elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Cloud Posture Management potentially stores unnecessary secrets #171922

Open romulets opened 1 year ago

romulets commented 1 year ago

Describe the bug: I noticed that we store all the values filled in the Cloud Security Posture form, even the ones not used. For example I added a random secret access key for cspm aws and kspm eks. This is stored and displayed:

[...]
  "kspm-cloudbeat/cis_eks": {
    "enabled": true,
    "streams": {
      "cloud_security_posture.findings": {
        "enabled": true,
        "vars": {
          "secret_access_key": "1231231231231",
          "aws.credentials.type": "direct_access_keys"
        }
      }
    }
  },
  "cspm-cloudbeat/cis_aws": {
    "enabled": false,
    "streams": {
      "cloud_security_posture.findings": {
        "enabled": false,
        "vars": {
          "secret_access_key": "231234234234",
          "aws.credentials.type": "direct_access_keys",
          "aws.account_type": "organization-account"
        }
      }
    }
  },
[...]

It looks a bit unnecessary to potentially store unused secrets. More on the premise of "if you don't need it, don't keep it". Personally I think we should send and store only the enabled integration.

Kibana/Elasticsearch Stack version: 8.12-SNAPSHOT

Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Cloud Security Posture Management

Steps to reproduce:

Current behavior: All the values filled in any integration are sent and stored, regardless of if the integration is enabled or not.

Expected behavior: Send and store data regarding only enabled integrations, therefore leaving out any disabled integration data.

Screenshots (if relevant):

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 12 months ago

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

maxcold commented 12 months ago

We have a clean-up task implemented as a fleet onSave hook. The task cleans up the variables that are not required for a given credentials.type. But this happens only within the scope of one input, the one that has enabled: true. As we reuse the vars between different inputs, e.g. secret_access_key between cspm_cloudbeat/cis_aws and kspm_cloudbeat/cis_eks, we also need to clean up the inputs which are not enabled.
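The two-level pruning the comment describes (drop vars a credentials type does not use, and additionally empty the vars of inputs that are not enabled), as an added illustration that is not Kibana's onSave hook; the REQUIRED_VARS mapping, the PLACEHOLDER key values and the helper names are assumptions constructed for this example, shaped after the policy excerpt in the issue.

```typescript
// Added illustration, not Kibana's own hook: keep secrets only on enabled
// inputs/streams, and only those the selected credentials type needs.
type StreamVars = Record<string, unknown>;
interface Stream { enabled: boolean; vars?: StreamVars }
interface Input { enabled: boolean; streams: Record<string, Stream> }
type Inputs = Record<string, Input>;

// Hypothetical mapping of credentials type -> vars that type actually uses.
const REQUIRED_VARS: Record<string, string[]> = {
  direct_access_keys: ['access_key_id', 'secret_access_key'],
  assume_role: ['role_arn'],
};
// Non-secret selectors kept whatever the credentials type is.
const ALWAYS_KEEP = ['aws.credentials.type', 'aws.account_type'];

// Per-stream cleanup: drop vars not required by the stream's credentials.type.
function cleanVars(vars: StreamVars): StreamVars {
  const credType = String(vars['aws.credentials.type'] ?? '');
  const allowed = ALWAYS_KEEP.concat(REQUIRED_VARS[credType] ?? []);
  const kept: StreamVars = {};
  for (const key of Object.keys(vars)) {
    if (allowed.indexOf(key) !== -1) kept[key] = vars[key];
  }
  return kept;
}

// Policy-wide cleanup: disabled inputs/streams lose all vars, enabled ones are pruned.
function cleanupInputs(inputs: Inputs): Inputs {
  const out: Inputs = {};
  for (const name of Object.keys(inputs)) {
    const input = inputs[name];
    const streams: Record<string, Stream> = {};
    for (const sname of Object.keys(input.streams)) {
      const stream = input.streams[sname];
      const active = input.enabled && stream.enabled;
      streams[sname] = { enabled: stream.enabled, vars: active ? cleanVars(stream.vars ?? {}) : {} };
    }
    out[name] = { enabled: input.enabled, streams };
  }
  return out;
}

// Constructed sample shaped like the issue's excerpt; key values are placeholders.
const SAMPLE_INPUTS: Inputs = {
  'kspm-cloudbeat/cis_eks': { enabled: true, streams: { 'cloud_security_posture.findings': {
    enabled: true, vars: { secret_access_key: 'PLACEHOLDER-1', 'aws.credentials.type': 'direct_access_keys', role_arn: 'stale' } } } },
  'cspm-cloudbeat/cis_aws': { enabled: false, streams: { 'cloud_security_posture.findings': {
    enabled: false, vars: { secret_access_key: 'PLACEHOLDER-2', 'aws.credentials.type': 'direct_access_keys', 'aws.account_type': 'organization-account' } } } },
};

// Count how many streams still carry a secret_access_key (2 before cleanup, 1 after).
function countSecretKeys(inputs: Inputs): number {
  let n = 0;
  for (const name of Object.keys(inputs)) {
    for (const sname of Object.keys(inputs[name].streams)) {
      const vars = inputs[name].streams[sname].vars;
      if (vars && 'secret_access_key' in vars) n += 1;
    }
  }
  return n;
}
```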