elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Feature Request for Elastic Kibana: Enhanced Security for Fleet Integrations through One-Way Secret Addition #171854

Closed slawomirbabicz closed 10 months ago

slawomirbabicz commented 11 months ago

Describe the feature:

Current Situation: Fleet Integrations in Elastic Kibana are an essential component, widely used for configuring various services. During configuration, these integrations often require input of sensitive information, such as usernames, integration keys, API keys, secret keys, and URL endpoints. This sensitive data is crucial for the operational integrity and security of the services being integrated.

Issue Identified: Currently, any user with elevated permissions within Kibana's GUI has the ability to access the Fleet configuration and view these sensitive details. This accessibility poses a significant security risk, as it allows individuals with access to easily retrieve and potentially misuse these sensitive credentials, leading to unauthorized use of services, data breaches, or other security incidents.

Proposed Feature: To address this security vulnerability, I propose the introduction of a "one-way secret addition" feature for Fleet Integrations within Kibana. This feature would be akin to the mechanism used in GitHub Actions for handling secrets, where the sensitive data can be added or updated but not viewed or edited post-submission.

Describe a specific use case for the feature:

Benefits:

- Enhanced Security: By preventing the visibility of sensitive data post-entry, the risk of unauthorized access and misuse of credentials is significantly reduced.
- Audit and Control: This feature would also aid in better audit and control mechanisms, as any changes or additions to sensitive data would require deliberate actions, thereby reducing inadvertent exposure.
- Alignment with Best Practices: Implementing such a feature aligns Kibana with industry best practices for handling sensitive information, thus bolstering user trust and compliance with various data protection standards.

Impact on Users: This enhancement will benefit all users who manage and configure Fleet Integrations, especially in environments where multiple users have access to Kibana's configuration settings. It will ensure that sensitive data is handled more securely, ultimately protecting the integrity of the systems and data that Kibana helps manage.

Conclusion: I firmly believe that introducing a one-way secret addition feature for Fleet Integrations in Kibana would be a significant step forward in ensuring the security and integrity of sensitive data. I look forward to seeing this enhancement in future releases and am available for any further discussion or clarification needed on this proposal.

Thank you for considering this request.

elasticmachine commented 10 months ago

Pinging @elastic/fleet (Team:Fleet)

kpollich commented 10 months ago

Good news here: secrets support exactly as described landed in Kibana 8.10: https://github.com/elastic/kibana/issues/154715.

We're now actively driving adoption of secrets across as many integrations as possible in https://github.com/elastic/integrations/issues/8610