The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Product Overview

External Secrets Inc. Audit & Compliance is a product suite that allows you to monitor and audit your secrets management infrastructure. It includes:
  • Audit Listener
  • Audit Compliance via Policies
  • Audit Dashboard
A reference architecture is shown in the figure below (architecture diagram, light and dark variants).

Audit Dashboard

Audit Dashboard is the main dashboard for ESI Audit & Compliance. It is accessible globally at https://app.externalsecrets.com and presents the following information about the secrets held in the configured providers:
  • When was the last time the secret was updated
  • When was the last time the secret was accessed (and by whom)
  • Rotation and Access Logs
  • Which other secrets duplicate the accessed secret, fully or partially
  • Which secrets are non-compliant with policies (see the next section)
  • Policy Compliance/Non-Compliance logs

Audit Policies

As part of ESI Audit & Compliance, you can create policies to monitor secrets posture across your organization. Policies are written in OPA's Rego language and can be evaluated on several event conditions:
  • When a secret was accessed
  • When a secret was created
  • When a secret was updated
  • When a secret was deleted
  • When a secret RBAC was created
  • When a secret RBAC was updated
  • When a secret RBAC was deleted
Samples of these events are available within the Audit Dashboard to facilitate policy creation and troubleshooting. All of them are computed in real time by the Audit Listener.
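As an added illustration of the kind of policy this section describes (example code, not a policy or schema shipped by External Secrets Inc.), the Rego below flags three compliance violations against a single event document. The shape of `input` (an `event` object with `type`, `timestamp` and `actor`, and a `secret` object with `name`, `last_rotated` and `labels`), the package name and the event type strings are all assumptions made for this example; the real Audit Listener event format is not documented on this page.

```rego
# Added example, not ESI's own policy. The input schema below is assumed:
#   input.event.type       one of access|create|update|delete|rbac_create|rbac_update|rbac_delete
#   input.event.timestamp  RFC 3339 time of the event
#   input.event.actor      identity that performed the action
#   input.secret.name      secret identifier in the provider
#   input.secret.last_rotated  RFC 3339 time of the last rotation
#   input.secret.labels    optional string map (e.g. {"protected": "true"})
package esi.audit.example

import future.keywords

# Secrets must be rotated at least every 90 days (expressed in nanoseconds,
# the unit returned by OPA's time.* built-ins).
max_rotation_age_ns := 90 * 24 * 60 * 60 * 1000000000

# Hypothetical allow-list of identities permitted to change secret RBAC.
approved_rbac_actors := {"secrets-admin@example.com", "platform-ci"}

default compliant := false

# An event is compliant only when no rule below produces a violation.
compliant if count(violations) == 0

# Rule 1: on access/create/update events, flag secrets whose last rotation
# is older than the allowed maximum.
violations contains msg if {
	input.event.type in {"access", "create", "update"}
	rotated := time.parse_rfc3339_ns(input.secret.last_rotated)
	now := time.parse_rfc3339_ns(input.event.timestamp)
	now - rotated > max_rotation_age_ns
	msg := sprintf("secret %q last rotated %s, exceeds 90-day rotation limit", [input.secret.name, input.secret.last_rotated])
}

# Rule 2: RBAC changes must be made by an approved actor.
violations contains msg if {
	input.event.type in {"rbac_create", "rbac_update", "rbac_delete"}
	not input.event.actor in approved_rbac_actors
	msg := sprintf("RBAC change on %q by unapproved actor %q", [input.secret.name, input.event.actor])
}

# Rule 3: deleting a secret labelled protected is always a violation.
# If the secret carries no labels, the reference is undefined and the rule
# simply does not fire.
violations contains msg if {
	input.event.type == "delete"
	input.secret.labels.protected == "true"
	msg := sprintf("protected secret %q was deleted by %q", [input.secret.name, input.event.actor])
}
```

With a constructed event file such as `{"event":{"type":"update","timestamp":"2024-06-01T00:00:00Z","actor":"app-deployer"},"secret":{"name":"db/password","last_rotated":"2024-01-01T00:00:00Z"}}` saved as `event.json`, `opa eval -i event.json -d policy.rego 'data.esi.audit.example.violations'` returns the rotation-limit message and `data.esi.audit.example.compliant` evaluates to `false`; a secret rotated within the last 90 days yields an empty set and `true`. Keeping every check in the `violations` set rather than in separate boolean rules means the dashboard can display the specific reason for non-compliance instead of a bare pass/fail.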

Audit Listener

This is the main component responsible for the heavy work of audit and compliance. It connects to each provider (see the providers section for how each provider is connected), generates events, and evaluates policy compliance against those events. It also keeps track of accessors, duplication, and rotation across the configured providers. The Audit Listener processes the events from these providers and expresses the results as metrics. These results contain no sensitive data, only metadata about the activities the listener performed. The metrics are exposed directly to the end user via a Prometheus endpoint and are also transmitted to the Audit Dashboard.

Next Steps