Vault - Features

Description

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets used in modern computing. Vault can be ordered from ITCare using self-service.

It is highly available because it is hosted on three virtual machines, each of them in a different availability zone.

Architecture

Topologies

| Region | Area    | Availability Zone A | Availability Zone B | Availability Zone C |
|--------|---------|---------------------|---------------------|---------------------|
| EB     | EB-EMEA |                     |                     |                     |
| EB     | EB-HDS  |                     |                     |                     |
| ET     | ET-EMEA |                     |                     |                     |
| ET     | ET-HDS  |                     |                     |                     |

Resiliency

Distribution of nodes by availability zone:

| Availability Zone A | Availability Zone B | Availability Zone C |
|---------------------|---------------------|---------------------|
| Node 1              | Node 2              | Node 3              |

Features

This section lists which features and capabilities are available to customers, and how to request or perform them:

Self-service

Customers can perform the action autonomously.

On Request

Customers can request that the cegedim.cloud support team perform the action.

| Features     | Self-service | On Request | Comments                                                          |
|--------------|--------------|------------|-------------------------------------------------------------------|
| SSH Access   |              |            | SSH access is disabled and reserved for cegedim.cloud administrators. |
| API access   |              |            | Clients can use Vault via API calls.                              |
| HTTPS access |              |            | Clients can use Vault via the HTTPS WebUI.                        |

Resources

Each of the three nodes has the following hardware characteristics: 2 CPUs, 4 GB of RAM and 90 GB of SSD disk.

Diagram

Security

Authentication

Vault PaaS is available over HTTPS using administration accounts. This ensures centralized authentication.

Authorizations

By default, there are two roles:

  • security admin, which has full read access on Vault clusters

  • cluster admin, which can:

    • Read the system health check

    • Enable and manage authentication methods across Vault

    • Create and manage ACL policies across Vault, except the cluster_admin and security_admin policies

    • Enable and manage the key/value secrets engine at the secret/ path

    • Enable and manage secrets engines

    • Manage identities

Secured Transport

All traffic is sent over HTTPS. No data are sent unencrypted.

Log Management

Vault has two types of logs - Vault server operational logs and audit logs. The audit logs record every request made to Vault as well as the response sent from Vault. The server logs are operational logs that provide insights into what the server is doing internally and in the background as Vault runs.

An audit device is enabled and its output is written to the /var/log/vault/vault_audit.log file. Vault servers run the UF_ALL_IT-vault app, which forwards the log file to Splunk over syslog into the vault index with the vault sourcetype applied.

Data location

Data is located in EB or ET, depending on the data centre (DC) chosen by the customer when ordering the Vault cluster.

Policies

This section lists the managed policies:

| Policies | Default                   | Enforced | Comments |
|----------|---------------------------|----------|----------|
| TTL      | 30 minutes                |          |          |
| HA       | ha-mode configured to ALL |          |          |

A request ticket will have to be created to modify these policies.

Passwords

There is only one built-in account, for use in case of emergency: the root token, which has full rights on the Vault cluster.

It is securely stored in the transit Vault server, and any usage of the root token triggers an alert in the SIEM.
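The two passages above (the audit device writing one JSON event per line, and root-token usage raising an alert in the SIEM) can be tied together in a small detection. The following Python is an added example, not code from this page or from cegedim.cloud tooling: it parses constructed file-audit-device lines (field names follow Vault's audit log format, all values are made up), skips malformed lines, and emits one alert record per request carrying the root policy. Only "request" events are counted so that the matching "response" event does not produce a second alert.

```python
import json
from typing import Iterator

# Constructed sample of Vault file-audit-device output: one JSON event per line.
# Tokens and accessors are HMAC'd by the audit device, so we only rely on
# fields that stay in clear text (type, auth.policies, request.*).
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"token","policies":["default","cluster_admin"],"token_type":"service"},"request":{"id":"r-1","operation":"read","path":"sys/health","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:01Z","type":"response","auth":{"display_name":"token","policies":["default","cluster_admin"],"token_type":"service"},"request":{"id":"r-1","operation":"read","path":"sys/health","remote_address":"10.0.0.5"},"response":{"status":200}}
{"time":"2024-05-01T10:05:00Z","type":"request","auth":{"display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r-2","operation":"update","path":"sys/policies/acl/security_admin","remote_address":"10.0.0.9"}}
{"time":"2024-05-01T10:05:00Z","type":"response","auth":{"display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r-2","operation":"update","path":"sys/policies/acl/security_admin","remote_address":"10.0.0.9"},"response":{"status":204}}
{"time":"2024-05-01T10:06:00Z","type":"request","auth":{},"request":{"id":"r-3","operation":"read","path":"sys/health","remote_address":"10.0.0.7"}}
this line is not json and must not abort the scan
"""


def iter_audit_events(text: str) -> Iterator[dict]:
    """Yield parsed audit events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line should not stop the detection


def is_root_token_use(event: dict) -> bool:
    """True when the token behind the event carries Vault's built-in root policy."""
    auth = event.get("auth") or {}
    policies = set(auth.get("policies") or []) | set(auth.get("token_policies") or [])
    return "root" in policies


def find_root_token_usage(text: str) -> list[dict]:
    """Return one alert record per *request* made with the root token."""
    alerts = []
    for event in iter_audit_events(text):
        if event.get("type") != "request" or not is_root_token_use(event):
            continue
        req = event.get("request") or {}
        alerts.append({
            "time": event.get("time"),
            "request_id": req.get("id"),
            "operation": req.get("operation"),
            "path": req.get("path"),
            "remote_address": req.get("remote_address"),
        })
    return alerts
```

In a Splunk forwarder setup like the one described, the same condition would be expressed as a scheduled search on the vault index rather than a script; the parsing logic is the part worth checking against real audit lines.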

Monitoring

cegedim.cloud provides basic monitoring on memory, CPU, network and disk space.

In addition, the following custom monitoring checks have been added:

| Server name       | Service name      | Conditions for success                                           |
|-------------------|-------------------|------------------------------------------------------------------|
| All Vault URLs    | TLS_HTTPS_CONNECT | HTTP OK: Status line output matched "200,301,302,303,401,403,429" |
| All Vault servers | APP_VAULT_HEALTH  | HTTP OK: Status line output matched "200,429"                    |
