Secrets Management

Secrets management services put all secrets in one place and protect them there. The goal is to reduce the attack surface and make managing secrets easy.

Types of Secrets

Use-cases

There are a number of different use-cases for managing secrets. The ones we’ll address in this documentation are specifically:

System of Record

The “System of Record” is the authoritative source for where secrets are kept. For any given secret, there should be a single “source of truth”.

Depending on the underlying technology, there will be a few different systems. For example, we prescribe a combination of SSM+KMS for platform services managed with Chamber, encrypted S3 buckets for master private keys, Kubernetes secrets for services running within a Kubernetes cluster, and 1Password for Teams as a last resort for all other secrets.

API

The API is the interface by which secrets are passed to the underlying system. Whenever possible, we prescribe using 12-factor style environment variables.

Key Rotation

Keys should be rotated as often as possible or reasonable. The more frequently keys are rotated, the less value any single key has to an attacker, because a compromised key stops working sooner.

Audit Trails