=Paper=
{{Paper
|id=Vol-3826/paper7
|storemode=property
|title=Universal centralized secret data management for automated public cloud provisioning
|pdfUrl=https://ceur-ws.org/Vol-3826/paper7.pdf
|volume=Vol-3826
|authors=Yevhenii Martseniuk,Andrii Partyka,Oleh Harasymchuk,Svitlana Shevchenko
|dblpUrl=https://dblp.org/rec/conf/cpits/MartseniukPHS24
}}
==Universal centralized secret data management for automated public cloud provisioning==
Universal centralized secret data management for automated public cloud provisioning
Yevhenii Martseniuk1,†, Andrii Partyka1,†, Oleh Harasymchuk1,† and Svitlana Shevchenko2,*,†
1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudryavska str., 04053 Kyiv, Ukraine
Abstract
In modern cloud environments, secret management plays a key role in ensuring the security of sensitive data,
such as passwords, API keys, credentials, and other critical resources. This paper discusses the use of HashiCorp
Vault as a universal platform for centralized secret management and automated provisioning of cloud resources.
A comparison is also made with native secret management services, such as AWS KMS, Azure Key Vault, and
Google Cloud KMS, to determine their capabilities and limitations in providing security. The comparison shows
that Vault offers more flexible and universal secret management thanks to advanced cryptographic methods and
integration with automation platforms. The research demonstrates that Vault provides secure storage, dynamic
creation, and automatic revocation of credentials, allowing access management based on security policies. The
integration of HashiCorp Vault with automation platforms like Rundeck and Ansible enables the automation of
cloud resource provisioning while maintaining information confidentiality and reducing the risk of human error.
The use of dynamic creation methods for temporary credentials enhances security and compliance with
standards, adhering to the principle of least privilege. The results highlight the importance of using HashiCorp
Vault as a central platform for managing secrets and credentials, which improves the overall level of security and
efficiency in cloud environments.
Keywords
HashiCorp Vault, secrets, automation, data security, dynamic credentials, AWS, authentication, authorization, cloud infrastructure, centralized management
CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
yevhenii.v.martseniuk@lpnu.ua (Y. Martseniuk); andrijp14@gmail.com (A. Partyka); garasymchuk@ukr.net (O. Harasymchuk); s.shevchenko@kubg.edu.ua (S. Shevchenko)
ORCID: 0009-0009-2289-0968 (Y. Martseniuk); 0000-0003-3037-8373 (A. Partyka); 0000-0002-8742-8872 (O. Harasymchuk); 0000-0002-9736-8623 (S. Shevchenko)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction
In the modern world of cloud computing, infrastructure is becoming increasingly ephemeral (temporary) and elastic, adapting to changing loads and needs. The dynamic nature of IP addresses and the lack of a clear network perimeter introduce new challenges in ensuring cybersecurity, as traditional protection methods based on fixed network boundaries become less effective. Consequently, modern security systems are oriented towards the ‘Zero Trust’ principle, which assumes potential breaches within the network, regardless of its boundaries [1, 2].
The Zero Trust concept posits that no system or user can be trusted by default; every access request must be thoroughly verified, whether it originates from within the organization’s internal network or externally [3]. This approach requires more integrated security methods, where access to systems and endpoints is controlled directly, rather than relying on being within a privileged network. This means that instead of using IP addresses as the sole unit of access, each application or service is given a unique identification, allowing it to work with the ephemeral and elastic nature of cloud infrastructure [4].
In the context of Zero Trust, effective secret management is critically important for securing access to applications, systems, and endpoints. Data must be properly protected and not stored in plaintext, as this poses a significant risk of unauthorized access [5]. This necessitates centralized secret management and the use of intermediary software for key management and data encryption [6].
A secret is considered any information that requires strict access restrictions, such as API encryption keys, passwords, certificates, or other credentials used for authentication and authorization of access to resources [1]. In modern conditions, most web applications and various services have already transitioned to a microservices architecture or are actively undergoing this transition. This is because microservices architecture enhances flexibility, scalability, and independence in the development and deployment of individual system components [3]. However, instead of a single monolithic configuration file, there are now numerous small configuration files (one or several per microservice), which require secure storage of their contents.
Additionally, environment variables are often used for configuring service parameters instead of traditional configuration files. As a result, each service has its unique
settings for connecting to databases, external APIs, message queues, caches, and other systems [4]. Moreover, other parameters require secure storage, such as a ‘salt’ (a modifier used for password hashing) or keys for generating JWT tokens. Thus, there is a significant number of entities that require secure storage to prevent unauthorized access [6].
This research aims to identify the optimal tool for centralized secret management in cloud environments that meets modern security requirements and ensures flexibility and efficiency. The study includes an analysis of existing native secret management services, such as AWS KMS, Azure Key Vault, and Google Cloud KMS, to evaluate their capabilities and limitations [1]. Additionally, the choice of HashiCorp Vault as the best solution for secret management is justified due to its ability to provide advanced cryptographic methods, dynamic credential creation, integration with various automation platforms, and support for a universal approach to secret management in heterogeneous cloud infrastructures [7].

2. Challenges and risks in public clouds and native services for their mitigation
The rapid adoption of cloud computing has fundamentally changed approaches to data storage and management. Due to the high convenience, scalability, and flexibility offered by public cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), organizations are increasingly moving to cloud technologies for deploying their operations and storing data. However, these changes come with significant challenges related to ensuring the security and privacy of information [8]. Reliable secret storage solutions that include secure management of keys, passwords, and other sensitive data are critically important for protection against unauthorized access and potential data breaches.
By moving their data and applications to public cloud infrastructures, organizations face some security challenges inherent to cloud environments. Cloud environments, by nature, involve storing data on remote servers managed by third parties. This setup creates potential vulnerabilities, as sensitive information, such as encryption keys, passwords, and certificates, must be securely managed and protected from unauthorized access [9]. The lack of effective secret management solutions significantly increases the risks of data leaks, unauthorized access, and insider threats [10]. Therefore, the implementation of advanced cryptographic methods for protecting secrets in the cloud and ensuring data security is especially important [11].

2.1. Main security challenges and risks in public clouds
1. Vulnerability to Unauthorized Access: The use of cloud services requires storing keys, passwords, and certificates in a secure environment. However, cloud environments themselves can be targets of attacks, making effective secret management critically important to prevent unauthorized access. Even if data is intercepted, advanced cryptographic methods, such as encryption using robust algorithms, ensure that without the appropriate decryption keys, the data remains inaccessible [12].
2. Insider Threats: Insider threats pose a significant risk to cloud environments. Employees or contractors with access to sensitive data may intentionally or unintentionally compromise security. Threshold cryptography methods and distributed key management help mitigate this risk by ensuring that no individual has complete access to the secret key, thus limiting the potential for malicious use of the data.
3. Ensuring Data Integrity and Confidentiality: Data integrity and confidentiality are the most important aspects of security in cloud environments. Advanced encryption methods, such as DNA-based encryption or hybrid cryptography, provide robust mechanisms to protect against tampering and unauthorized access and ensure that only authorized users can decrypt the data.
4. Scalability and Performance: Scalability is a key advantage of cloud computing, but it also creates security challenges. Decentralized encryption and other scalable cryptographic solutions enable cloud environments to handle large volumes of data efficiently without compromising security. They provide effective key management, prevent data duplication, and enhance the overall performance of systems.
5. Regulatory Compliance and Building Trust: Implementing reliable secret storage solutions helps organizations not only protect their data but also build trust with their clients and ensure compliance with regulatory requirements, such as GDPR and HIPAA. This is achieved by demonstrating a commitment to data security and using advanced protection methods [13].

3. Native services for secure secret management
To address these issues, public cloud providers like AWS, Azure, and GCP offer their own built-in secret management services:

3.1. AWS key management service
AWS Key Management Service (KMS) provides centralized control over cryptographic keys used to protect data stored within AWS infrastructure. This service is closely integrated with other AWS cloud services, allowing automatic encryption of data within those services and managing access to the keys needed for decryption. Integration with AWS CloudTrail enables auditing of key operations, providing detailed information about who used specific keys, on which resources, and when.
AWS KMS also simplifies the process for developers to add encryption or digital signing capabilities to their software, either directly or through the use of the AWS SDK, which supports the AWS Encryption SDK as the key provider for encrypting and decrypting data locally in applications.
The service allows the effective management of the lifecycle and permissions of keys, including the ability to create new keys at any time and manage their permissions separately from the rights to use them [14]. Users can choose between keys generated in AWS KMS or other options, such as importing keys from their own key management infrastructure, using keys stored in an AWS CloudHSM cluster, or keys from an external key manager outside of AWS. AWS KMS also supports the automatic rotation of root keys once a year without the need to re-encrypt previously encrypted data, ensuring their long-term security. The service retains old versions of keys, making them available for decrypting previously encrypted data. Key management is performed through the AWS console, AWS SDK, or AWS Command Line Interface (CLI).
Security and Compliance: AWS KMS is designed so that even AWS employees do not have access to your plaintext keys. This is achieved through the use of Hardware Security Modules (HSMs) that are validated against the Federal Information Processing Standards (FIPS) 140-2 of the U.S. National Institute of Standards and Technology (NIST). The FIPS 140-2 Cryptographic Module Validation Program ensures that HSMs provide robust protection for the confidentiality and integrity of keys.
The HSMs used in AWS KMS serve as the cryptographic root of trust and create a secure hardware environment for performing all cryptographic operations within KMS. All key material for KMS keys is generated in AWS KMS HSMs, and all operations requiring access to plaintext keys are strictly performed within the HSMs, in compliance with FIPS 140-2 Level 3 security requirements [15].
Updates to the HSM firmware in AWS KMS are controlled by multi-party access management and are reviewed by independent expert groups at Amazon. All firmware changes are sent to an accredited NIST laboratory for verification of compliance with FIPS 140-2 Level 3 security standards. Your plaintext keys are never written to disk and are only used in the volatile memory of the HSM for the duration required to perform the requested cryptographic operation. This applies to cases where keys are created on user request, imported into the service, or created in an AWS CloudHSM cluster using a dedicated key storage function.
Regulatory Compliance and Key Geographical Control: AWS KMS allows users to choose whether to create keys restricted to a single region or keys that can be used across multiple regions. This is crucial for meeting regulatory requirements regarding the storage and processing of data within specific geographical boundaries. Keys created for a single region are never transferred outside of that region, ensuring data control within the defined jurisdiction.
The benefits of AWS KMS include flexibility in choosing encryption methods, integration with other AWS services, a high level of security through the use of certified HSMs, and the ability to comply with various regulatory standards, such as GDPR or HIPAA. This makes AWS KMS a powerful tool for ensuring data security and privacy in cloud environments [16].

3.2. Azure key vault: A native service for secure secrets management
Azure Key Vault is a cloud service from Microsoft designed for the secure storage of secrets and access management. Secrets are considered data that require strict access control, such as API keys, passwords, and cryptographic keys. Azure Key Vault supports two types of containers: general vaults and managed Hardware Security Module (HSM) pools. Vaults are used for storing software keys, secrets, and certificates with support for Hardware Security Modules (HSMs), while HSM pools are exclusively designed for storing keys protected by HSM hardware [17].
To ensure secure data transmission between Azure Key Vault and clients, the service uses the Transport Layer Security (TLS) protocol. TLS ensures reliable authentication, message confidentiality, data integrity, and detection of unauthorized alterations, interceptions, or message forgeries. Perfect Forward Secrecy (PFS) further secures connections between clients and Microsoft’s cloud services by using unique keys, including 2048-bit RSA encryption keys. This configuration significantly complicates the interception of and access to data during its transmission.
Access to Azure Key Vault is managed through two interaction planes: the management plane and the data plane.
Management Plane: This plane is used for administering Key Vault, including creating and deleting key vaults, retrieving their properties, and configuring access policies.
Data Plane: This plane is intended for working with the data stored in the vaults. It allows adding, deleting, and modifying keys, secrets, and certificates.
Authentication in both planes is handled using Microsoft Entra ID. The management plane employs Azure Role-Based Access Control (Azure RBAC), while the data plane uses Key Vault access policies alongside Azure RBAC to manage operations within the vault.
Access to either plane of Azure Key Vault requires proper authentication and authorization of all calling entities (users or applications). The authentication process identifies the requesting party, while authorization determines the permissible operations for that entity. Azure Key Vault uses Microsoft Entra ID to authenticate any security principal that needs access to Azure resources [18].

3.3. Security principles and authentication mechanisms
A security principal in Azure is an entity that represents a user, group, service, or application that requires access to resources. Each security principal in Azure is assigned a unique object identifier. Types of security principals include:
User Security Principal: Represents an individual user with a profile in Microsoft Entra ID.
Group Security Principal: Represents a group of users created in Microsoft Entra ID. Any roles or
permissions assigned to the group automatically apply to all its members.
Service Principal: Used to identify an application or service (a piece of code), rather than a user or group. The object identifier for a service principal is called a client ID and serves a similar function to a username. The client’s secret or certificate for a service principal acts as the password.
Many Azure services support the assignment of a Managed Identity, which provides automatic management of the client ID and certificate. This is the most secure and recommended method of authentication in Azure, as it reduces the risks associated with manual credential management [19].
Azure Key Vault is a key security component in the Microsoft Azure ecosystem, providing reliable management and storage of secrets. Its functionality enables organizations to control access to critical data using advanced authentication, authorization, and encryption technologies that meet the highest security standards.

3.4. Google cloud key management service
Google Cloud KMS (Key Management Service) is a cloud service for centralized encryption key management provided within the Google Cloud ecosystem. It allows businesses to create, use, and manage cryptographic keys, as well as securely perform cryptographic operations for other Google cloud services. The primary purpose of Google Cloud KMS is to enable organizations to control the process of data encryption and key management within the cloud infrastructure [20].
By default, all data stored in Google Cloud is automatically encrypted. Using Google Cloud KMS, users gain greater control over how their data is encrypted at rest and how encryption keys are managed. This service provides a high level of security and scalability, meeting the needs of various industries and types of software. Google Cloud KMS allows you to create and use keys for encrypting data in cloud services and applications, ensuring their protection both during storage and transmission.
The Google Cloud KMS platform offers centralized management of cryptographic keys for both direct use and integration with other cloud resources and applications. It supports various key sources for encryption:
Cloud KMS Software Keys: Allow flexible data encryption using manageable symmetric or asymmetric keys.
Cloud Hardware Security Modules (HSMs): Used for secure storage and processing of keys in environments with high security requirements.
Customer-Managed Encryption Keys (CMEK): Provide the option to select and use keys generated by Cloud KMS for other Google Cloud services.
Cloud External Key Manager (EKM): Allows the use of external keys that are stored outside of Google Cloud.
Customer-Supplied Encryption Keys (CSEK): Customers can use their own encryption keys, maintaining full control over these keys [21].

3.5. Data protection in Google Cloud
Google Cloud automatically encrypts all data using an internal mechanism called Keystore. This is a key management service that automatically generates and manages keys without user intervention. Keystore supports a primary key for encrypting new data encryption keys, as well as a limited number of older key versions to maintain compatibility and allow decryption of existing data. Users do not have direct control over these keys or access to their usage logs.
Data from multiple clients may be encrypted with the same default key. This process relies on cryptographic modules validated for compliance with FIPS 140-2 Level 1, ensuring a high level of data protection [22].
Google Cloud KMS provides a comprehensive set of tools for managing encryption keys in the cloud environment, allowing organizations to protect data according to modern security requirements. The use of different types of keys, integration with other cloud services, and support for encryption standards enable clients to flexibly adapt the level of protection to their needs and to ensure compliance with regulatory requirements.
Considering the aforementioned risks, it can be concluded that secret management platforms such as AWS Key Management Service (KMS), Azure Key Vault, and Google Cloud Key Management Service (KMS) are key tools for overcoming modern security challenges in cloud environments. They provide integrated, scalable, and reliable solutions for managing cryptographic keys and other sensitive data, helping organizations minimize the risks associated with storing secrets in the cloud [23]. However, even with these tools, organizations remain vulnerable to the risks mentioned above:
1. Vulnerability to Unauthorized Access: All three platforms store critical keys and secrets in the cloud, which potentially exposes them to unauthorized access, including data breaches or cyber-attacks. AWS KMS, Azure Key Vault, and Google Cloud KMS implement appropriate security measures, such as using Hardware Security Modules (HSMs) and advanced encryption methods, but the risk persists, especially if authentication and access management processes are not properly configured.
2. Internal Threats: Insider threats, such as unauthorized actions by employees or contractors, pose a significant risk to any cloud infrastructure. All three platforms use various methods to mitigate these risks: AWS KMS supports threshold cryptography to distribute access to keys, Azure Key Vault implements role-based access control (Azure RBAC), and Google Cloud KMS uses centralized management and auditing capabilities to prevent unauthorized access.
3. Ensuring Data Integrity and Confidentiality: Cloud data storage requires continuous assurance of data integrity and confidentiality. While AWS KMS, Azure Key Vault, and Google Cloud KMS use advanced encryption methods and access control
mechanisms, storing data on remote servers creates a risk of data tampering or unauthorized modification.
4. Scalability and Performance: The scalability of cloud environments also presents certain security challenges. The use of decentralized encryption solutions, as in the case of Google Cloud KMS, can efficiently handle large volumes of data but may require additional resources to maintain security. Azure Key Vault and AWS KMS offer scaling solutions, but the risk of reduced performance when processing large amounts of data should be considered.
5. Compliance and Building Trust: Implementing reliable secret storage solutions is also associated with the risk of non-compliance with regulatory requirements, such as GDPR or HIPAA, which can lead to fines and reputational damage. All three platforms offer tools to ensure compliance with standards, but their effective use requires organizations to carefully configure security policies and maintain constant monitoring [24].
Thus, AWS KMS, Azure Key Vault, and Google Cloud KMS offer effective tools for secret management and data protection in cloud environments but require proper configuration and continuous monitoring to minimize security risks. Implementing these solutions allows organizations to reduce the risk of data breaches, prevent unauthorized access, ensure data integrity and confidentiality, and comply with regulatory requirements. However, the success of these measures depends on the level of integration with existing cloud services and the specific needs of the business.

4. Universal secret management platform
In modern cloud environments, the need for effective and reliable secret management is becoming increasingly important. Advanced cryptographic solutions, such as state-of-the-art algorithms, threshold cryptography, hybrid automated security systems, server-based decentralized encryption, DNA-based encryption, and hybrid cryptography, provide robust mechanisms for protecting secrets in the cloud. However, to achieve effectiveness, it is essential to have a universal secret management platform capable of integrating these solutions and providing flexible, scalable, and centralized management of keys and other sensitive data [25].
HashiCorp Vault is an example of such an identity-based secret management and encryption system. Vault provides encryption services that ensure secure access to secrets using authentication and authorization methods to verify and restrict access. This tool allows the protection, storage, and management of secrets and other sensitive data through various interfaces, such as a UI, CLI, or HTTP API. A secret is any information that requires strict access control, such as tokens, API keys, passwords, encryption keys, or certificates. Vault provides a unified interface for managing any secrets, offering strict access control and detailed audit logging [26].
This is particularly important in cases where API keys for external services or credentials for interacting in service-oriented architectures are used extensively and across various environments, complicating the understanding of who has access to which secrets (Fig. 1).
1. Authentication — The process by which a client provides information that allows Vault to determine if the client is who it claims to be. After successful authentication, a token is generated that is associated with a specific policy.
2. Verification — Vault verifies the client using external trusted sources, such as GitHub, LDAP, AppRole, etc., which provides an additional layer of security.
3. Authorization — The process of mapping the client to a security policy defined in Vault. A policy consists of a set of rules that determine which API endpoints the client has access to with their token. Policies provide a declarative way to grant or restrict access to specific resources in the vault.
4. Access — After successful authentication and authorization, Vault grants the client access to secrets, keys, and encryption capabilities based on the policies associated with the client’s identifier. The client can use the issued token to perform future operations [27].
Thus, HashiCorp Vault demonstrates an example of a universal secret management platform that integrates modern cryptographic methods and provides a flexible and scalable approach to data security. Such a platform allows the centralized management of secrets and ensures compatibility with various cloud environments and services, providing robust access control and auditing capabilities. This makes it a crucial tool for organizations looking to enhance their data security and meet modern information protection requirements.

4.1. Challenges and risks associated with secret management and Vault’s role in addressing them
Modern enterprises face numerous challenges and risks related to secret management, such as credentials, API keys, passwords, and other confidential data.
Diversity and Lack of Centralized Control: Most organizations have credentials scattered across their environments: in plaintext within source code, configuration files, or even in emails. This creates significant challenges in tracking and controlling access, increasing the risk of unauthorized data use. The dispersion of secrets complicates understanding who has access to which resources and reduces organizations’ ability to respond promptly to security incidents.
Figure 1: Universal Secret Management Platform
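The authorization step of the flow above (Fig. 1) rests on Vault's path-based policies. The following Python, added here and not taken from the paper or from HashiCorp's code, models the documented policy-matching rules (trailing `*` glob, `+` single-segment wildcard, most specific rule wins, `deny` overriding everything) over two constructed policies, so the effective capabilities of a token can be checked offline; the policy names and secret paths are assumptions.

```python
"""Simplified model of how HashiCorp Vault evaluates ACL policies.

Added example (not Vault's code). It follows the documented rules:
  * a rule path is exact, ends in a '*' glob, or uses '+' for one segment;
  * among matching rules the most specific one wins (later first wildcard,
    non-glob, fewer '+' segments, longer path);
  * rules of equal specificity from different policies are merged;
  * 'deny' in the winning set overrides every other capability.
Policies are parsed from a small subset of HCL so the sample is self-contained.
"""
import re
from dataclasses import dataclass

CAPABILITIES = {"create", "read", "update", "patch", "delete", "list", "sudo", "deny"}
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


def parse_policy(text):
    """Parse `path "..." { capabilities = [...] }` stanzas; '#' comments are ignored."""
    rules = []
    for path, caps in _RULE_RE.findall(text):
        names = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        unknown = names - CAPABILITIES
        if unknown:
            raise ValueError(f"unknown capability {sorted(unknown)} on {path}")
        rules.append(Rule(path, names))
    return rules


def path_matcher(rule_path):
    """Compile a rule path: '+' matches exactly one segment, a trailing '*' any suffix."""
    glob = rule_path.endswith("*")
    body = rule_path[:-1] if glob else rule_path
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def specificity(rule_path):
    """Sort key: the smallest key is the most specific rule (Vault's priority order)."""
    first_wild = min((i for i, c in enumerate(rule_path) if c in "*+"), default=len(rule_path))
    return (-first_wild, rule_path.endswith("*"), rule_path.count("+"), -len(rule_path))


def capabilities_for(policies, request_path):
    """Effective capabilities a token holding `policies` has on `request_path`."""
    matched = [r for rules in policies for r in rules if path_matcher(r.path).match(request_path)]
    if not matched:
        return frozenset()
    best = min(specificity(r.path) for r in matched)
    caps = frozenset().union(*(r.capabilities for r in matched if specificity(r.path) == best))
    return frozenset({"deny"}) if "deny" in caps else caps


def is_allowed(policies, request_path, capability):
    return capability in capabilities_for(policies, request_path)


# Constructed sample policies (names and paths are assumptions, not from the paper).
RUNDECK_POLICY = parse_policy("""
# Rundeck jobs may read every secret under rundeck/ except the prod admin one
path "secret/data/rundeck/*" {
  capabilities = ["read"]
}
path "secret/data/rundeck/prod-admin" {
  capabilities = ["deny"]
}
# KV v2 keeps version metadata under a separate metadata/ tree
path "secret/metadata/rundeck/*" {
  capabilities = ["list"]
}
# short-lived AWS credentials, but only for the deploy role
path "aws/creds/deploy" {
  capabilities = ["read"]
}
""")

OPS_POLICY = parse_policy("""
path "secret/data/rundeck/prod-admin" {
  capabilities = ["read", "update"]
}
path "secret/data/+/db" {
  capabilities = ["update"]
}
""")

if __name__ == "__main__":
    for path, cap in [("secret/data/rundeck/db", "read"), ("secret/data/rundeck/prod-admin", "read"),
                      ("secret/data/rundeck/db", "update"), ("aws/creds/admin", "read")]:
        print(f"{cap:6} {path:32} -> {sorted(capabilities_for([RUNDECK_POLICY, OPS_POLICY], path))}")
```

Note that the exact `deny` on `prod-admin` still wins when the ops policy is attached, and that the ops `+` rule loses to the Rundeck glob on `rundeck/db` because its wildcard appears earlier in the path.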
Increased Risk of Malicious Attacks: Storing credentials in plaintext or vulnerable formats increases the likelihood of their compromise by both internal and external attackers. In the event of a data breach or misuse of credentials, the consequences can be catastrophic, including data loss, leakage of confidential information, and significant financial losses.
Inability to Manage the Secret Lifecycle: Without a specialized solution, organizations often struggle to effectively manage the lifecycle of secrets, including generation, storage, updating, and revocation of credentials. This leads to the accumulation of outdated or compromised data, increasing the organization’s vulnerability to attacks [28].
HashiCorp Vault was designed to address these issues by providing a universal secret management platform that centralizes credentials, ensures their protection, and offers effective management tools. The core features of Vault aim to minimize risks associated with secret management as follows:
Secure Secret Storage: Vault allows the storage of any secret keys and values by encrypting them before writing them to persistent storage. This ensures that even if unauthorized access to the raw storage occurs, the secrets remain protected as they cannot be read without appropriate access rights.
Dynamic Secrets: Vault can generate secrets on demand for specific systems, such as databases or cloud services. For instance, if an application needs access to an S3 bucket, Vault creates an AWS key pair with valid permissions and automatically revokes them after the lease period expires, significantly reducing the risk of compromise.
Data Encryption: Vault provides the capability to encrypt and decrypt data without storing it, allowing security teams to control encryption parameters while developers can store encrypted data in secure locations, such as SQL databases, without the need to create their own encryption methods [29].
Lease and Renewal of Secrets: All secrets in Vault are associated with leases. After the lease period expires, the secret is automatically revoked, helping to avoid the storage of outdated or insecure credentials. Clients have the option to extend the lease using built-in APIs for renewal.
Revocation of Secrets: Vault has built-in support for revoking secrets, allowing the immediate invalidation of access to specific credentials or all secrets associated with a particular user or data type. This feature helps to quickly respond to security incidents and prevents the further use of compromised data [30].
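The lease, renewal and revocation behaviour listed above, as an added example that is not Vault's implementation: a small lease manager with an injected clock issues stub AWS-style credentials with a TTL, caps renewals at a maximum TTL measured from issue time, revokes one lease or every lease under a path prefix, and sweeps expired leases. The class and function names and the `aws/creds/deploy` path are assumptions.

```python
"""Lease lifecycle for dynamic secrets, modelled on the behaviour the paper
attributes to Vault: credentials are created on demand with a lease, a lease
can be renewed (never past its maximum TTL), revoked on request, and expired
leases are swept so the backing credential is cleaned up.
Added example, not Vault's code: the AWS backend is a stub that fabricates
placeholder keys, and the clock is injected so the run is deterministic."""
import secrets
from dataclasses import dataclass


class FakeClock:
    """Seconds that advance only when told to (stands in for time.monotonic)."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Lease:
    lease_id: str
    path: str
    data: dict             # the issued credential, e.g. an AWS access key pair
    expires_at: float      # current expiry; moves forward on renewal
    max_expires_at: float  # hard ceiling fixed at issue time (Vault's max_ttl)
    revoked: bool = False


def make_aws_credential():
    """Stub for the AWS secrets engine: placeholder keys, never real ones."""
    return {"access_key": "AKIA-PLACEHOLDER-" + secrets.token_hex(4).upper(),
            "secret_key": secrets.token_urlsafe(24)}


class LeaseManager:
    def __init__(self, clock, default_ttl=300, max_ttl=3600):
        self.clock = clock
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.leases = {}
        self.revoked_credentials = []  # what the backend would delete at the provider

    def issue(self, path, backend, ttl=None):
        """Create a credential through `backend` and attach a lease to it."""
        now = self.clock()
        ttl = min(ttl or self.default_ttl, self.max_ttl)
        lease = Lease(lease_id=f"{path}/{secrets.token_hex(8)}", path=path, data=backend(),
                      expires_at=now + ttl, max_expires_at=now + self.max_ttl)
        self.leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and self.clock() < lease.expires_at

    def renew(self, lease_id, increment):
        """Extend a live lease by up to `increment` seconds; returns the granted duration."""
        if not self.is_valid(lease_id):
            raise LookupError(f"lease {lease_id} is expired, revoked or unknown")
        lease = self.leases[lease_id]
        now = self.clock()
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at - now

    def revoke(self, lease_id):
        """Invalidate one lease immediately and queue its credential for deletion."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        self.revoked_credentials.append(lease.data)
        return True

    def revoke_prefix(self, prefix):
        """Revoke every live lease under a path, e.g. all keys issued from aws/creds/."""
        return [lid for lid in list(self.leases) if lid.startswith(prefix) and self.revoke(lid)]

    def tidy(self):
        """Sweep leases whose TTL ran out; their credentials are revoked as on expiry."""
        expired = [lid for lid, ls in self.leases.items()
                   if not ls.revoked and self.clock() >= ls.expires_at]
        for lid in expired:
            self.revoke(lid)
        return expired


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    manager = LeaseManager(clock, default_ttl=300, max_ttl=900)
    lease = manager.issue("aws/creds/deploy", make_aws_credential)
    print("granted on renew:", manager.renew(lease.lease_id, 1000))
    clock.advance(900)
    print("expired, swept:", manager.tidy(), "revoked:", len(manager.revoked_credentials))
```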
Thus, HashiCorp Vault effectively addresses the challenges of dispersion, reduced management transparency, and increased attack risk by providing centralized secret management, robust encryption, dynamic creation and revocation of credentials, and detailed audit logs. This makes it an essential tool for enterprises looking to enhance the security of their confidential data and protect it from modern cyber threats.

4.2. Using HashiCorp Vault for automating cloud environments

In the context of automating cloud resource provisioning, HashiCorp Vault serves as a centralized platform for secret and credential management, ensuring a secure and efficient environment setup. Vault acts as a secret management cluster, critical for automation tasks carried out with Rundeck — a platform that integrates secrets into its tasks, primarily through Ansible instructions [31].

Access to secrets in Vault is achieved through the AppRole authentication method, which supports machine-to-machine authentication, providing secure access to secrets. This method allows the creation of roles with specific policies that regulate access to secrets. Each role is associated with a RoleID and SecretID, used for authentication, ensuring that only authorized services, such as Rundeck, have access to the needed secrets (Fig. 2).
Figure 2: Cloud Environments Management Automation
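The AppRole exchange described above, as an added example that is not part of the paper or of Vault itself: an operator writes a policy and a role, the consumer logs in with its RoleID and SecretID, and the client token it receives reaches only the paths its policy grants. The role, policy and path names and the seeded secret values are assumptions, and the policy matching is a simplified glob rather than Vault's full HCL policy language.

```python
"""In-memory model of Vault's AppRole machine-to-machine login and
policy-scoped access.  Constructed example, not Vault's code; role,
policy and path names are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set
import hmac
import secrets


class PermissionDenied(Exception):
    pass


@dataclass
class Role:
    role_id: str
    policies: List[str]
    secret_id_num_uses: int = 1          # a SecretID is normally single-use
    secret_ids: Dict[str, int] = field(default_factory=dict)  # id -> uses left


class MiniVault:
    def __init__(self):
        self.roles: Dict[str, Role] = {}
        # policy name -> {path glob: capabilities}, in the spirit of Vault's
        # HCL policies; anything not listed is denied
        self.policies: Dict[str, Dict[str, Set[str]]] = {}
        self.tokens: Dict[str, List[str]] = {}   # client token -> policies
        self.kv: Dict[str, dict] = {}

    # --- operator side, done once ---
    def write_policy(self, name: str, rules: Dict[str, Set[str]]) -> None:
        self.policies[name] = rules

    def create_role(self, name: str, policies: List[str], secret_id_num_uses: int = 1) -> str:
        self.roles[name] = Role(secrets.token_hex(16), policies, secret_id_num_uses)
        return self.roles[name].role_id

    def generate_secret_id(self, name: str) -> str:
        """Delivered to the consumer (e.g. Rundeck) over a separate channel
        from the RoleID, so neither half alone is enough to log in."""
        sid = secrets.token_hex(16)
        self.roles[name].secret_ids[sid] = self.roles[name].secret_id_num_uses
        return sid

    # --- consumer side ---
    def approle_login(self, role_id: str, secret_id: str) -> Optional[str]:
        """Return a client token, or None for a bad pair or an exhausted SecretID."""
        for role in self.roles.values():
            if not hmac.compare_digest(role.role_id, role_id):
                continue
            uses = role.secret_ids.get(secret_id, 0)
            if uses <= 0:
                return None
            role.secret_ids[secret_id] = uses - 1     # burn one use
            token = secrets.token_urlsafe(24)
            self.tokens[token] = list(role.policies)
            return token
        return None

    def _allowed(self, token: str, path: str, capability: str) -> bool:
        for pol in self.tokens.get(token, []):
            for pattern, caps in self.policies.get(pol, {}).items():
                if fnmatchcase(path, pattern) and capability in caps:
                    return True
        return False                                  # deny by default

    def kv_get(self, token: str, path: str) -> dict:
        if not self._allowed(token, path, "read"):
            raise PermissionDenied(f"read {path}")
        return dict(self.kv[path])

    def kv_put(self, token: str, path: str, data: dict) -> None:
        if not self._allowed(token, path, "update"):
            raise PermissionDenied(f"update {path}")
        self.kv[path] = dict(data)


def demo() -> dict:
    """A Rundeck-style consumer may read its own subtree and nothing else."""
    v = MiniVault()
    # constructed secrets seeded by an operator, outside the AppRole flow
    v.kv["secret/data/deploy/db"] = {"password": "p-CONSTRUCTED"}
    v.kv["secret/data/billing/api"] = {"key": "k-CONSTRUCTED"}
    v.write_policy("rundeck-deploy", {"secret/data/deploy/*": {"read"}})
    role_id = v.create_role("rundeck", ["rundeck-deploy"])
    secret_id = v.generate_secret_id("rundeck")

    token = v.approle_login(role_id, secret_id)
    out = {"login_ok": token is not None,
           "secret_id_reusable": v.approle_login(role_id, secret_id) is not None,
           "read_own": v.kv_get(token, "secret/data/deploy/db")["password"]}
    for key, fn in (("read_other", lambda: v.kv_get(token, "secret/data/billing/api")),
                    ("write_own", lambda: v.kv_put(token, "secret/data/deploy/db", {"password": "x"}))):
        try:
            fn()
            out[key] = "allowed"
        except PermissionDenied:
            out[key] = "denied"
    return out
```

Two properties worth checking in any real deployment are visible in `demo()`: a SecretID that has been used cannot be replayed to obtain a second token, and a token scoped to one application's subtree can neither read another application's secrets nor write to its own.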
Most secret functions in this architecture are based on the HashiCorp Vault Key/Value (KV) v2 mechanism, which provides advanced capabilities for storing and managing data. KV v2 supports secret version history, allowing the secure storage of multiple versions of a single secret and the ability to revert to previous versions in case of accidental deletion or unwanted changes. Additionally, this mechanism includes metadata for each secret, aiding in better management and lifecycle control of the stored data, ensuring detailed access control, and audit logging necessary for maintaining data integrity and confidentiality [32].

In practice, when a task is launched on Rundeck, it uses the provided RoleID and SecretID to authenticate with Vault and obtain the necessary secrets. These secrets are then used in Ansible playbooks, which are part of the task, ensuring secure automation of various operations without exposing confidential information in task scripts. This setup not only provides centralized and secure secret management but also automates credential handling, reducing the risk of human error and enhancing the efficiency of automation workflows [33].

In addition to static secrets, this system utilizes AWS dynamic secret management in HashiCorp Vault, allowing the automatic creation of temporary AWS credentials (Fig. 3). This is particularly useful for tasks that require modifications to the AWS cloud environment, enhancing security and compliance. The AWS mechanism in Vault is configured to generate credentials with a limited lifespan based on predefined roles, which determine the access level and permissions required to perform specific automation tasks. This ensures that credentials can only perform specific actions in AWS, minimizing the risk of excessive permissions and improving security by adhering to the principle of least privilege [34].
Figure 3: Dynamic Secret Management Mechanism: AWS Example
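How the KV v2 behaviour described above (numbered versions, reads of an older version, a reversible delete as opposed to destroy, and metadata that outlives the data) fits together, as an added in-memory model rather than Vault's implementation. It goes slightly beyond the text by including the check-and-set write, the KV v2 feature that stops two automation jobs from silently overwriting each other; path names and values are constructed.

```python
"""In-memory model of Vault KV v2 semantics: every write creates a new
numbered version, old versions stay readable, a soft delete can be undone,
and destroy wipes the data while the version history survives.
Constructed example, not Vault's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Version:
    number: int
    data: Optional[dict]          # None once destroyed
    created_at: float
    deleted: bool = False         # soft delete: recoverable with undelete
    destroyed: bool = False       # hard delete: data is gone for good


@dataclass
class SecretMetadata:
    max_versions: int = 10
    current_version: int = 0
    versions: Dict[int, Version] = field(default_factory=dict)


class KVv2:
    def __init__(self, max_versions: int = 10):
        self.max_versions = max_versions
        self._store: Dict[str, SecretMetadata] = {}

    def put(self, path: str, data: dict, now: float, cas: Optional[int] = None) -> int:
        """Write a new version.  With cas (check-and-set) the write succeeds
        only if the caller's idea of the current version is accurate."""
        meta = self._store.setdefault(path, SecretMetadata(self.max_versions))
        if cas is not None and cas != meta.current_version:
            raise ValueError(f"check-and-set failed: current version is {meta.current_version}")
        meta.current_version += 1
        meta.versions[meta.current_version] = Version(meta.current_version, dict(data), now)
        while len(meta.versions) > meta.max_versions:   # prune oldest, like max_versions
            del meta.versions[min(meta.versions)]
        return meta.current_version

    def get(self, path: str, version: Optional[int] = None) -> Optional[dict]:
        """Read the latest (or a specific) version; None if deleted, destroyed or absent."""
        meta = self._store.get(path)
        if meta is None:
            return None
        v = meta.versions.get(version or meta.current_version)
        if v is None or v.deleted or v.destroyed:
            return None
        return dict(v.data)

    def delete(self, path: str, versions: List[int]) -> None:
        for n in versions:
            if n in self._store[path].versions:
                self._store[path].versions[n].deleted = True

    def undelete(self, path: str, versions: List[int]) -> None:
        for n in versions:
            v = self._store[path].versions.get(n)
            if v is not None and not v.destroyed:
                v.deleted = False

    def destroy(self, path: str, versions: List[int]) -> None:
        for n in versions:
            v = self._store[path].versions.get(n)
            if v is not None:
                v.destroyed, v.deleted, v.data = True, True, None

    def history(self, path: str) -> List[dict]:
        """Metadata view: which versions exist and their state, without the data."""
        meta = self._store.get(path)
        if meta is None:
            return []
        return [{"version": v.number, "deleted": v.deleted,
                 "destroyed": v.destroyed, "created_at": v.created_at}
                for v in sorted(meta.versions.values(), key=lambda v: v.number)]


def demo() -> dict:
    """Rotate a credential, recover from a bad delete, then destroy the old value."""
    kv = KVv2(max_versions=5)
    p = "secret/data/deploy/db"           # constructed path
    kv.put(p, {"password": "v1-CONSTRUCTED"}, now=1.0)
    kv.put(p, {"password": "v2-CONSTRUCTED"}, now=2.0)
    out = {"latest": kv.get(p)["password"], "v1": kv.get(p, version=1)["password"]}
    try:                                  # a stale writer that still believes version 1 is current
        kv.put(p, {"password": "stale"}, now=3.0, cas=1)
        out["cas"] = "accepted"
    except ValueError:
        out["cas"] = "rejected"
    kv.delete(p, [2])                     # accidental delete of the latest version is reversible
    out["after_delete"] = kv.get(p)
    kv.undelete(p, [2])
    out["after_undelete"] = kv.get(p)["password"]
    kv.destroy(p, [1])                    # destroy is not, but the history still records the version
    out["v1_after_destroy"] = kv.get(p, version=1)
    out["history_len"] = len(kv.history(p))
    out["rollback_version"] = kv.put(p, {"password": "v2-CONSTRUCTED"}, now=4.0)  # rollback = new version
    return out
```

Note that a rollback in this model, as in KV v2, is a new write of the old value rather than an edit of history, so the audit trail keeps every change in order; `history()` is the metadata endpoint an operator would consult before deciding which versions to destroy.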
When a task is initiated in Rundeck, it requests temporary credentials from Vault. After authenticating the request using AppRole, Vault issues these credentials, which are then used by Ansible playbooks for secure interaction with AWS services. Once the task is completed or the set time expires, these credentials are automatically revoked, significantly reducing the risk of unauthorized access and misuse of resources. This dynamic credential management approach eliminates the need for long-term AWS keys, simplifies the credential rotation and auditing processes, and greatly enhances security and efficiency in cloud environments [35].

Thus, using HashiCorp Vault for automating cloud resource management not only centralizes and secures credentials but also significantly improves security by automating authentication and access management processes. This reduces the risk of human error and enhances the effectiveness of automation tasks in cloud environments [35].

5. Conclusions

In today’s era of increasing cloud technology usage, managing secrets and ensuring data security have become critical tasks for organizations. Given the numerous challenges, such as the fragmentation of credentials, rising internal and external threats, the complexity of managing the lifecycle of secrets, and the need to comply with regulatory requirements, employing a universal secret management platform is essential.

The research indicates that HashiCorp Vault is an effective solution for centralized secret management in cloud environments. Vault provides secure storage, encryption, dynamic creation, and automatic revocation of credentials, offering policy-based access management. Integration of Vault with automation platforms like Rundeck and Ansible allows the automation of cloud resource provisioning while maintaining information confidentiality and reducing the risk of human error. The use of dynamic creation of temporary credentials enhances security and compliance, adhering to the principle of least privilege.

Comparing different secret management platforms, such as AWS KMS, Azure Key Vault, and Google Cloud KMS, highlights their importance in securing cloud environments but also underscores the need for specialized solutions that allow effective integration with existing cloud infrastructures. Vault offers a universal approach, combining advanced cryptographic methods, centralized management, and dynamic credential management, making it a crucial tool for protecting confidential information. Thus, using HashiCorp Vault as a universal secret management platform is an optimal solution for organizations seeking to enhance the security of their cloud environments, ensure regulatory compliance, and automate resource management. It not only minimizes risks associated with unauthorized access and data misuse but also significantly improves the efficiency of processes in modern dynamic infrastructures.

References

[1] R. Salecha, Security and Secrets Management (2022). doi: 10.1007/978-1-4842-8673-9_9.
[2] P. Skladannyi, et al., Improving the Security Policy of the Distance Learning System based on the Zero Trust Concept, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 97–106.
[3] P. Somasundaram, Unified Secret Management Across Cloud Platforms: A Strategy for Secure Credential Storage and Access, Int. J. Comput. Eng. Technol. 15 (2024) 5–12.
[4] O. Vakhula, I. Opirskyy, O. Mykhaylova, Research on Security Challenges in Cloud Environments and Solutions based on the “Security-as-Code” Approach, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 55–69.
[5] S. Shevchenko, et al., Information Security Risk Management using Cognitive Modeling, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II, vol. 3550 (2023) 297–305.
[6] V. Bysani, Automation in Cloud Infrastructure Management: Enhancing Efficiency and Reliability, Int. J. Sci. Res. Eng. Manag. 08 (2024). doi: 10.55041/IJSREM35750.
[7] P. Raj, Continuous Integration for New Service Deployment and Service Validation Script for Vault, Int. J. Sci. Res. Eng. Manag. (2024). doi: 10.55041/IJSREM35565.
[8] R. Banakh, A. Piskozub, Y. Stefinko, External Elements of Honeypot for Wireless Network, in: 13th International Conference on Modern Problems of Radio Engineering, Telecommunications and Computer Science (TCSET) (2016) 480–482. doi: 10.1109/TCSET.2016.7452093.
[9] R. Kyrychok, et al., Development of a Method for Checking Vulnerabilities of a Corporate Network using Bernstein Transformations, Eastern-European Journal of Enterprise Technologies, vol. 1, no. 9(115) (2022) 93–101. doi: 10.15587/1729-4061.2022.253530.
[10] V. Astapenya, et al., Conflict Model of Radio Engineering Systems under the Threat of Electronic Warfare, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 290–300.
[11] J. Chandra, Authentication and Authorization Mechanism for Cloud Security, Int. J. Eng. Adv. Technol. 8 (2019). doi: 10.35940/ijeat.F8473.088619.
[12] A. S. George, S. Fernando, Securing Cloud Application Infrastructure: Understanding the Penetration Testing Challenges of IaaS, PaaS, and SaaS Environments, Partners Universal Int. Res. J. 02 (2023) 24–34. doi: 10.5281/zenodo.7723187.
[13] P. Kankwende, Cybersecurity in the Modern Age Protecting Digital Assets, J. Sci. Eng. Res. 15 (2024).
[14] S. T. Makani, Deep Dive into Terraform for Efficient Management of AWS Cloud Infrastructure and Serverless Deployment, Int. J. Comput. Tech. 8(6) (2021).
[15] J. Almeida, et al., A Machine-Checked Proof of Security for AWS Key Management Service, in: CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (2019) 63–78. doi: 10.1145/3319535.3354228.
[16] T. Moore, et al., Encryption Methods and Key Management Services for Secure Cloud Computing: A Review (2023).
[17] P. Raj, Continuous Integration for New Service Deployment and Service Validation Script for Vault, Int. J. Sci. Res. Eng. Manag. 08 (2024). doi: 10.55041/IJSREM35565.
[18] A. Satapathi, A. Mishra, Storing Function Secrets in Azure Key Vault, in: Hands-on Azure Functions with C#, Apress (2021) 263–287. doi: 10.1007/978-1-4842-7122-3_11.
[19] P. Borra, Impact and Innovations of Azure IoT: Applications, Services, and Future Directions, Int. J. Recent Technol. Eng. 13 (2024) 21–26. doi: 10.35940/ijrte.B8111.13020724.
[20] R. Sajid, et al., Interpretation on the Google Cloud Platform and Its Wide Cloud Services, International Journal of Security and Privacy in Pervasive Computing 14 (2022) 1–7. doi: 10.4018/IJSPPC.313586.
[21] P. Munyao, R. Chikoore, Impact of Cloud Solutions in Research Data Management, Scalable Computing and Collaborative Projects (2024). doi: 10.13140/RG.2.2.22876.40322.
[22] A. Kamaraju, A. Ali, R. Deepak, Best Practices for Cloud Data Protection and Key Management, Future Technologies Conference (FTC) 3 (2022). doi: 10.1007/978-3-030-89912-7_10.
[23] N. Golovacheva, M. Romanov, Study of Security Mechanisms Cloud Services, NBI Technologies (2023) 25–31. doi: 10.15688/NBIT.jvolsu.2023.3.3.
[24] S. Sarkar, S. Roychowdhury, Authentication Authorization and Security Issues in Cloud Computing, Int. J. Res. Appl. Sci. Eng. Technol. 11 (2023) 1275–1283. doi: 10.22214/ijraset.2023.56670.
[25] P. Somasundaram, Unified Secret Management Across Cloud Platforms: A Strategy for Secure Credential Storage and Access, Int. J. Comput. Eng. Technol. 15 (2024) 5–12.
[26] S. Ibn El Ahrache, H. Badir, Enhancing Cloud Data Security Through Long-Term Secret Sharing Schemes (2024). doi: 10.21203/rs.3.rs-4770590/v1.
[27] J. Moazzam, Cloud Computing Security: AWS Data Security Credentials, Studies in Indian Place Names (UGC Care Journal) 40 (2020).
[28] P. Somasundaram, Unified Secret Management Across Cloud Platforms: A Strategy for Secure Credential Storage and Access, Int. J. Comput. Eng. Technol. 15 (2024) 5–12.
[29] A. Horpenyuk, I. Opirskyy, P. Vorobets, Analysis of Problems and Prospects of Implementation of Post-Quantum Cryptographic Algorithms, in: Classic, Quantum, and Post-Quantum Cryptography, vol. 3504, 39–49.
[30] S. Nashkova, Addressing Criminal Liability for Misuse of Trade Secrets Under Australian Law: Is the Current Legal Framework Adequate to Protect the Interests of Owners of Trade Secrets?, IIC – International Review of Intellectual Property and Competition Law 55 (2024) 1281–1315. doi: 10.1007/s40319-024-01490-4.
[31] Y. Martseniuk, et al., Automated Conformity Verification Concept for Cloud Security, in: Cybersecurity Providing in Information and Telecommunication, vol. 3654 (2024) 25–37.
[32] J. Chandra, S. K. Pasupuleti, C. Narasimham, Authentication, Authorization and Auditing in Need of Internet of Things and Industry 4.0 for the Cloud Data Security, in: Authentication and Access Control for Secure Communication in Mobile Cloud Computing (2020) 70–81.
[33] V. Susukailo, I. Opirsky, O. Yaremko, Methodology of ISMS Establishment Against Modern Cybersecurity Threats, in: Future Intent-Based Networking, LNEE 831 (2022). doi: 10.1007/978-3-030-92435-5_15.
[34] R. Sajjan, V. Ghorpade, M. Dhange, Multi-factor Authentication as a Service for Cloud Data Security, Int. J. Comput. Sci. Eng. 4(4) (2016).
[35] K. R. Muppa, Advancing Cloud Security with AI-Enhanced AWS Identity and Access Management, Int. Res. J. Eng. Appl. Sci. (2022) 25–28. doi: 10.55083/irjeas.2022.v10i01005.