Well-Architected Framework
Seal Vault during a security incident
During a security incident, it can be important to lock down your most sensitive services, such as Vault, until the issue is resolved. Incidents such as credential leakage, intrusion, or denial-of-service attacks make timely mitigation the top priority. Vault provides two features to help you lock the service down until you resolve the incident:
- Seal: Sealing makes Vault discard the in-memory key it uses to decrypt its storage, so the node stops answering any request for secrets until it is unsealed again with the unseal key quorum (or, with auto-unseal, a restart). Sealing is per node: on an HA cluster, seal every node, not only the active one.
- API Lock: If you do not need to seal Vault entirely, you can instead lock the API for an individual namespace (Vault Enterprise). A locked namespace rejects every request except the unlock call, which requires the unlock key returned when the lock was applied, so other namespaces keep working while the affected one is contained.
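The two lockdown paths above, as an added example that is not HashiCorp's code: a small helper that drives the documented Vault HTTP endpoints (`PUT /v1/sys/seal`, `GET /v1/sys/seal-status`, and the Enterprise `POST /v1/sys/namespaces/api-lock/lock` and `.../unlock`), verifies the node really reports `sealed` instead of trusting the 204, and surfaces the 503 that a sealed node or locked namespace returns. The `FakeVault` class is a constructed in-memory stand-in so the script runs offline; against a real cluster pass `http_transport` and a token allowed to call `sys/seal` (root, or a policy with sudo on that path).

```python
import json
import urllib.error
import urllib.request


def http_transport(method, url, headers, body):
    """Send one JSON request to a real Vault node; return (status, parsed body or {})."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # Vault returns {"errors": [...]} on failure
        return err.code, json.loads(err.read() or b"{}")


class VaultBreakGlass:
    """Seal a Vault node, or lock/unlock the API of one namespace (Enterprise)."""

    def __init__(self, addr, token, transport=http_transport):
        self.addr = addr.rstrip("/")
        self.token = token
        self.transport = transport  # injectable so the flow can be exercised offline

    def request(self, method, path, body=None, namespace=None, auth=True):
        headers = {"X-Vault-Token": self.token} if auth else {}
        if namespace:
            headers["X-Vault-Namespace"] = namespace
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def seal_status(self):
        status, data = self.request("GET", "sys/seal-status", auth=False)  # unauthenticated
        if status != 200:
            raise RuntimeError(f"seal-status: HTTP {status} {data.get('errors')}")
        return data

    def seal(self):
        status, data = self.request("PUT", "sys/seal")
        if status not in (200, 204):
            raise RuntimeError(f"seal: HTTP {status} {data.get('errors')}")
        # Verify rather than trust: seal only affects the node that received it.
        st = self.seal_status()
        if not st.get("sealed"):
            raise RuntimeError("seal accepted but node still reports unsealed")
        return st

    def lock_namespace(self, namespace):
        status, data = self.request("POST", "sys/namespaces/api-lock/lock", namespace=namespace)
        if status != 200:
            raise RuntimeError(f"api-lock: HTTP {status} {data.get('errors')}")
        return data["data"]["unlock_key"]  # store this out-of-band; it is needed to unlock

    def unlock_namespace(self, namespace, unlock_key):
        status, data = self.request("POST", "sys/namespaces/api-lock/unlock",
                                    body={"unlock_key": unlock_key}, namespace=namespace)
        if status not in (200, 204):
            raise RuntimeError(f"api-unlock: HTTP {status} {data.get('errors')}")
        return True


class FakeVault:
    """Constructed in-memory stand-in for one Vault node (not a real server)."""

    def __init__(self, sealed=False):
        self.sealed, self.locked, self.keys = sealed, set(), {}

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if path == "sys/seal-status":
            return 200, {"sealed": self.sealed, "type": "shamir"}
        if self.sealed:
            return 503, {"errors": ["Vault is sealed"]}
        if headers.get("X-Vault-Token") != "root":
            return 403, {"errors": ["permission denied"]}
        ns = headers.get("X-Vault-Namespace", "")
        if ns in self.locked and path != "sys/namespaces/api-lock/unlock":
            return 503, {"errors": ["API access to this namespace has been locked"]}
        if method == "PUT" and path == "sys/seal":
            self.sealed = True
            return 204, {}
        if path == "sys/namespaces/api-lock/lock":
            self.locked.add(ns)
            self.keys[ns] = f"unlock-{ns}"
            return 200, {"data": {"unlock_key": self.keys[ns]}}
        if path == "sys/namespaces/api-lock/unlock":
            if (body or {}).get("unlock_key") != self.keys.get(ns):
                return 400, {"errors": ["invalid unlock key"]}
            self.locked.discard(ns)
            return 204, {}
        return 404, {"errors": []}


def demo():
    """Partial lockdown of one namespace, then a full seal; returns what each step observed."""
    vault = VaultBreakGlass("http://127.0.0.1:8200", "root", transport=FakeVault())
    key = vault.lock_namespace("team-a")
    while_locked, _ = vault.request("GET", "secret/data/app", namespace="team-a")
    vault.unlock_namespace("team-a", key)
    sealed = vault.seal()["sealed"]
    after_seal, _ = vault.request("GET", "secret/data/app", namespace="team-a")
    return {"unlock_key": key, "while_locked": while_locked,
            "sealed": sealed, "after_seal": after_seal}


if __name__ == "__main__":
    print(demo())
```

The helper deliberately refuses to report success on a 204 alone: sealing is a property of the node you asked, so confirm it with `seal-status` and repeat the call against every node of an HA cluster. Keep the unlock key returned by `lock_namespace` somewhere other than Vault itself, since the locked namespace cannot be used to retrieve it.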
After a security incident, it is important to review what caused it and invalidate any compromised credentials. Boundary provides audit logging and session recording, giving you insight into how an attacker gained access to your infrastructure. Vault Radar automatically detects and identifies unmanaged secrets in your code, telling you whether any sensitive credentials exist that could be used to gain access to your infrastructure.
HashiCorp resources:
- Vault emergency break-glass features
- Boundary audit log streaming
- Boundary recorded sessions operations
- What is Vault Radar?
Next steps
In this section of how to manage leaked secrets, you learned. Managing leaked secrets is part of the Secure systems pillar.