Secrets Management
To facilitate SSH scanning of a fleet of instances, Mondoo integrates with several vault systems:
- AWS Secrets Manager
- AWS SSM Parameter Store
- GCP Secrets Manager
- HashiCorp Vault
- macOS/OSX Keychain
- Windows credential store
- SystemD Secret Service
- Encrypted File
Use your preferred vault together with Mondoo to scan all of your assets.
Set a Vault configuration
Command Line
mondoo vault set aws --type awssecretsmanager
mondoo vault set hashivault --type hashicorp-vault --option url=http://127.0.0.1:8200 --option token=yourtoken
Add the Vault Secret Query to your configuration file (mondoo.yml). The query runs against each asset's properties (props) and returns the SSH user, the credential type and a reference to the secret in the vault, not the secret itself.
mondoo.yml
vault:
  name: aws
  query: |
    if (props.labels['Name'] == 'ssh') {
      return {
        user: 'ec2-user',
        type: 'private_key',
        secret_id: 'arn:aws:secretsmanager:REGION:ACCOUNTID:secret:vjtest-m7Qfsc'
      }
    }
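As an added illustration (not Mondoo's own code), the JavaScript below mirrors the query from mondoo.yml and applies it to a constructed sample fleet, so you can see which assets receive a credential reference and which are left without one. The `resolveCredentials` harness and the sample assets are assumptions; only the `props.labels` shape and the returned object follow the page.

```javascript
// Added illustration: mirrors the vault query on this page and runs it over a
// constructed fleet. The harness below is an assumption, not Mondoo's engine.

// The query body from mondoo.yml, written as a plain function of `props`.
function vaultQuery(props) {
  if (props.labels['Name'] == 'ssh') {
    return {
      user: 'ec2-user',
      type: 'private_key',
      // Placeholder ARN (REGION/ACCOUNTID as on the page): this is only a
      // reference to the secret; the private key never appears in config.
      secret_id: 'arn:aws:secretsmanager:REGION:ACCOUNTID:secret:vjtest-m7Qfsc',
    };
  }
  // No matching label: return nothing, so the asset gets no credential.
}

// Apply the query to every asset. Assets whose labels do not match are
// collected separately so the gap is visible instead of silently skipped.
function resolveCredentials(assets, query) {
  const resolved = {};
  const unmatched = [];
  for (const asset of assets) {
    const cred = query(asset.props);
    if (cred && cred.secret_id) {
      resolved[asset.id] = cred;
    } else {
      unmatched.push(asset.id);
    }
  }
  return { resolved, unmatched };
}

// Constructed sample fleet (hypothetical instance ids and labels).
const SAMPLE_ASSETS = [
  { id: 'i-0a1', props: { labels: { Name: 'ssh' } } },
  { id: 'i-0b2', props: { labels: { Name: 'web' } } },
  { id: 'i-0c3', props: { labels: {} } },
];

const result = resolveCredentials(SAMPLE_ASSETS, vaultQuery);
console.log('resolved:', Object.keys(result.resolved));   // ['i-0a1']
console.log('unmatched:', result.unmatched);              // ['i-0b2', 'i-0c3']
```

Assets listed as unmatched will not be reachable over SSH during the scan, so extend the query's label checks until the list is empty for the hosts you expect to cover.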
Reference the Vault when running a scan
Command Line
mondoo scan -t aws:// --vault aws