Securely using Synthetic test scripts

When you adopt Synthetic monitoring, it is essential to consider the potential security risks and take the appropriate steps to protect your systems and prevent unauthorized access. Consider the following guidelines to optimize the secure usage of scripted Synthetic tests.

  • Ensure proper user permissions: Use Role Based Access Control to make sure that the users with write access on Synthetic test definitions have only the necessary access. See Managing access with user permissions.
  • Restrict the usage of Synthetic credentials: When you create the credentials that you will provide to Instana to run your Synthetic tests, make sure that the credentials are used only to run the Synthetic test. See Creating dedicated credentials for Synthetic test scripts.

Managing access with user permissions

Before you grant permissions to create, update, or delete Synthetic tests, you must evaluate how granting these permissions might impact your operations.

Deciding which permissions to grant on Synthetic tests.

Selectively grant access to users for the various capabilities of Synthetic monitoring, see Setting permissions for Synthetic monitoring. The permissions to access the various capabilities on the Instana UI and API are disabled by default for most users. Keep security considerations in mind when deciding which permissions to grant to each group before you add users to groups.

  • Configuration of Synthetic tests: The users in this group, with this permission and the Owner role, can create, modify, and delete Synthetic tests.

    • In Instana 269 and later, only the users who are authenticated with two-factor authentication or by using an Identity Provider (IdP) can perform write operations for Synthetic tests. This authentication provides an extra layer of security to make sure that only the verified users can create or modify tests that can run through Synthetic PoPs.
  • Configuration of Synthetic credentials: The users with this permission can create and delete the credentials that are used when running Synthetic tests.

  • Access to use Synthetic credentials: The users with this permission can run Synthetic tests that require user credentials to run Synthetic test script.

  • View Synthetic test results: The users with this permission can view the details of the Synthetic tests that were run, including any logs or screenshots that were taken while running the Synthetic tests.

Why you must selectively grant permissions to Synthetic monitoring?

By using Synthetic monitoring, access to various capabilities from both the Instana UI and API is limited to the set of users with that access.

By using the permissions, you control the access of each user and ensure separate access scopes.

Creating dedicated credentials for Synthetic test scripts

Before you create a credential or provide that credential in your Synthetic test running on Instana, you must evaluate the scope of access.

Defining the scope of access for a Synthetic credential:

In your credentials manager or by using your credentials process, create a dedicated credential with only limited access and scope to run the Synthetic test. Use the relevant operating system, application, or credential manager capabilities to create the credential and limit its scope. The Synthetic PoP requires that each Synthetic test script that requires credentials to run provides the credentials to Instana. You manage the scope and permission of the credential when you create it. Instana is only a user of the credential. When you create credentials, ensure that it is used for accessing only those application or website actions that are required for the Synthetic PoP to run the Synthetic test.

  • Access to only those application or website actions that are required for the Synthetic PoP to run the Synthetic test.

Why must you define the scope of access for a Synthetic credential?

Expected use of the Synthetic test scripts includes script statements that can be run by any Instana user with the appropriate permission. Creating a dedicated credential with limited access for these script statements prevents the statements that are invoked from Instana from accessing unauthorized content.