\\fileshare\deploy\rotate-vault.ps1 · 02:14 shared · everyone read
# nightly: push config to the deploy targets
$targets = Get-Content ".\hosts.txt"
$vaultUser = "vault-admin"
$vaultPass = "T#mp-D3pl0y!2o22-master"
Connect-Vault -User $vaultUser -Secret $vaultPass
Two plaintext lines on an open share: the master key to the vault itself.
Approve sign-in?
Approve sign-in?
Approve sign-in?
Approve sign-in? Approve
push · push · push
Domain admin · Cloud console · Source code · Backups · The vault
Reported · One weary Approve let them in, and a hardcoded credential handed over every other key in the building.
Privileged Access · Secrets & PAM hygiene

The master key in a script

An MFA-fatigue tap opened the door; then a privileged credential hardcoded in plaintext handed over the password vault itself.
PAM / secrets hygiene · NIST IA-5 · IA-2(1) · Uber 2022
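
A defender-side check for the pattern shown in rotate-vault.ps1, as an added example that is not part of the original page: a Python scanner that flags string literals assigned to credential-named variables, or passed to credential-named parameters under an innocuous variable name. The name list in SENSITIVE and the function name find_hardcoded_secrets are assumptions of this example.

```python
import re

# The script shown on the page, used here as sample input.
SAMPLE = r'''# nightly: push config to the deploy targets
$targets = Get-Content ".\hosts.txt"
$vaultUser = "vault-admin"
$vaultPass = "T#mp-D3pl0y!2o22-master"
Connect-Vault -User $vaultUser -Secret $vaultPass
'''

# $name = "literal" or 'literal' (a string literal, not a command's output)
ASSIGN = re.compile(r'''^\s*\$(\w+)\s*=\s*(["'])(.*?)\2\s*$''')
# "-Param $var" pairs on a command line
PARAM = re.compile(r'-(\w+)\s+\$(\w+)')
# Assumed heuristic list of credential-like names; tune it for your estate.
SENSITIVE = re.compile(r'pass|pwd|secret|token|apikey|credential', re.I)


def find_hardcoded_secrets(script):
    """Return [(line_no, variable, reason)] for literals used as secrets."""
    literals = {}   # lowercased variable name -> line of its literal assignment
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith('#'):      # skip whole-line comments
            continue
        m = ASSIGN.match(line)
        if m:
            name = m.group(1)
            literals[name.lower()] = no        # PowerShell names are case-insensitive
            if SENSITIVE.search(name):
                findings.append(
                    (no, name, 'literal assigned to credential-named variable'))
            continue
        # Trace literals into credential-named parameters, which catches
        # secrets hidden behind innocuous variable names such as $x.
        for param, var in PARAM.findall(line):
            src = literals.get(var.lower())
            if src and SENSITIVE.search(param) and not SENSITIVE.search(var):
                findings.append((src, var, f'literal passed to -{param} on line {no}'))
    return findings


if __name__ == '__main__':
    for line_no, var, reason in find_hardcoded_secrets(SAMPLE):
        print(f'line {line_no}: ${var}: {reason}')
```

A value fetched at run time (for example from a command's output) is not a string literal and is not flagged, so the scanner separates the hardcoded form from the retrieved form.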