IBM Cloud Docs
Auditing events for Secrets Manager

Auditing events for Secrets Manager

As a security officer, auditor, or manager, you can use the Activity Tracker service to track how users and applications interact with IBM Cloud® Secrets Manager.

IBM Cloud Activity Tracker records service and user initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.

For more information, see the getting started tutorial for IBM Cloud Activity Tracker.

Audit devices that you can enable with Vault, such as the syslog audit device, are not supported by Secrets Manager.

Events for secrets

The following table lists the secret actions that generate an event.

Table 1. List of secret events
Action Description
secrets-manager.secret.create Create a secret.
secrets-manager.secrets.list List secrets.
secrets-manager.secret.read Get a secret.
secrets-manager.secret.rotate Rotate a secret.
secrets-manager.secret-credentials.delete Delete the IBM Cloud API key that is associated with a secret.
secrets-manager.secret.delete Delete a secret.
secrets-manager.secret-metadata.read View the metadata of a secret.
secrets-manager.secret-metadata.update Update the metadata of a secret.
secrets-manager.secret-policies.set Set secret policies.
secrets-manager.secret-policies.get Get secret policies.

Events for secret groups

The following table lists the secret group actions that generate an event.

Table 2. List of secret group events
Action Description
secrets-manager.secret-group.create Create a secret group.
secrets-manager.secret-groups.list List secret groups.
secrets-manager.secret-group.read View the details of a secret group.
secrets-manager.secret-group.update Update a secret group.
secrets-manager.secret-group.delete Delete a secret group.

Events for secret locks

The following table lists the secret lock actions that generate an event.

Table 2. List of secret lock events
Action Description
secrets-manager.secret-locks.create Create a secret lock.
secrets-manager.secret-locks.list List secret locks.
secrets-manager.secret-locks.delete Delete a secret lock.
secrets-manager.secrets-locks.list List secret locks.
secrets-manager.secret-version-locks.create Create secret version locks.
secrets-manager.secret-version-locks.list List secret version locks.
secrets-manager.secret-version-locks.delete Delete secret version locks.

Events for instance operations

The following table lists the instance operation actions that generate an event.

Table 3. List of instance operation events
Action Description
secrets-manager.instance.login Log in to Vault.
secrets-manager.configuration.create Create a new configuration.
secrets-manager.configuration-action.create Create a new configuration action.
secrets-manager.configurations.list List configurations.
secrets-manager.configuration.read View the details of a configuration.
secrets-manager.configuration.update Update a configuration.
secrets-manager.configuration.delete Delete a configuration.
secrets-manager.endpoints.view Get service instance endpoints.
secrets-manager.notifications-registration.create Create a registration with Event Notifications.
secrets-manager.notifications-registration.read Get Event Notifications registration details.
secrets-manager.notifications-registration.delete Delete an Event Notifications registration.
secrets-manager.notifications-registration.test Send a test event.

Viewing events

Events that are generated by an instance of the Secrets Manager service are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.

IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launching the UI through the IBM Cloud UI.

Analyzing events

Successful events that are generated by an instance of the Secrets Manager service contain various fields that can help you to identify the initiator, the target resource, and the outcome of each completed action in your instance. For more information about the components that make up an event, see the IBM Cloud Activity Tracker documentation.

Due to the sensitivity of secrets, when an IBM Cloud Activity Tracker event is generated as a result of an API call to the Secrets Manager service, the generated event does not include the actual contents of a secret. Sensitive data, such as an API key or password, is replaced with identifying information about the secret only, or it is omitted from generated events altogether.

You can create views and alerts from all of your Secrets Manager instances, or from a specific instance.
To target a specific instance, replace host:secrets-manager with app:{INSTANCE_CRN}.

Query for finding all create secret actions:

Run the following query to find all create secret actions.

host:secrets-manager action:secrets-manager.secret.create

The action value can be replaced with any other applicable action.

Query for finding unauthorized access attempts

To see unauthorized access attempts, run the following query.

host:secrets-manager reason.reasonType:Unauthorized

To learn more about creating views and alerts, see the IBM Cloud Activity Tracker documentation.