different role for access.

Vault Radar fetches all active regions for the account and automatically starts index scan for each region.