Without secrets manager audit logs, you cannot answer the most critical post-breach question: which secrets were accessed, by whom, and when? CWE-778 (Insufficient Logging) and OWASP A09 (Security Logging and Monitoring Failures) both identify missing audit trails as a security failure. NIST AU-2 requires that organizations define events to be logged — secrets retrieval is the highest-priority event in that list. PCI-DSS 4.0 Req-10.2 mandates logging all access to audit logs themselves and cardholder data resources. Without these logs, incident response is blind, forensic timelines cannot be established, and compliance cannot be demonstrated.
Severity is info because audit log gaps do not directly expose secrets, but they eliminate the forensic record needed to detect unauthorized access and scope a breach after the fact.
Enable audit logging in your secrets manager and verify that each log entry captures at minimum: timestamp, principal identity, secret identifier, operation, and result code.
AWS Secrets Manager via CloudTrail:
aws cloudtrail create-trail \
--name secrets-audit-trail \
--s3-bucket-name your-audit-bucket
aws cloudtrail start-logging --name secrets-audit-trail
HashiCorp Vault — enable a file audit device (audit devices are enabled through the CLI or API against a running, unsealed server; the server config file has no audit stanza):
vault audit enable file file_path=/vault/logs/audit.log
Azure Key Vault: Portal → Key Vault → Diagnostic settings → Add diagnostic setting → enable AuditEvent → send to Log Analytics workspace.
After enabling, verify by retrieving a secret and confirming the retrieval appears in the audit log within 60 seconds.
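As an added example (not part of the original check text), the following Python script applies the five-field check above to constructed sample records: one CloudTrail event for an AWS Secrets Manager call and one Vault file audit device entry. The field names follow the documented CloudTrail and Vault log formats; the ARNs, paths and timestamps are made up.

```python
import json

# Minimum fields every secrets-access audit record must carry.
REQUIRED = ("timestamp", "principal", "secret", "operation", "result")

# Constructed sample records (not real logs).
CLOUDTRAIL_LINE = json.dumps({
    "eventTime": "2024-05-01T12:00:00Z",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "GetSecretValue",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
    "requestParameters": {"secretId": "prod/db/password"},
    "errorCode": "AccessDenied",
})
VAULT_LINE = json.dumps({
    "time": "2024-05-01T12:00:01Z",
    "type": "response",
    "auth": {"display_name": "approle-payments"},
    "request": {"operation": "read", "path": "secret/data/payments/db"},
    "error": "",
})


def normalize_cloudtrail(line):
    """Map a CloudTrail event to the five required audit fields."""
    ev = json.loads(line)
    return {
        "timestamp": ev.get("eventTime"),
        "principal": (ev.get("userIdentity") or {}).get("arn"),
        "secret": (ev.get("requestParameters") or {}).get("secretId"),
        "operation": ev.get("eventName"),
        # CloudTrail omits errorCode on success, so absence means success.
        "result": ev.get("errorCode", "Success"),
    }


def normalize_vault(line):
    """Map a Vault file audit entry to the five required audit fields."""
    ev = json.loads(line)
    req = ev.get("request") or {}
    # Only "response" entries record the outcome; a bare "request" entry
    # cannot tell you whether the read succeeded, so result stays unknown.
    result = None
    if ev.get("type") == "response":
        result = ev.get("error") or "success"
    return {
        "timestamp": ev.get("time"),
        "principal": (ev.get("auth") or {}).get("display_name"),
        "secret": req.get("path"),
        "operation": req.get("operation"),
        "result": result,
    }


def missing_fields(record):
    """Return the required fields that are absent or empty in a normalized record."""
    return [f for f in REQUIRED if not record.get(f)]
```

A record with an empty list from missing_fields passes the check; anything listed is what the "Detail on fail" message should name.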
ID: environment-security.access-audit.secrets-audit-logged
Severity: info
What to look for: Check the secrets manager's audit/logging settings. In AWS Secrets Manager, look for CloudTrail logging. In Vault, check audit log configuration. In Azure Key Vault, check diagnostic settings. Verify logs include timestamp, principal, action, and result.
Pass criteria: Count all secrets manager audit log configurations. Secrets manager access is logged with a full audit trail covering at least 4 fields: timestamp, who accessed it, what was accessed, and what the result was.
Fail criteria: No audit logging configured, or logs are incomplete (missing principal or action).
Skip (N/A) when: The project does not use a secrets manager (uses only .env files — but this should already be a fail on an earlier check).
Detail on fail: "AWS Secrets Manager has no CloudTrail logging enabled" or "Vault audit logs configured but missing action details".
Remediation: Enable audit logging in your secrets manager:
AWS Secrets Manager:
aws cloudtrail create-trail --name secrets-audit --s3-bucket-name my-bucket
aws cloudtrail start-logging --name secrets-audit
HashiCorp Vault (audit devices are enabled via CLI or API, not in the server config file):
vault audit enable file file_path=/vault/logs/audit.log
Azure Key Vault: Log in to Azure Portal → Key Vault → Diagnostic settings → Enable logging to Storage or Log Analytics.