Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
- Target user
- Platform and service-mesh engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform security engineer hardening a HashiCorp Consul cluster so control-plane and gossip traffic is encrypted and every token follows least privilege.
I will provide:
- The server and client agent config (`acl`, `encrypt`, `tls`, `ports`, `retry_join`) and the Consul version
- The current ACL posture (default policy, whether ACLs are enabled, bootstrap/management token usage) and how service and agent tokens are issued
- The services registered, whether Connect/service mesh is in use, and which agents/services must keep working.
Do the following:
1. **Assess encryption** — confirm gossip encryption (`encrypt`) is enabled with a strong key, and that RPC/HTTP traffic uses TLS with `verify_incoming`/`verify_outgoing`/`verify_server_hostname` set appropriately; flag any plaintext gossip or RPC.
2. **Review the ACL system** — verify ACLs are enabled with `default_policy = "deny"`, that the bootstrap/management token is not used by agents or apps, and that `enable_token_persistence` and token TTLs are sane.
3. **Tighten tokens to least privilege** — for each agent and service, scope policies to the exact `node`, `service`, `key` (KV), and `session` rules needed; flag global-management or broad `service_prefix "" { policy = "write" }` grants.
4. **Harden the API and UI exposure** — confirm the HTTP API/UI is not exposed unauthenticated on a public interface, and that the DNS interface does not leak service data beyond intent.
5. **Check mesh identity** — if Connect is enabled, review intentions (default deny), CA configuration, and that service-to-service auth is enforced rather than allow-all.
6. **Verify** — provide the CLI/API commands to read the ACL default policy, list tokens/policies, and test a scoped token against an allowed and a denied operation.
Output as: a findings table (issue, risk, fix), a corrected agent config block (encrypt/TLS/ACL), and a per-service policy definition scoped to real usage. Defensive hardening review only — no exploitation tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Kafka mTLS & ACL Authorization Hardening Review Prompt
Review an Apache Kafka cluster for missing encryption-in-transit, weak client authentication, and over-broad ACLs, and produce a least-privilege listener, mTLS, and topic authorization configuration.
-
Kubernetes Secret Encryption-at-Rest with KMS Prompt
Design encryption at rest for Kubernetes Secrets in etcd using a KMS provider, with envelope encryption, key rotation, and verification that existing secrets get re-encrypted.
-
Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.