Sentinel and control groups now available in HCP Vault

HCP Vault Plus clusters add support for Sentinel policies and control groups.

We are pleased to announce that HCP Vault Plus now offers the ability to create Sentinel policies and control groups. Customers can now take advantage of these finer-grained governance and compliance controls within their fully managed clusters. These capabilities join the features already available in HCP Vault Plus (multi-region performance replication and path filters).

Starting with general availability of HCP Vault on Microsoft Azure in February 2023, we have been working to enhance multi-cloud support across all of our cluster types. We continue to work toward bringing more Vault Enterprise Plus capabilities into parity with HCP Vault. Now, HCP Vault Plus, available in both Amazon Web Services (AWS) and Azure, adds support for role governing policies (RGPs), endpoint governing policies (EGPs), and control group authorization.

Sentinel policies

Previously, HCP Vault clusters supported only access control list (ACL) policies, which are exclusively path-based. While ACL policies offer traditional access control enforcement, HCP Vault users could not extend complex policy requirements back to specific tokens, identities, or endpoints. Because HCP Vault is a managed service for Vault Enterprise, we want to enable the same fine-grained controls that self-managed Vault Enterprise users can take advantage of.

With the addition of Sentinel support on HCP Vault, customers can now create both:

  • RGPs: tied to particular tokens, identity entities, or identity groups
  • EGPs: tied to specific paths

New and existing HCP Vault Plus clusters now enable enterprises to enforce more flexible and conditional policy logic alongside traditional ACL policies, have multiple enforcement levels for their policies, and embed policies within the data path to actively reject violating behavior instead of just passively detecting it.

For more information about Sentinel and how to get started with it on Vault, see our Sentinel Policies tutorial.

Control groups

Historically, HCP Vault's policy authorization workflow enforced which paths and operations Vault users or clients could access. With control groups support, additional authorization factors can be required before certain requests in Vault can be made. With control groups, applications can require dual or human authorization for accessing secrets. Control groups are often used to ensure certain governance and compliance standards are met, and can be embedded into both ACL and Sentinel policies.

All HCP Vault Plus clusters can create and enforce control groups via the UI, CLI, API, and Vault Terraform provider. More information on how to get started using control groups can be found in the Vault Enterprise documentation or in this Vault control groups tutorial.

Next steps

To get started with Sentinel and control groups on HCP Vault, we recommend creating a HashiCorp Cloud Platform account and trying HCP Vault for yourself. All newly created accounts receive $50 in HCP credits, which can be used for the Plus tier in either AWS or Azure. For more information please visit the HCP product page or sign up through the HCP portal.
