IA-05 1126 Sensitive Data in Installer
Introduction
This document describes how Private Mendix Platform fulfills the IA-05 1126 control.
| Control ID | IA-05 1126 |
|---|---|
| Control category | IA - Identification and Authentication |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Mendix - Private Mendix Platform, Customer - Org |
Control
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Supplemental Guidance
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is independent of whether that representation is perhaps an encrypted version of something else (for example, a password).
Responsibility
Mendix Responsibility
The Private Mendix Platform Installer supports retrieving environment-specific sensitive data (for example, database credentials) from an external secret store such as AWS Secrets Manager or Azure Key Vault, so that these authenticators do not need to be embedded in the installation input.
Customer Responsibility
The customer must set up the external secret manager and properly configure the corresponding secrets.
Guidance
Customer Responsibility
The customer must implement an external secret store to manage sensitive data, rather than supplying authenticators directly in the installation input.
- Set up and configure the secret storage provider, for example, HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
- Install and configure the Kubernetes Secrets Store CSI driver together with the provider for the chosen secret store, for example, the AWS Secrets Manager provider for the Secrets Store CSI driver. The driver is installed once and serves the entire cluster.
- Create the required secrets in the external secret manager.
- When installing Private Mendix Platform with the Installer, select Use Secret Provider for the storage plan and database plan.
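As an added illustration of the Secrets Store CSI driver step (not taken from the Mendix documentation), the following manifests define a SecretProviderClass for the AWS Secrets Manager provider and a pod that mounts the resulting secret at runtime. The secret ARN, namespace, service account, image, and mount path are constructed placeholders; the exact secret layout the Installer's Use Secret Provider option expects is not described on this page.

```yaml
# Added example, not part of the Private Mendix Platform documentation.
# Secrets Store CSI driver + AWS Secrets Manager provider: the database
# password is fetched from AWS at pod start and is never written into the
# installer input, a plain Kubernetes Secret, or a container image.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: pmp-database-secrets           # placeholder name
  namespace: private-mendix-platform   # placeholder namespace
spec:
  provider: aws
  parameters:
    # The objects field is a YAML string listing the secrets to fetch.
    objects: |
      - objectName: "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:pmp/db-password-PLACEHOLDER"
        objectType: "secretsmanager"
        objectAlias: "db-password"     # file name under the mount path
---
apiVersion: v1
kind: Pod
metadata:
  name: pmp-example-pod                # placeholder workload
  namespace: private-mendix-platform
spec:
  # Placeholder service account; it must be granted IAM permission to read
  # the secret above (the CSI provider fetches it on the pod's behalf).
  serviceAccountName: pmp-secrets-sa
  containers:
    - name: app
      image: example.invalid/pmp-app:placeholder
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets      # app reads /mnt/secrets/db-password
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: pmp-database-secrets
```

The application reads the credential from the mounted file at start-up, so the only static value in the manifests is the reference to the secret, not the secret itself.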
Proof and Remarks
The Installer screenshots show the secret provider selection for AWS, Azure Key Vault, and HashiCorp Vault.