Vault - Features
Description
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.Vault can be ordered from ITCare, using self service.
It is highly available because it is hosted on three virtual machines, each of them in a different availability zone.
Architecture
Topologies
| Region | Area | Availability Zone A | Availability Zone B | Availability Zone C |
|---|---|---|---|---|
EB | EB-EMEA | |||
EB | EB-HDS | |||
ET | ET-EMEA | |||
ET | ET-HDS |
Resiliency
Distribution of nodes by availability zone :
| Availability Zone A | Availability Zone B | Availability Zone C | |
|---|---|---|---|
Node 1 | |||
Node 2 | |||
Node 3 |
Features
This section is to list which feature / capabilities are available to customer, and how to request / perform them :
Self-service | Customer can perform action autonomously. |
On Request | Customer can request for the action to be done to cegedim.cloud support team. |
| Features | Self-service | On Request | Comments |
|---|---|---|---|
SSH Access | SSH access is disabled and reserved to cegedim.cloud administrators. | ||
API access | Clients can use Vault via API calls | ||
HTTPS access | Clients can use Vault via HTTPS WebUI |
Resources
Each of the three nodes has the following hardware characteristics: 2 CPUs, 4 Go of RAM and 90 Go of SSD disk.
Diagram
Security
Authentication
Vault PaaS is available over HTTPS using administration accounts. This ensures centralized authentication.
Authorizations
Bu default, there are two roles :
security admin, which have full read access on Vault clusters
cluster admin, which can:
Read system health check
Enable and manage authentication methods across Vault
Create and manage ACL policies across Vault, except on cluster_admin and security_admin policies
Enable and manage the key/value secret engines at secret/ path
Enable and manage secrets engine
Manage Identities
Secured Transport
All traffic is sent over HTTPS. No data are sent unencrypted.
Log Management
Vault has two types of logs - Vault server operational logs and audit logs. The audit logs record every request made to Vault as well as the response sent from Vault. The server logs are operational logs that provide insights into what the server is doing internally and in the background as Vault runs.
Audit devices is enabled and the output logs are stored in the /var/log/vault/vault_audit.log file. Vault servers receive the UF_ALL_IT-vault App which sends the log files to Splunk over syslog, in the vault index and apply the vault sourcetype.
Data location
Data are located in EB or ET, depending of the DC that has been chosen by the customer when ordering the Vault cluster.
Policies
This section list the policies management :
| Policies | Default | Enforced | Comments |
|---|---|---|---|
TTL | 30 minutes | ||
HA | ha-mode configured to ALL |
A request ticket will have to be created to to modify these policies.
Passwords
There is only one built-in account in case of emergency. It is the root token and it is has full rights on the Vault cluster.
It is securely stored in the transit vault server and any usage of the root token triggers an alerts in the SIEM.
Monitoring
cegedim.cloud provides basic monitoring on memory, CPU, network and disk space.
In addition, the following custom monitorings have been added:
| Server name | Service name | Conditions for success |
|---|---|---|
All Vault URLs | TLS_HTTPS_CONNECT | HTTP OK: Status line output matched "200,301,302,303,401,403,429" |
All Vault servers | APP_VAULT_HEALTH | HTTP OK: Status line output matched "200,429" |
Last updated
