Pulumi Security

Pulumi Security Overview

Pulumi provides multiple security mechanisms including encrypted configuration, policy as code, secrets management, and integration with cloud-native security tools. The Pulumi Cloud platform handles state encryption and access control.

Configuration Encryption

Pulumi automatically encrypts sensitive configuration values when using pulumi config set --secret. Stack references can securely pass outputs between stacks without exposing values.
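Values set with --secret are written to the stack settings file (Pulumi.<stack>.yaml) as ciphertext under a secure: key, while values set without the flag are stored as plaintext. The following check is an added example, not Pulumi's own code: it flags config keys whose names look sensitive but whose values are not stored under secure:. The key-name heuristic, the function name and the sample file are assumptions constructed for illustration, and the parser only handles the flat key/value shape shown.

```python
import re

# Heuristic: key-name fragments that suggest --secret should have been used
# (an assumption of this example, tune to your naming conventions).
SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key|private[_-]?key", re.I)

# Constructed sample of a Pulumi.<stack>.yaml file; salt and ciphertext are placeholders.
SAMPLE_STACK_CONFIG = """\
encryptionsalt: v1:EXAMPLE-SALT-PLACEHOLDER
config:
  aws:region: us-west-2
  app:dbPassword:
    secure: v1:EXAMPLE-CIPHERTEXT-PLACEHOLDER
  app:apiToken: "constructed-plaintext-value"
  app:instanceCount: "3"
"""

def find_plaintext_secrets(text):
    """Return sensitive-looking config keys not stored as `secure:` ciphertext."""
    findings, pending = [], None
    in_config, key_indent = False, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # top-level key such as `config:`
            in_config = stripped == "config:"
            continue
        if not in_config:
            continue
        key_indent = indent if key_indent is None else key_indent
        if indent > key_indent:              # child line of the previous key
            if stripped.startswith("secure:"):
                pending = None               # value is stored encrypted
            continue
        if pending:                          # previous key never got a secure: child
            findings.append(pending)
        pending = None
        key, _, value = stripped.partition(": ")
        key = key.rstrip(":")                # `app:dbPassword:` has no inline value
        if SENSITIVE.search(key):
            if value:
                findings.append(key)         # inline value means plaintext
            else:
                pending = key                # decide once the child line is seen
    if pending:
        findings.append(pending)
    return findings

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_STACK_CONFIG))
```

Run as a pre-commit or CI step over committed stack files, this catches a secret that was set without --secret before it reaches version control history.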

Pulumi ESC

Pulumi ESC provides centralized secrets management with support for dynamic secret providers like AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault. It enables fine-grained access control and secret rotation without application changes.

Policy as Code (CrossGuard)

CrossGuard enforces security policies across all deployments. Teams can create policies that mandate encryption, restrict public exposure, enforce network segmentation, and validate compliance with organizational security standards.
