Monitoring and Auditing Secret Access

Comprehensive monitoring of secret access enables detection of unauthorized access attempts and potential compromises. Kubernetes audit logs record every request that reaches the API server, including who read, created or modified which Secret, when, and from which source address. Two caveats matter. The audit log only sees API traffic: a process reading a secret that is already mounted into its pod as a file or injected as an environment variable produces no audit event, and secrets mounted by the kubelet are fetched under the node's identity (system:node:<name>) rather than the workload's. Audit logging also requires careful configuration to balance security visibility with log volume.

Audit policy configuration for secrets requires special attention to avoid logging secret values while capturing access patterns. A policy rule has one of four levels (None, Metadata, Request, RequestResponse). Request and RequestResponse write the request and response bodies into the event, and for a Secret those bodies carry the base64-encoded values in the data field: the request body on create, update and patch, the response body on get and list. Secrets should therefore be logged at the Metadata level, which records the user, groups, verb, object reference, source IPs, response code and timestamps but no object contents. Rules are evaluated in order and the first match wins, so a narrower rule (for example one targeting unauthenticated callers) must be placed before the general secrets rule or it will never fire.

# Audit policy for secret access monitoring. Rules are matched in order and
# the first match wins, so the narrow rule comes before the general one.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived
rules:
# Read attempts by unauthenticated callers (system:anonymous carries the
# system:unauthenticated group). The request body of a get/list/watch is
# empty, so Request level records the full request (URI, user, verb,
# source IPs) without any secret data.
- level: Request
  userGroups: ["system:unauthenticated"]
  verbs: ["get", "list", "watch"]
  resources:
  - group: ""
    resources: ["secrets"]

# Everything else touching secrets at Metadata level. Request or
# RequestResponse would copy the secret's data field into the audit log
# (request body on create/update/patch, response body on get/list); the
# audit policy has no switch that keeps one body and drops the other,
# only the level. Remove the namespaces list to cover every namespace;
# keep it to limit log volume to the namespaces that matter.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
  namespaces: ["production", "staging", "kube-system", "security-system"]

# Falco rules for runtime secret access monitoring. This is a separate Falco
# rules file, not part of the audit policy above: reads of mounted secret
# files never reach the API server and are invisible to audit logging.
# The two lists are placeholders; fill them with the binaries and images
# that legitimately read mounted secrets in this cluster. Every pod that
# talks to the API reads its own service account token, so tune these
# before routing the rule to an alerting channel.
- list: allowed_secret_readers
  items: []
- list: trusted_images
  items: []

- rule: Unauthorized Secret Access
  desc: Detect reads of mounted secret files by unexpected processes or images
  condition: >
    container.id != host and
    (open_read and
     (fd.name glob "/var/run/secrets/kubernetes.io/serviceaccount/*" or
      fd.name glob "/mnt/secrets/*")) and
    not proc.name in (allowed_secret_readers) and
    not container.image.repository in (trusted_images)
  output: >
    Unauthorized secret file access (user=%user.name command=%proc.cmdline
    file=%fd.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [secrets, filesystem]

Real-time alerting on anomalous secret access patterns enables rapid incident response. Each audit event already carries the fields such rules need: user.username and user.groups, verb, objectRef, sourceIPs, responseStatus.code and the request timestamps. Simple rules might alert on reads outside business hours, on source addresses outside the expected networks, on repeated 401/403 responses against secrets, or on a principal exceeding a per-hour read threshold; behavioural baselining (statistical or machine-learning based) can then flag deviations from a principal's usual set of secrets and namespaces. Shipping events through the API server's webhook backend (--audit-webhook-config-file) or forwarding the file written by --audit-log-path into a SIEM enables correlation with other security events.
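The following script is an added example, not code from the original page or from any Kubernetes project. It covers both the policy hygiene point above (no secret bodies may appear in the log) and the simple alert rules just described. It parses audit.k8s.io/v1 events in the JSON-lines form written by --audit-log-path, flags any secret event that carries a request or response body, and then applies the unauthenticated-caller, denied-request, off-hours, untrusted-source and rate-threshold rules. The business-hours window, the trusted 10.0.0.0/16 network, the threshold of three reads per hour and the sample events are constructed assumptions for illustration.

```python
"""Detection over Kubernetes audit events for secret access (added example).
Parses audit.k8s.io/v1 events as JSON lines, flags policy leaks of secret
bodies, and applies the simple alert rules from the text."""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Hypothetical tuning; adjust to the cluster being monitored.
READ_VERBS = {"get", "list", "watch"}
BUSINESS_HOURS_UTC = range(8, 18)                 # 08:00-17:59 UTC
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
RATE_THRESHOLD_PER_HOUR = 3                       # successful reads per user per clock hour


def _event(audit_id, verb, user, groups, ns, name, code, ts, ip, level="Metadata", body=None):
    """Build a trimmed audit.k8s.io/v1 Event dict (helper for the constructed sample)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": level, "auditID": audit_id,
          "stage": "ResponseComplete", "verb": verb, "user": {"username": user, "groups": groups},
          "sourceIPs": [ip], "objectRef": {"resource": "secrets", "namespace": ns, "apiVersion": "v1"},
          "responseStatus": {"code": code}, "requestReceivedTimestamp": ts}
    if name:
        ev["objectRef"]["name"] = name
    if body is not None:            # only present when logged above Metadata level
        ev["requestObject"] = body
    return ev


SA = ["system:serviceaccounts", "system:authenticated"]
# Constructed sample log: a normal read, an anonymous denied read, an off-hours admin
# list, four reads by one user within an hour, and a create logged at Request level.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("a1", "get", "system:serviceaccount:production:payments", SA,
           "production", "db-creds", 200, "2024-03-04T10:00:00.000000Z", "10.0.0.5"),
    _event("a2", "get", "system:anonymous", ["system:unauthenticated"],
           "production", "db-creds", 403, "2024-03-04T10:05:00.000000Z", "203.0.113.7"),
    _event("a3", "list", "ops-admin", ["system:masters", "system:authenticated"],
           "production", None, 200, "2024-03-04T02:30:00.000000Z", "10.0.2.8"),
    *[_event(f"a{i}", "get", "jane", ["developers", "system:authenticated"], "staging",
             name, 200, f"2024-03-04T11:{minute:02d}:00.000000Z", "10.0.1.9")
      for i, (name, minute) in zip(range(4, 8), [("api-key", 1), ("tls-cert", 12),
                                                 ("db-creds", 25), ("oauth-client", 40)])],
    _event("a8", "create", "system:serviceaccount:kube-system:secret-sync", SA, "kube-system",
           "registry-pull", 201, "2024-03-04T12:00:00.000000Z", "10.0.0.2", level="Request",
           body={"kind": "Secret", "apiVersion": "v1", "metadata": {"name": "registry-pull"},
                 "data": {".dockerconfigjson": "eyJhdXRocyI6e319"}}),
])


def parse_events(text):
    """Parse JSON-lines audit output, keeping only events about secrets."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("objectRef", {}).get("resource") == "secrets":
                events.append(ev)
    return events


def check_no_secret_values_logged(events):
    """Policy hygiene: auditIDs of secret events carrying a request or response body.
    Any hit means the policy logs secrets above Metadata level and the audit log
    now holds secret values."""
    return sorted(ev["auditID"] for ev in events
                  if "requestObject" in ev or "responseObject" in ev)


def detect(events):
    """Apply the simple rules from the text; return sorted (rule, subject) findings."""
    findings, reads_per_user_hour = set(), Counter()
    for ev in events:
        user = ev.get("user", {})
        username, groups = user.get("username", ""), set(user.get("groups", []))
        code = ev.get("responseStatus", {}).get("code", 0)
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        if username == "system:anonymous" or "system:unauthenticated" in groups:
            findings.add(("unauthenticated_caller", ev["auditID"]))
        if code in (401, 403):
            findings.add(("denied_request", ev["auditID"]))
        if ts.hour not in BUSINESS_HOURS_UTC:
            findings.add(("off_hours_access", ev["auditID"]))
        if not all(any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)
                   for ip in ev.get("sourceIPs", [])):
            findings.add(("untrusted_source", ev["auditID"]))
        if ev["verb"] in READ_VERBS and code < 400:       # rate rule counts successful reads
            reads_per_user_hour[(username, ts.strftime("%Y-%m-%dT%H"))] += 1
    for (username, hour), n in reads_per_user_hour.items():
        if n > RATE_THRESHOLD_PER_HOUR:
            findings.add(("rate_threshold_exceeded", f"{username}@{hour}"))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print("secret bodies in audit log:", check_no_secret_values_logged(evs))
    for rule, subject in detect(evs):
        print(f"ALERT {rule}: {subject}")
```

On the sample, the hygiene check returns the create event a8, which is exactly what a Request-level rule on secrets produces: the .dockerconfigjson value sits in the audit log. The anonymous read a2 trips three rules at once (unauthenticated caller, denied request, untrusted source), the 02:30 admin list a3 is off-hours, and jane's four reads in the 11:00 hour exceed the threshold. In production the rate window would be sliding rather than clock-hour buckets, and the off-hours rule should use the principal's own timezone and on-call schedule rather than a fixed UTC range.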