Auditing events for Secrets Manager
As a security officer, auditor, or manager, you can use the Activity Tracker service to track how users and applications interact with IBM Cloud® Secrets Manager.
IBM Cloud Activity Tracker records service and user initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.
For more information, see the getting started tutorial for IBM Cloud Activity Tracker.
Audit devices that you can enable with Vault, such as the syslog
audit device, are not supported by Secrets Manager.
Events for secrets
The following table lists the secret actions that generate an event.
Action | Description |
---|---|
secrets-manager.secret.create |
Create a secret. |
secrets-manager.secrets.list |
List secrets. |
secrets-manager.secret.read |
Get a secret. |
secrets-manager.secret.rotate |
Rotate a secret. |
secrets-manager.secret-credentials.delete |
Delete the IBM Cloud API key that is associated with a secret. |
secrets-manager.secret.delete |
Delete a secret. |
secrets-manager.secret-metadata.read |
View the metadata of a secret. |
secrets-manager.secret-metadata.update |
Update the metadata of a secret. |
secrets-manager.secret-policies.set |
Set secret policies. |
secrets-manager.secret-policies.get |
Get secret policies. |
Events for secret groups
The following table lists the secret group actions that generate an event.
Action | Description |
---|---|
secrets-manager.secret-group.create |
Create a secret group. |
secrets-manager.secret-groups.list |
List secret groups. |
secrets-manager.secret-group.read |
View the details of a secret group. |
secrets-manager.secret-group.update |
Update a secret group. |
secrets-manager.secret-group.delete |
Delete a secret group. |
Events for secret locks
The following table lists the secret lock actions that generate an event.
Action | Description |
---|---|
secrets-manager.secret-locks.create |
Create a secret lock. |
secrets-manager.secret-locks.list |
List secret locks. |
secrets-manager.secret-locks.delete |
Delete a secret lock. |
secrets-manager.secrets-locks.list |
List secret locks. |
secrets-manager.secret-version-locks.create |
Create secret version locks. |
secrets-manager.secret-version-locks.list |
List secret version locks. |
secrets-manager.secret-version-locks.delete |
Delete secret version locks. |
Events for instance operations
The following table lists the instance operation actions that generate an event.
Action | Description |
---|---|
secrets-manager.instance.login |
Log in to Vault. |
secrets-manager.configuration.create |
Create a new configuration. |
secrets-manager.configuration-action.create |
Create a new configuration action. |
secrets-manager.configurations.list |
List configurations. |
secrets-manager.configuration.read |
View the details of a configuration. |
secrets-manager.configuration.update |
Update a configuration. |
secrets-manager.configuration.delete |
Delete a configuration. |
secrets-manager.endpoints.view |
Get service instance endpoints. |
secrets-manager.notifications-registration.create |
Create a registration with Event Notifications. |
secrets-manager.notifications-registration.read |
Get Event Notifications registration details. |
secrets-manager.notifications-registration.delete |
Delete an Event Notifications registration. |
secrets-manager.notifications-registration.test |
Send a test event. |
Viewing events
Events that are generated by an instance of the Secrets Manager service are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.
IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launching the UI through the IBM Cloud UI.
Analyzing events
Successful events that are generated by an instance of the Secrets Manager service contain various fields that can help you to identify the initiator, the target resource, and the outcome of each completed action in your instance. For more information about the components that make up an event, see the IBM Cloud Activity Tracker documentation.
Due to the sensitivity of secrets, when an IBM Cloud Activity Tracker event is generated as a result of an API call to the Secrets Manager service, the generated event does not include the actual contents of a secret. Sensitive data, such as an API key or password, is replaced with identifying information about the secret only, or it is omitted from generated events altogether.
You can create views and alerts from all of your Secrets Manager instances, or from a specific instance.
To target a specific instance, replace host:secrets-manager
with app:{INSTANCE_CRN}
.
Query for finding all create secret actions:
Run the following query to find all create secret actions.
host:secrets-manager action:secrets-manager.secret.create
The action value can be replaced with any other applicable action.
Query for finding unauthorized access attempts
To see unauthorized access attempts, run the following query.
host:secrets-manager reason.reasonType:Unauthorized
To learn more about creating views and alerts, see the IBM Cloud Activity Tracker documentation.