Leadline Inc.
Control Requirements

LS-06: Password Vault for Administrator Accounts

Password vault governance for administrator accounts with access logging

Control Description

Access to administrator accounts is governed via a password vault. Only appropriate users are allowed access to the password vault via the requirement of the use of a valid user name and password to gain access. Logging on the password vault is enabled to track individuals accessing privileged accounts.

Plain Meaning

This control requires organizations to use a password vault (privileged access management system) to store and manage administrator account credentials. Only authorized users can access the vault, and all access to privileged accounts through the vault must be logged for audit purposes.

Implementation: Multi-Platform Secret Management

Primary Solutions

We use several secret management platforms to store administrator credentials and to control access to them; individuals never hold administrator passwords directly, they retrieve them through a vault that logs the access.

1. AWS Secrets Manager

Purpose: Centralized secret management for AWS resources and applications

  • Automatic Rotation: Built-in credential rotation capabilities
  • KMS Integration: Encryption using AWS Key Management Service
  • Access Control: IAM-based access policies and permissions
  • Audit Logging: CloudTrail integration for access tracking

2. AWS Systems Manager Parameter Store

Purpose: Secure parameter storage for configuration data

  • Hierarchical Organization: Structured parameter naming conventions
  • Encryption: KMS encryption for sensitive parameters
  • Access Control: IAM policies for parameter access
  • Version Control: Parameter versioning and change tracking

3. Kubernetes Secrets

Purpose: Secret management for containerized applications

  • Base64 Encoding: Secret data is stored base64-encoded, which is an encoding, not encryption; encryption of Secrets at rest in etcd must be enabled separately (an API server EncryptionConfiguration or a KMS provider)
  • RBAC Integration: Role-based access control for secret access, with get/list/watch on Secrets limited to the service accounts and operators that need it
  • Namespace Isolation: Secret isolation by Kubernetes namespaces
  • Audit Logging: Kubernetes API server audit logs for secret access (an audit policy must be configured on the API server; it is not enabled by default)

4. GitHub Secrets

Purpose: Secure credential storage for CI/CD pipelines

  • Repository-Level: Secrets scoped to specific repositories
  • Environment Secrets: Environment-specific secret management
  • Access Control: Repository and organization-level permissions
  • Audit Trail: GitHub audit logs record secret management events (creation, update, removal); which workflow run consumed a secret is traced through the Actions run history, and secret values themselves are never written to logs

Access Control Implementation

No Direct Access Policy

  • Credential Isolation: No direct access to administrator passwords
  • Vault-Only Access: All credential access through approved vaults
  • Temporary Access: Time-limited access when required
  • Approval Workflow: Management approval for credential access

Authentication Requirements

  • Multi-Factor Authentication: MFA required for all vault access
  • Strong Passwords: Complex password requirements for vault access
  • Session Management: Automatic session timeout and cleanup
  • Access Logging: Complete audit trail of all vault access
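The CloudTrail integration listed under AWS Secrets Manager and the access-logging and MFA requirements above only satisfy LS-06 if someone actually reviews the trail. The script below is an added example, not Leadline's own tooling, showing what that review looks like: it reads CloudTrail records, keeps only credential reads (GetSecretValue) against administrator secrets, and flags reads by principals outside an allow list or without an MFA-authenticated session. The `admin/` naming prefix, the allowed principal ARNs, the account number and the event records are all assumptions constructed for the example; the field names follow the CloudTrail JSON schema.

```python
"""Audit CloudTrail records for administrator-credential reads from AWS Secrets Manager.

Added example for this page, not Leadline's tooling. Assumed conventions (not stated
on the page): administrator secrets are named "admin/<system>", only the principals
in ALLOWED_PRINCIPALS may read them, and every read must come from an
MFA-authenticated session. SAMPLE_EVENTS is constructed, not real CloudTrail data.
"""
import json

ADMIN_SECRET_PREFIX = "admin/"   # assumption: admin credentials live under this prefix
ALLOWED_PRINCIPALS = {           # assumption: identities cleared for admin-vault access
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:sts::123456789012:assumed-role/AdminBreakGlass/bob",
}
# API calls that hand the caller a credential value; metadata calls are not tracked.
CREDENTIAL_READ_EVENTS = {"GetSecretValue"}

# Constructed CloudTrail records (real field names, invented values).
SAMPLE_EVENTS = [
    {   # compliant: allowed user, MFA session, admin secret
        "eventTime": "2024-05-01T09:12:04Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
        "requestParameters": {"secretId": "admin/prod-db-root"},
    },
    {   # same user via a long-term access key: no sessionContext, so no MFA evidence
        "eventTime": "2024-05-01T09:15:30Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"secretId": "admin/prod-db-root"},
    },
    {   # principal not on the allow list; IAM denied the call (errorCode present)
        "eventTime": "2024-05-01T10:02:11Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": "198.51.100.9",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/AppRunner/ci",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "requestParameters": {"secretId": "admin/prod-db-root"},
        "errorCode": "AccessDeniedException",
    },
    {   # application secret, outside the scope of LS-06: ignored
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"secretId": "app/api-token"},
    },
    {   # metadata call on an admin secret, not a credential read: ignored
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "DescribeSecret",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"secretId": "admin/prod-db-root"},
    },
]


def mfa_authenticated(identity):
    """True only when CloudTrail shows an MFA-authenticated session.
    Long-term access keys carry no sessionContext, so they count as no MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def audit_admin_secret_access(events):
    """One audit row per administrator-credential read, with policy findings."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if ev.get("eventName") not in CREDENTIAL_READ_EVENTS:
            continue
        secret = ev.get("requestParameters", {}).get("secretId", "")
        if not secret.startswith(ADMIN_SECRET_PREFIX):
            continue
        identity = ev.get("userIdentity", {})
        principal = identity.get("arn", "<unknown>")
        findings = []
        if principal not in ALLOWED_PRINCIPALS:
            findings.append("unauthorized_principal")
        if not mfa_authenticated(identity):
            findings.append("no_mfa")
        rows.append({
            "time": ev["eventTime"],
            "principal": principal,
            "secret": secret,
            "source_ip": ev.get("sourceIPAddress"),
            "denied": "errorCode" in ev,   # IAM refused the call; value never left the vault
            "findings": findings,
        })
    return rows


def violations(rows):
    """Successful reads that broke a requirement. Denied attempts stay in the
    trail for investigation but are not control failures: no credential was exposed."""
    return [r for r in rows if r["findings"] and not r["denied"]]


if __name__ == "__main__":
    trail = audit_admin_secret_access(SAMPLE_EVENTS)
    for row in trail:
        print(json.dumps(row))
    print(f"{len(violations(trail))} violation(s) in {len(trail)} admin-credential reads")
```

Run against the constructed events, the trail contains three rows: the MFA read by the allowed user is clean, the access-key read by the same user is a violation because no MFA evidence exists, and the denied attempt from the CI role is recorded with both findings but not counted as a violation. In production the same logic runs over the CloudTrail objects delivered to S3 or over a CloudWatch Logs subscription, and a non-empty `violations()` result is what should page the on-call reviewer.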

GitHub Documentation