Vault - Features


Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault can be ordered from ITCare, using self service.

It is highly available because it is hosted on three virtual machines, each of them in a different availability zone.




Distribution of nodes by availability zone:


This section lists which features and capabilities are available to customers, and how to request or perform them:


Each of the three nodes has the following hardware characteristics: 2 CPUs, 4 GB of RAM and 90 GB of SSD disk.




Vault PaaS is available over HTTPS using administration accounts. This ensures centralized authentication.


By default, there are two roles:

  • security admin, which has full read access on Vault clusters

  • cluster admin, which can:

      • Read the system health check

      • Enable and manage authentication methods across Vault

      • Create and manage ACL policies across Vault, except the cluster_admin and security_admin policies

      • Enable and manage the key/value secrets engine at the secret/ path

      • Enable and manage secrets engines

      • Manage identities

Secured Transport

All traffic is sent over HTTPS. No data are sent unencrypted.

Log Management

Vault has two types of logs - Vault server operational logs and audit logs. The audit logs record every request made to Vault as well as the response sent from Vault. The server logs are operational logs that provide insights into what the server is doing internally and in the background as Vault runs.

An audit device is enabled and its output is written to the /var/log/vault/vault_audit.log file. Vault servers receive the UF_ALL_IT-vault app, which forwards the log files to Splunk over syslog into the vault index and applies the vault sourcetype.

Data location

Data are located in EB or ET, depending on the DC chosen by the customer when ordering the Vault cluster.


This section describes how policies are managed:

A request ticket has to be created to modify these policies.


There is only one built-in account, reserved for emergencies. It is the root token, and it has full rights on the Vault cluster.

It is securely stored in the transit Vault server, and any usage of the root token triggers an alert in the SIEM.
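Because the audit device described under Log Management writes one JSON object per request and response, with the calling token's policies attached, the root-token alert mentioned above can be expressed as a small filter over those lines. The following is an added example and not part of this page or of Vault itself; the audit lines are constructed samples in the shape of Vault's JSON audit log (request/response entries, HMAC'd accessors, the `root` policy carried by a root token), not entries from this cluster.

```python
import json

# Constructed sample audit lines (not real cluster data): one JSON object per
# line, with a request entry and its matching response entry sharing a request id.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"accessor":"hmac-sha256:aa","display_name":"userpass-alice","policies":["default","cluster_admin"],"token_type":"service"},"request":{"id":"r1","operation":"read","path":"sys/health","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:01Z","type":"request","auth":{"accessor":"hmac-sha256:bb","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r2","operation":"update","path":"sys/policies/acl/security_admin","remote_address":"10.0.0.9"}}
{"time":"2024-05-01T10:00:02Z","type":"response","auth":{"accessor":"hmac-sha256:bb","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r2","operation":"update","path":"sys/policies/acl/security_admin","remote_address":"10.0.0.9"},"response":{"mount_type":"system"}}
{"time":"2024-05-01T10:00:03Z","type":"request","auth":{"accessor":"hmac-sha256:cc","display_name":"token","policies":["default"],"token_type":"service"},"request":{"id":"r3","operation":"read","path":"secret/data/app1","remote_address":"10.0.0.7"}}
not-json-garbage
"""


def parse_audit_lines(text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_root_token_use(entry):
    """A root token is recognisable by the 'root' policy attached to the caller."""
    auth = entry.get("auth") or {}
    return "root" in (auth.get("policies") or [])


def root_token_alerts(text):
    """One alert per root-token request; response entries are ignored so each
    call is reported once, with the fields a SIEM rule would want to surface."""
    alerts = []
    for entry in parse_audit_lines(text):
        if entry.get("type") != "request" or not is_root_token_use(entry):
            continue
        req = entry.get("request") or {}
        alerts.append({
            "time": entry.get("time"),
            "operation": req.get("operation"),
            "path": req.get("path"),
            "remote_address": req.get("remote_address"),
            "accessor": (entry.get("auth") or {}).get("accessor"),
        })
    return alerts


if __name__ == "__main__":
    for alert in root_token_alerts(SAMPLE_AUDIT_LOG):
        print("ROOT TOKEN USED:", alert)
```

The same filter, expressed as a Splunk search over the vault sourcetype, would key on the `auth.policies` field containing `root` and `type=request`.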

Basic monitoring covers memory, CPU, network and disk space.

In addition, the following custom monitoring checks have been added:
