5.4.2 Consider external secret storage

Information

Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets.

Rationale:

Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution.

Default Value:

By default, no external secret management is configured.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv7|13

Plugin: Unix

Control ID: f453cbad226ab8da4e4ba5b4b2efe1d99ff48c76b0c668f3aaf129720f3e7849