A vendor-agnostic API broker for secure secrets management.
Pitch

Aegis is a thin, audited proxy between applications and the secrets infrastructure behind them. It lets teams manage their own API keys and gives each team scoped access to secrets held in platforms such as CyberArk and HashiCorp Vault. With comprehensive logging and structured visibility, teams can scale securely without adding load on security operations.

Description

Aegis

Overview

Aegis is a vendor-agnostic secrets broker and a privileged access management (PAM) gateway designed to streamline the management and access of secrets across various platforms, such as CyberArk, HashiCorp Vault, AWS Secrets Manager, and Conjur. This solution enables teams to authenticate through scoped API keys, ensuring they retrieve only the secrets they are authorized to access. Every action taken within Aegis is logged comprehensively, attributed to specific teams, and made queryable, enhancing transparency and accountability.

Key Features

  • Scoped API Keys: Aegis issues one API key per team-registry pair, so Team A and Team B reach the same registry with different keys, and a compromised key exposes only one team's scope on one registry.
  • Immutable Audit Logs: All actions, from fetching to rotating secrets, are recorded in an immutable log featuring detailed before/after diffs and complete attribution, providing insight into secret management practices.
  • Self-Service Capabilities: Teams have the autonomy to manage their webhook subscriptions, notification settings, and CI/CD integrations independently of the security team, reducing operational overhead and enhancing efficiency.
  • Scalability: Designed to support over 100 teams and 40,000 secrets under a single security team, Aegis simplifies access management and promotes operational security.

Usage

Aegis acts as a bridge between applications and secret storage solutions, enabling secure and efficient secret management. Here's a basic flow of how it works:

Your Application                Aegis                    Upstream Vault
      │                            │                            │
      │  GET /secrets              │                            │
      │  X-API-Key: sk_...         │                            │
      │  X-Change-Number: CHG123   │                            │
      ├───────────────────────────►│                            │
      │                            │  1. Hash key → lookup      │
      │                            │     team + registry        │
      │                            │                            │
      │                            │  2. Enforce policy:        │
      │                            │     change number, IP,     │
      │                            │     time window, rate      │
      │                            │                            │
      │                            │  3. Fetch secrets per      │
      │                            │     vendor (CyberArk,      │
      │                            ├───────────────────────────►│
      │                            │◄───────────────────────────┤
      │                            │     Vault, AWS, Conjur)    │
      │                            │                            │
      │                            │  4. Write audit log        │
      │                            │     (team, registry,       │
      │                            │      objects, IP, CHG#)    │
      │                            │                            │
      │                            │  5. Emit SIEM event        │
      │                            │     (stdout/Splunk/S3/DD)  │
      │                            │                            │
      │  { secret_name: value }    │                            │
      │◄───────────────────────────│                            │
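The five steps in the diagram, as an added worked example that is not Aegis's own code: a small Python model of the broker that hashes the presented key to find the team and registry, enforces change number, source IP, time window and rate limit, fetches only the objects that team's policy permits, and appends a hash-chained audit entry which it also emits to a SIEM sink. It also illustrates the scoped-key and immutable-log features listed above. Everything concrete here is an assumption: the two teams and their keys, the per-team policies, the in-memory "upstream vault", the fixed clock, the `CHG` + digits change-number shape, and the hash chain (my choice for showing tamper evidence; the page does not say how Aegis makes its log immutable).

```python
# Toy model of the request flow above. Added example, not Aegis code: keys, policies,
# clock and the in-memory "upstream vault" are all constructed for illustration.
import hashlib
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: two teams share one registry but hold distinct keys (one key per team-registry pair).
RAW_KEYS = {"sk_teamA_example": ("team-a", "vault-prod"), "sk_teamB_example": ("team-b", "vault-prod")}
POLICIES = {  # constructed policy per (team, registry): objects, source CIDRs, UTC hour window, requests/min
    ("team-a", "vault-prod"): {"objects": {"db/password", "api/token"},
                               "cidrs": ["10.0.0.0/8"], "hours": (0, 24), "rate": 5},
    ("team-b", "vault-prod"): {"objects": {"api/token"},
                               "cidrs": ["192.168.1.0/24"], "hours": (8, 18), "rate": 2},
}
# Constructed stand-in for the upstream vault; a real broker calls the vendor API here.
UPSTREAM = {"vault-prod": {"db/password": "hunter2-rotated", "api/token": "tok_abc"}}
CHG_RE = re.compile(r"^CHG\d{3,}$")  # assumed change-number shape (CHG followed by digits)
FIXED_NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed clock for reproducible runs


def key_id(raw_key: str) -> str:
    """Keys are stored and looked up by SHA-256 digest only, so a leaked key table is not a usable key."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


class PolicyError(Exception):
    """Raised when step 1 or step 2 rejects the request."""


class Broker:
    def __init__(self, now=None):
        self.keys = {key_id(k): ident for k, ident in RAW_KEYS.items()}
        self.audit = []                 # append-only, hash-chained audit log (step 4)
        self.siem = []                  # stand-in for the stdout/Splunk/S3 sink (step 5)
        self.hits = defaultdict(int)    # fixed one-minute buckets per team-registry, for rate limiting
        self.now = now or (lambda: datetime.now(timezone.utc))

    def _enforce(self, team, registry, ip, chg, ts):
        """Step 2: change number, source IP, time window and rate limit, in that order."""
        pol = POLICIES[(team, registry)]
        if not chg or not CHG_RE.match(chg):
            raise PolicyError("missing or malformed change number")
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(c) for c in pol["cidrs"]):
            raise PolicyError(f"source {ip} not in allowed networks")
        if not pol["hours"][0] <= ts.hour < pol["hours"][1]:
            raise PolicyError("outside permitted time window")
        bucket = (team, registry, ts.strftime("%Y-%m-%dT%H:%M"))
        self.hits[bucket] += 1
        if self.hits[bucket] > pol["rate"]:
            raise PolicyError("rate limit exceeded")
        return pol

    def _record(self, entry):
        """Steps 4 and 5: append a hash-chained audit entry and emit the same event to the SIEM sink."""
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        chained = dict(entry, prev=prev, hash=digest)
        self.audit.append(chained)
        self.siem.append(json.dumps(chained, sort_keys=True))

    def verify_chain(self):
        """Recompute every link; an edited or dropped entry breaks the chain (tamper evidence, not prevention)."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True

    def get_secrets(self, raw_key, ip, chg, names):
        """Handle GET /secrets given X-API-Key, X-Change-Number, the source IP and the names requested."""
        ts = self.now()
        base = {"ts": ts.isoformat(), "ip": ip, "chg": chg, "requested": sorted(names)}
        ident = self.keys.get(key_id(raw_key))                      # step 1: hash key -> team + registry
        if ident is None:
            self._record(dict(base, outcome="deny", reason="unknown key"))
            raise PolicyError("unknown API key")
        team, registry = ident
        base.update(team=team, registry=registry)
        try:
            pol = self._enforce(team, registry, ip, chg, ts)         # step 2
        except PolicyError as err:
            self._record(dict(base, outcome="deny", reason=str(err)))
            raise
        granted = [n for n in names if n in pol["objects"]]
        denied = [n for n in names if n not in pol["objects"]]
        secrets = {n: UPSTREAM[registry][n] for n in granted}       # step 3: fetch only what policy allows
        self._record(dict(base, outcome="allow", objects=granted, denied=denied))  # values are never logged
        return secrets


if __name__ == "__main__":
    broker = Broker(now=lambda: FIXED_NOW)
    print(broker.get_secrets("sk_teamB_example", "192.168.1.9", "CHG123", ["db/password", "api/token"]))
    print(broker.audit[-1]["denied"], broker.verify_chain())
```

Two points worth noting when comparing this with the diagram: a request for objects outside the team's policy is not rejected outright but trimmed, and the names that were refused are recorded alongside the names served so the audit trail shows what was asked for, not just what was returned; and the log entries carry object names, never values, so shipping them to a SIEM does not turn the SIEM into a second secrets store.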

Configuration and Deployment

To get started with Aegis, the following prerequisites must be met:

  1. Docker and Docker Compose: Docker 24 or later and Docker Compose v2 or later must be installed.
  2. Upstream Vaults: One or more supported upstream vaults must be reachable and ready to be configured.
  3. Credentials Configuration: Populate the auth.json file with credentials for each upstream vault in use.

Once these are in place, start the Aegis service and configure your secrets and registries through the admin panel.

Development Status

Aegis is under active development: it is stable for local testing, and production hardening is still in progress. Exercise caution before deploying it on public-facing nodes.

Conclusion

Aegis effectively addresses the problem of secrets sprawl in organizations, providing a single endpoint for secret management while enhancing security and operational efficiency. By centralizing and streamlining access control, Aegis empowers teams to manage their secrets without compromising security or requiring extensive operational oversight.
