Ensure that you are always following the recommended security practices for both SaltStack Config and Salt, which powers SaltStack Config.

Salt security

Consult these guides to ensure your environment is following best practices when implementing Salt in your infrastructure:

Automatic logout if inactive

You can set automatic logout as low as 1 minute, and up to 60 minutes. This is set to 30 minutes by default. For more on modifying this and other preferences, see The SaltStack Config user interface.

Permissions

Make sure to limit access to the following tasks. For more on defining permissions, see Roles and permissions.

Job create and edit

Limit user access to creating and editing jobs. These privileges enable a user to run any command in the system. Together with target create and edit permission, they enable a user to run any command on any minion.

Target create and edit

Limit user access to creating and editing targets. These privileges, along with Job create and edit permission, enable a user to run available jobs on any minion in the system.

Role create and edit

Limit user access to creating and editing roles. These privileges enable a user to assign themselves any privilege in the system.

Encrypted credentials

API (RaaS) Access Credentials

Connect Salt masters to the API (RaaS) through public key authentication (default), rather than through username authentication.

Database credentials

Store database credentials for both PostgreSQL and Redis in an encrypted file, rather than in plain text.

For more on credential storage, see Securing credentials in your configuration.