Genesis typically drives BOSH and platform deployments, so hardening must cover operator workstation trust, the secret store, and the release pipeline that is permitted to change environments.
- Restrict who can run production Genesis commands.
- Use hardened admin workstations with full disk encryption.
- Store credentials in dedicated secret backends, not local files.
¶ Secrets and Vault Integration
- Keep deployment secrets in Vault or equivalent.
- Enforce short-lived tokens and periodic rotation.
- Audit secret reads/writes by operator identity.
¶ Environment Separation and Change Control
- Keep dev/stage/prod deployment manifests and credentials separated.
- Enforce branch protections and required reviews for prod changes.
- Use signed release artifacts where possible.
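The two checklist points above about Vault (auditing secret reads and writes by operator identity, and keeping environments separated) can be reviewed from the Vault audit log. The following is an added example, not code from Genesis or from this page; it assumes the file audit device's one-JSON-object-per-line format with the `auth`, `request` and `type` fields shown in the constructed sample, that deployment secrets live under `secret/data/<env>/...` with `<env>` one of dev, stage or prod, and a naming convention (an assumption) that a policy called `genesis-<env>` is what grants access to that environment.

```python
"""Review Vault audit-log entries for deployment-secret access.

Assumptions (not taken from the Genesis project): the file audit device writes
one JSON object per line with the "auth", "request" and "type" fields used
below; deployment secrets live under secret/data/<env>/... (KV v2) or
secret/<env>/... (KV v1); and a policy named genesis-<env> grants <env> access.
"""
import json
from collections import defaultdict

MAX_TOKEN_TTL_SECONDS = 4 * 3600      # local policy choice: flag tokens living longer than 4h
WRITE_OPS = {"create", "update", "delete", "patch"}
ENVIRONMENTS = ("dev", "stage", "prod")

# Constructed sample audit lines (hashed token fields omitted for brevity).
SAMPLE_AUDIT_LOG = """
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"oidc-alice","entity_id":"e-alice","policies":["genesis-prod"],"token_ttl":1800},"request":{"operation":"read","path":"secret/data/prod/bosh/admin","remote_address":"10.0.1.5"}}
{"time":"2024-05-01T10:00:05Z","type":"request","auth":{"display_name":"oidc-alice","entity_id":"e-alice","policies":["genesis-prod"],"token_ttl":1800},"request":{"operation":"update","path":"secret/data/prod/bosh/admin","remote_address":"10.0.1.5"}}
{"time":"2024-05-01T10:02:00Z","type":"request","auth":{"display_name":"ci-stage-runner","entity_id":"e-ci-stage","policies":["genesis-stage"],"token_ttl":0},"request":{"operation":"read","path":"secret/data/prod/bosh/admin","remote_address":"10.0.9.9"}}
{"time":"2024-05-01T10:03:00Z","type":"request","auth":{"display_name":"oidc-bob","entity_id":"e-bob","policies":["genesis-dev"],"token_ttl":2592000},"request":{"operation":"read","path":"secret/data/dev/bosh/admin","remote_address":"10.0.2.7"}}
{"time":"2024-05-01T10:03:01Z","type":"response","auth":{"display_name":"oidc-bob","entity_id":"e-bob","policies":["genesis-dev"],"token_ttl":2592000},"request":{"operation":"read","path":"secret/data/dev/bosh/admin","remote_address":"10.0.2.7"}}
"""


def parse_audit_log(text: str) -> list:
    """Return only the request-side entries; response entries repeat the same request."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") == "request":
            entries.append(entry)
    return entries


def environment_of(path: str):
    """Map secret/data/<env>/... or secret/<env>/... to <env>, else None."""
    parts = path.split("/")
    if len(parts) >= 2 and parts[0] == "secret":
        if parts[1] in ("data", "metadata") and len(parts) > 2:
            candidate = parts[2]
        else:
            candidate = parts[1]
        if candidate in ENVIRONMENTS:
            return candidate
    return None


def allowed_environments(policies) -> set:
    """Assumed convention: policy genesis-<env> grants access to <env>."""
    return {p[len("genesis-"):] for p in policies if p.startswith("genesis-")}


def access_by_identity(entries) -> dict:
    """Count reads and writes per operator identity (Vault display_name)."""
    summary = defaultdict(lambda: {"reads": 0, "writes": 0})
    for entry in entries:
        who = entry["auth"]["display_name"]
        op = entry["request"]["operation"]
        summary[who]["writes" if op in WRITE_OPS else "reads"] += 1
    return dict(summary)


def find_findings(entries) -> list:
    """Flag long-lived or non-expiring tokens and cross-environment secret access."""
    findings = []
    for entry in entries:
        auth, req = entry["auth"], entry["request"]
        who, path = auth["display_name"], req["path"]
        ttl = auth.get("token_ttl", 0)
        # token_ttl of 0 means the token never expires; both cases violate "short-lived".
        if ttl == 0 or ttl > MAX_TOKEN_TTL_SECONDS:
            findings.append(("long_lived_token", who, path))
        env = environment_of(path)
        if env is not None and env not in allowed_environments(auth.get("policies", [])):
            findings.append(("cross_environment", who, path))
    return findings


if __name__ == "__main__":
    requests = parse_audit_log(SAMPLE_AUDIT_LOG)
    for who, counts in sorted(access_by_identity(requests).items()):
        print(f"{who:18} reads={counts['reads']} writes={counts['writes']}")
    for kind, who, path in find_findings(requests):
        print(f"FINDING {kind}: {who} -> {path}")
```

Run against a real audit file by replacing `SAMPLE_AUDIT_LOG` with the file's contents; the identity key used here is `display_name`, so pair it with `entity_id` if operators can hold several tokens with the same display name.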
¶ Pipeline and Access Controls
- Use RBAC for pipeline runners and service accounts.
- Prevent direct mutation outside approved CI/CD workflows.
- Require MFA for privileged console access.
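To make the RBAC and "no mutation outside CI/CD" points concrete, the following added example (not code from Genesis or this page) models Vault-style path policies for pipeline runners and human operators and answers the review question "which identities can write production secrets?". The policy names, identity names and secret paths are constructed; the matcher supports Vault's trailing `*` glob and single-segment `+` wildcard but uses a simplified evaluation (union of all matching rules, explicit deny wins) rather than Vault's most-specific-path rule.

```python
"""Least-privilege policy review for pipeline runners and operators.

Constructed example: policy names, identities and paths are assumptions, and
the evaluation is a simplification of Vault's (all matching rules are merged,
an explicit deny always wins) meant for reviewing intent, not for enforcement.
"""

# Capability each request operation needs (KV v2 style paths).
OPERATION_CAPABILITY = {
    "read": "read",
    "create": "create",
    "update": "update",
    "delete": "delete",
    "list": "list",
}

# Assumed policies: only the production CI runner may write production secrets;
# humans get read-only access across environments; stage CI stays in stage.
POLICIES = {
    "genesis-ci-prod": [
        ("secret/data/prod/*", {"create", "update", "read"}),
        ("secret/metadata/prod/*", {"list"}),
        ("secret/data/prod/director-root/*", {"deny"}),   # even the runner may not touch these
    ],
    "genesis-ci-stage": [
        ("secret/data/stage/*", {"create", "update", "read"}),
        ("secret/metadata/stage/*", {"list"}),
    ],
    "genesis-operator-readonly": [
        ("secret/data/+/*", {"read"}),
        ("secret/metadata/+/*", {"list"}),
    ],
}

# Assumed identities and the policies attached to their tokens.
IDENTITIES = {
    "ci-prod": ["genesis-ci-prod"],
    "ci-stage": ["genesis-ci-stage"],
    "alice-laptop": ["genesis-operator-readonly"],
}


def path_matches(pattern: str, path: str) -> bool:
    """Match a policy path: '+' is one segment, a trailing '*' matches any suffix."""
    pat = pattern.split("/")
    got = path.split("/")
    for i, seg in enumerate(pat):
        if seg.endswith("*"):
            return "/".join(got[i:]).startswith(seg[:-1])
        if i >= len(got):
            return False
        if seg != "+" and seg != got[i]:
            return False
    return len(got) == len(pat)


def is_allowed(policy_names, operation: str, path: str) -> bool:
    """Merge capabilities of every matching rule; any 'deny' blocks the request."""
    caps = set()
    for name in policy_names:
        for pattern, rule_caps in POLICIES.get(name, []):
            if path_matches(pattern, path):
                caps.update(rule_caps)
    if "deny" in caps:
        return False
    return OPERATION_CAPABILITY.get(operation) in caps


def write_capable_identities(path: str) -> list:
    """Identities able to mutate a path: the review list for production secrets."""
    return sorted(
        name for name, policies in IDENTITIES.items()
        if is_allowed(policies, "update", path)
    )


if __name__ == "__main__":
    prod_secret = "secret/data/prod/bosh/admin"
    print("can write", prod_secret, "->", write_capable_identities(prod_secret))
    for ident, policies in IDENTITIES.items():
        for op in ("read", "update"):
            print(f"{ident:13} {op:6} {prod_secret}: {is_allowed(policies, op, prod_secret)}")
```

The useful output for a review is the list returned by `write_capable_identities`: if anything other than the approved production runner appears in it, direct mutation outside the pipeline is possible and the policies need tightening.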
¶ Observability and Recovery
- Log all deploy and teardown actions.
- Keep rollback procedures documented and tested.
- Validate backup/restore for stateful platform components.