Pulumi Security
Pulumi Security Overview
Pulumi provides multiple security mechanisms including encrypted configuration, policy as code, secrets management, and integration with cloud-native security tools. The Pulumi Cloud platform handles state encryption and access control.
Configuration Encryption
Pulumi automatically encrypts configuration values that are set with pulumi config set --secret. Stack references can securely pass outputs between stacks without exposing values.
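The following is an added example, not code from the original page or from Pulumi: a check that reads a stack settings file and lists configuration keys with sensitive-looking names that were stored without --secret. It assumes the Pulumi.<stack>.yaml layout in which encrypted values sit under a nested secure: key; the sample file, the name pattern and the function name are constructed for illustration.

```python
import re

# Constructed sample of a Pulumi.<stack>.yaml file (not from the original page).
# Assumption: a value set with `pulumi config set --secret` is stored as a nested
# `secure:` ciphertext, while a value set without the flag is stored as plaintext.
SAMPLE_STACK_YAML = """\
encryptionsalt: v1:CONSTRUCTED-SALT
config:
  aws:region: us-east-1
  app:dbPassword:
    secure: v1:CONSTRUCTED-CIPHERTEXT
  app:apiToken: tok_constructed_plaintext
  app:signingKey: "constructed-plaintext-key"
  app:replicas: "3"
"""

# Assumption: key names containing these words ought to be secrets.
SENSITIVE = re.compile(r"password|passwd|secret|token|key|credential", re.I)
# A config entry sits at exactly two spaces of indent: `  ns:name: value`.
KEY_LINE = re.compile(r"^  (\S+):(?:\s+(.*))?$")


def find_plaintext_secrets(stack_yaml):
    """Return sensitive-looking config keys that are not stored under `secure:`."""
    findings, in_config = [], False
    lines = stack_yaml.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            in_config = line.rstrip() == "config:"  # track the top-level section
            continue
        match = KEY_LINE.match(line) if in_config else None
        if not match:
            continue  # deeper-indented lines are read from their parent key
        key, value = match.group(1), (match.group(2) or "").strip()
        children = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith("   "):
                break  # next sibling or top-level key ends this entry
            children.append(nxt.strip())
        encrypted = not value and any(c.startswith("secure:") for c in children)
        if SENSITIVE.search(key) and not encrypted:
            findings.append(key)
    return findings


if __name__ == "__main__":
    for name in find_plaintext_secrets(SAMPLE_STACK_YAML):
        print(f"plaintext config value with sensitive name: {name}")
```

The parser handles only the simple two-level layout shown in the sample; a stack file with quoted keys or deeply structured values needs a full YAML parser.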
Pulumi ESC
Pulumi ESC provides centralized secrets management with support for dynamic secret providers like AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault. It enables fine-grained access control and secret rotation without application changes.
Policy as Code (CrossGuard)
CrossGuard enforces security policies across all deployments. Teams can create policies that mandate encryption, restrict public exposure, enforce network segmentation, and validate compliance with organizational security standards.