Secrets are the subset of configuration data that is considered sensitive and therefore requires special handling. They are typically credentials such as passwords, tokens, and keys used to authenticate access to accounts, systems, and other sensitive digital assets.
Secrets are stored in your organization's dedicated Vault, which is created when you first set up your CloudTruth organization. The Vault is managed as a service by CloudTruth, and only you have access to the contents of your isolated Vault.
All configuration data is encrypted at rest: configuration data is protected while stored within CloudTruth, and it is stored separately from the keys used to encrypt it.
Configuration data is also encrypted in transit: all data moving into and out of CloudTruth via the API and CLI is encrypted before it is sent, authenticated at the endpoints, and decrypted only after it is received.
In addition to encryption, CloudTruth applies the principle of least privilege: users are granted the minimum level of access required to perform a specific task. When integrating with external configuration sources such as AWS S3 or SSM Parameter Store, CloudTruth likewise requests only the minimum level of access the integration needs.
In addition to the standard mechanisms that protect all configuration data, CloudTruth provides a way to limit the exposure of especially sensitive data.
When a parameter is created, it can optionally be marked as 'secret'.
Values of parameters created with the 'secret' option are not displayed by default in the parameter list or on the details page; they are shown only when explicitly requested.
This prevents sensitive values from being displayed unnecessarily during routine configuration tasks. Note that this is a display default rather than an access control: a user who can read the parameter can still choose to reveal the value, so the 'secret' flag complements, rather than replaces, limiting who has access to the parameter in the first place.
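The masking behaviour described above, modelled as an added Python example. This is not CloudTruth's own code; the Parameter class, the MASK constant, the render_list, render_details and to_dotenv helpers, and the sample names and values are all constructed here for illustration. It shows the rule the page describes: a value flagged as secret is masked in the list and details views unless the caller explicitly opts in, and the same rule is applied to an export path so that a routine export pasted into a ticket or log does not carry live credentials. The mask is a fixed string so that masked output does not reveal the length of the underlying value.

```python
from __future__ import annotations

from dataclasses import dataclass

# Fixed-width mask: the same string for every secret, so masked output
# does not leak the length of the underlying value.
MASK = "*****"


@dataclass(frozen=True)
class Parameter:
    """A configuration parameter; 'secret' marks its value as sensitive."""

    name: str
    value: str
    secret: bool = False


def display_value(param: Parameter, show_secrets: bool = False) -> str:
    """Value to show: masked for secrets unless the caller explicitly opts in."""
    if param.secret and not show_secrets:
        return MASK
    return param.value


def render_list(params: list[Parameter], show_secrets: bool = False) -> list[tuple[str, str]]:
    """Rows for a parameter listing; secret values are masked by default."""
    return [(p.name, display_value(p, show_secrets)) for p in params]


def render_details(param: Parameter, show_secrets: bool = False) -> dict:
    """Details view for a single parameter, applying the same masking rule."""
    return {
        "name": param.name,
        "secret": param.secret,
        "value": display_value(param, show_secrets),
    }


def to_dotenv(params: list[Parameter], show_secrets: bool = False) -> str:
    """Export as .env lines. Masking applies on this path too, so a routine
    export does not carry live credentials unless secrets were requested."""
    return "\n".join(f"{name}={value}" for name, value in render_list(params, show_secrets))


# Constructed sample project (hypothetical names and values, for illustration only).
SAMPLE = [
    Parameter("DATABASE_HOST", "db.internal.example"),
    Parameter("DATABASE_PASSWORD", "correct-horse-battery-staple", secret=True),
    Parameter("API_TOKEN", "tok_0123456789abcdef", secret=True),
]

if __name__ == "__main__":
    # Default listing: non-secret values shown, secrets masked.
    for name, value in render_list(SAMPLE):
        print(f"{name:<20} {value}")
    print("--- with secrets revealed (explicit opt-in) ---")
    for name, value in render_list(SAMPLE, show_secrets=True):
        print(f"{name:<20} {value}")
```

Any real implementation should route every output path (list, details, exports, templates, logs) through the same masking function; the common failure is a second code path, often an export or a debug log, that prints the raw value because it was never wired through the check.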