Skip to main content

Secrets Management

In order to facilitate SSH scanning to a fleet of instances, Mondoo integrates with several vault systems:

AWS Secrets Manager
AWS SSM Parameter Store
GCP Secrets Manager
HashiCorp Vault
macOS/OSX Keychain
Windows credential store
SystemD Secret Service
Encrypted File

Use your desired Vault and Mondoo together to scan all your assets

Set a Vault configuration

Command Line
mondoo vault set aws --type awssecretsmanager
mondoo vault set hashivault --type hashicorp-vault --option url=http://127.0.0.1:8200 --option token=yourtoken

Add the Vault Secret Query to your configuration file (mondoo.yml)

mondoo.yml
vault:
  name: aws
  query: |
    if (props.labels['Name'] == 'ssh') {
    return { 
    user: 'ec2-user', type:'private_key', secret_id: 'arn:aws:secretsmanager:REGION:ACCOUNTID:secret:vjtest-m7Qfsc'
    }}

Reference the Vault when running a scan

Command Line

mondoo scan -t aws:// --vault aws

Use your desired Vault and Mondoo together to scan all your assets