S4. Use secrets management

Secrets are information such as passwords, private keys, access tokens and the like, that are needed in the configuration of an application.

Traditionally, these items have been stored on the filesystem of the server that hosts the application and protected with filesystem permissions to limit exposure, although such permissions offer no protection once that server is compromised at the root level.

In the context of cloud computing, secrets may be needed by components that are not servers; e.g. in containers, or in serverless microservices. Moreover, automating the secure distribution of secrets to virtual servers that may be discarded and replaced at any time (see the relevant practice) is a complex undertaking.

Cloud platforms typically provide a secrets management capability as a service at little or no additional cost. These services are often fully integrated with other platform services (e.g. virtual servers, container orchestration, lambda functions) so as to minimize the administrative effort required to securely provide secrets to application components requiring them.

Secrets management provided by the cloud platform is the preferred approach where available.
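As an added illustration of the preferred approach (not code from the original page): a small Python loader that fills in configuration secrets from a backend at startup. The AWS Secrets Manager backend is an assumed example of a platform service and relies on the component's ambient IAM role rather than a stored credential; the in-memory backend is a constructed stand-in so the loader runs offline.

```python
"""Resolve 'secret://' references in application config from a secrets backend."""
import time
from typing import Callable, Dict, Tuple

SECRET_PREFIX = "secret://"
Backend = Callable[[str], str]  # secret name -> secret value


def aws_secrets_manager_backend(region: str) -> Backend:
    """Backend for AWS Secrets Manager (assumption: boto3 is installed and the
    component runs under an IAM role, so no credential sits on the filesystem)."""
    def fetch(name: str) -> str:
        import boto3  # imported lazily so the resolver also works without it
        client = boto3.client("secretsmanager", region_name=region)
        return client.get_secret_value(SecretId=name)["SecretString"]
    return fetch


def memory_backend(store: Dict[str, str]) -> Backend:
    """Offline stand-in for the platform service, fed constructed test values.
    A missing name raises KeyError so a misconfigured component fails at startup."""
    return lambda name: store[name]


class SecretResolver:
    """Swaps secret:// references for values pulled from the backend, keeping a
    short in-memory cache so values are re-fetched rather than persisted to disk."""

    def __init__(self, backend: Backend, ttl_seconds: float = 300.0):
        self._backend = backend
        self._ttl = ttl_seconds
        self._cache: Dict[str, Tuple[str, float]] = {}

    def get(self, name: str) -> str:
        cached = self._cache.get(name)
        if cached is None or time.monotonic() - cached[1] > self._ttl:
            cached = (self._backend(name), time.monotonic())
            self._cache[name] = cached
        return cached[0]

    def resolve(self, config: Dict[str, str]) -> Dict[str, str]:
        return {k: self.get(v[len(SECRET_PREFIX):]) if v.startswith(SECRET_PREFIX) else v
                for k, v in config.items()}


def loggable(raw: Dict[str, str], resolved: Dict[str, str]) -> Dict[str, str]:
    """View of the resolved config that is safe to log: every value that came
    from the secrets backend is masked, non-secret settings are shown as-is."""
    return {k: "***" if raw[k].startswith(SECRET_PREFIX) else v
            for k, v in resolved.items()}
```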