Secrets Management

Working with secret configuration data within CloudTruth.

What are Secrets? 🔒

Secrets are the subset of configuration data that is considered sensitive and therefore requires special handling. Secrets are typically credentials such as passwords, tokens, and keys used to authenticate access to accounts, systems, and other sensitive digital assets.

How does CloudTruth manage secrets?

Secrets are stored in your organization's dedicated Vault, which is created when you first set up your CloudTruth organization. Vault is managed as a service by CloudTruth, and only your organization has access to the contents of its isolated Vault.

Data encrypted at Rest

All configuration data is encrypted at rest. This means that configuration data is protected while stored within CloudTruth, and the keys used to encrypt it are kept separately from the encrypted data.

Data encrypted in Transit

Configuration data is also encrypted in transit. This means that all data moving in and out of CloudTruth via the API and CLI is encrypted before it is sent, authenticated at the endpoints, and decrypted only after it is received.

Principle of least privilege

In addition to using encryption to protect data, CloudTruth applies the principle of least privilege: users are granted the minimum level of access required to perform a specific task. When integrating with external configuration sources, such as AWS S3 or SSM Parameter Store, CloudTruth requests only the minimum level of access needed for that integration.

Restricted access for sensitive data

In addition to the standard mechanisms used to protect all configuration data, CloudTruth provides the ability to restrict access to especially sensitive data.

When parameters are created, they can optionally be marked as 'secret'.

Values of parameters created with the 'secret' option are not displayed by default in the parameter list or on the details page.

Using this option prevents sensitive values from being displayed unnecessarily while you perform routine configuration tasks.
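The following is an added illustration of the behaviour described above, written for this page rather than taken from CloudTruth's own code or API: a small in-memory parameter store in which any parameter flagged 'secret' is masked in the list and details views unless the caller explicitly asks to reveal it. It goes slightly beyond the text by also keeping secret values out of repr() output and offering a redact() helper that scrubs known secret values from free text such as log lines. The parameter names and values are constructed sample data, and the rule that a secret parameter cannot be silently demoted to plain on update is a design choice of this example, not a documented CloudTruth behaviour.

```python
"""Stand-in model of 'secret'-flagged configuration parameters.

A value marked secret is masked in every listing and detail view unless
the caller explicitly opts in to reveal it. This is an added illustration
for this page, not the CloudTruth API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MASK = "*****"


@dataclass
class Parameter:
    name: str
    value: str = field(repr=False)  # keep the raw value out of repr()/debug output
    secret: bool = False

    def display_value(self, reveal: bool = False) -> str:
        """Return the masked placeholder for secrets unless the caller opted in."""
        return MASK if self.secret and not reveal else self.value


class ParameterStore:
    def __init__(self) -> None:
        self._params: dict[str, Parameter] = {}

    def set(self, name: str, value: str, secret: bool = False) -> None:
        # Design choice in this example: once a parameter has been marked
        # secret, an update without the flag cannot silently demote it.
        existing = self._params.get(name)
        if existing is not None and existing.secret:
            secret = True
        self._params[name] = Parameter(name, value, secret)

    def list(self, reveal: bool = False) -> list[tuple[str, str]]:
        """Parameter list view: secret values are masked by default."""
        ordered = sorted(self._params.values(), key=lambda p: p.name)
        return [(p.name, p.display_value(reveal)) for p in ordered]

    def describe(self, name: str, reveal: bool = False) -> dict:
        """Details view for a single parameter, masked by default."""
        p = self._params[name]
        return {"name": p.name, "secret": p.secret, "value": p.display_value(reveal)}

    def runtime_env(self) -> dict[str, str]:
        """Real values for injection into a process environment at deploy
        time; this is the one path that intentionally exposes secrets."""
        return {p.name: p.value for p in self._params.values()}

    def redact(self, text: str) -> str:
        """Scrub any known secret value that appears in free text (e.g. a log line)."""
        for p in self._params.values():
            if p.secret and p.value:
                text = text.replace(p.value, MASK)
        return text

    def __repr__(self) -> str:
        # Debug representations only ever show the masked listing.
        return f"ParameterStore({self.list()!r})"


def demo() -> list[tuple[str, str]]:
    """Constructed sample data showing the default (masked) list view."""
    store = ParameterStore()
    store.set("DB_HOST", "db.internal.example")       # constructed, not secret
    store.set("DB_PASSWORD", "hunter2", secret=True)  # constructed, secret
    return store.list()


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}={value}")
```

Note that masking is a display control: runtime_env() still returns the real values, because the application that consumes the configuration needs them. The point of the 'secret' flag is that the default views, and anything derived from them such as debug output, never show the value unless someone asks for it.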