Skip to main content

Secrets Management

In order to facilitate SSH scanning to a fleet of instances, Mondoo integrates with several vault systems:

AWS Secrets Manager
AWS SSM Parameter Store
Google Cloud Secrets Manager
HashiCorp Vault
macOS Keychain
Windows credential store
SystemD Secret Service
Encrypted File

Use your desired Vault and Mondoo together to scan all your assets

Set a Vault configuration

Command Line
mondoo vault set aws --type awssecretsmanager
mondoo vault set hashivault --type hashicorp-vault --option url=http://127.0.0.1:8200 --option token=yourtoken

Add the Vault Secret Query to your configuration file (mondoo.yml)

mondoo.yml
vault:
  name: aws
  query: |
    if (props.labels['Name'] == 'ssh') {
    return { 
    user: 'ec2-user', type:'private_key', secret_id: 'arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:vjtest-m7Qfsc'
    }}

Reference the Vault when running a scan

Command Line
mondoo scan aws --vault aws

Use your desired Vault and Mondoo together to scan all your assets