Log shipping access/API detail visible

Logs and log shipping may handle sensitive data in some cases: literal sensitive data (that shouldn't be there), or data that indicates system operation, architecture, topology and more. In addition, for regulation that demand encryption in transit and in store, this includes securing those systems.

Since these systems require integrations that have multiple building blocks, it is common to require the use of APIs, tokens, and access detail that are used for securely integrating these blocks.

You should hold these details in a secure and safe place in order to not risk your log shipping pipeline and log aggregation systems.

Problem

Log shipping integration access detail or log aggregation system access details are hardcoded or exposed in configuration files, infrastructure code, or business services.

Fix

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. Hashicorp Vault

Architecture

  1. Prefer a 12-factor architecture
  2. Use secret-loading libraries like .env for your specific tech stack

See