Secrets are a subset of configuration data which are considered sensitive, and thus require special handling. Secrets are typically credentials such as passwords, tokens, and keys used to authenticate access to accounts, systems, and other sensitive digital assets.
In general, secrets are treated as standard configuration data within CloudTruth, for which there is a number of mechanisms used to restrict access
All configuration data is encrypted at rest. This means that configuration data is protected while stored within CloudTruth, separated from the keys used to encrypt the data.
Configuration data is also encrypted in transit. This means that all data moving in and out of CloudTruth via the API and CLI is encrypted before being sent, authenticated at endpoints, and decrypted after being received.
In addition to using encryption mechanisms for protecting data, CloudTruth employs the principle of least privilege. This means that users are granted the minimum level of access required to perform a specific task. When integrating with external configuration sources, such as AWS S3 or SSM Parameter store, the minimum level of access is requested. **
In addition to the standard mechanisms used to protect all configuration data, CloudTruth provides the ability to restrict access to especially sensitive data.
When parameters are created, they can optionally be marked as 'secret'.
Values for Parameters created with the 'secret' option will not be displayed by default in the parameter list or details page.
Using this option prevents the unnecessary display of sensitive data when performing routine configuration tasks.
Organizations using CloudTruth are encouraged to establish standard operating procedures for managing and updating and configuration data. A well established process should include the criteria required to implement changes, as well as the roles of individuals required to make and approve changes, In some cases, updating an individual parameter may require other configuration setting to change. These procedures provide another layer of protection, especially when dealing with secrets.
In addition to the mechanisms currently available for protecting sensitive configuration data within CloudTruth is a set of capabilities for enhanced secrets management. These capabilities are planned for future handling of secrets, in compliance with industry standards, such as SOC 2.
Option 1 - Customer Keys (Generic)
The use of customer keys allow admins to specify and manage keys for encrypting configuration data for their organization. Encryption of configuration data with customer keys adds a layer of separation which prevents anyone from within the CloudTruth organization from accessing unencrypted customer data. Customer keys are entirely managed by customers of CloudTruth, and thus not visible or part of the CloudTruth configuration service.
Option 2 - Key Management Systems (KMS)
Another option for the use of customer keys includes the use of external key management systems, such as AWS KWS. External key management systems act as a courier for secrets, and provide built in services, such as automatic key generation and rotation. As with generic customer keys, individuals from within the CloudTruth organization will not have access to unencrypted customer data.
Option 3 - Dedicated Secrets Management (HashiCorp Vault)
Certain organizations may require a dedicated secrets management tool, such as HashiCorp vault for storing their sensitive configuration data. In this instance, CloudTruth may provide an option to leverage a hosted instance, embedded within the CloudTruth service and available to store secrets in a seamless and secure manner.