Secrets Management

At Praetorian, we prioritize the security of your sensitive information.

Secrets are managed through AWS Systems Manager Parameter Store (for per-tenant integration credentials, per-user material, and encryption keys) and AWS Secrets Manager (for infrastructure secrets such as database proxy credentials). Below is an overview of how we apply robust security practices across both stores.

1. Secure Storage

  • Encryption at Rest: Secrets and secure parameters are encrypted with AWS Key Management Service (KMS) keys, including customer-managed keys (CMKs) where we apply CMK-based controls. This keeps sensitive material protected at rest, not only while it is in use.

  • Versioning: AWS Secrets Manager keeps version history for infrastructure secrets, so a secret can be rolled back to a previous version if necessary without bypassing security controls. Parameter Store likewise keeps a revision history for parameters, which we use for operational rollback where that capability is needed.

2. Access Control

  • Fine-Grained Permissions: We use AWS Identity and Access Management (IAM) policies to enforce strict access controls. Only authorized applications and users can access specific secrets and secure parameters.

  • Least Privilege Principle: Access to secrets is granted based on the principle of least privilege, minimizing the risk of unauthorized access.

3. Secure Retrieval

  • AWS SDK Integration: Applications securely retrieve secrets using the AWS SDKs, which leverage secure communication channels (TLS) to prevent interception during transit.

  • Audit Logging: Secrets Manager and Systems Manager API activity can be recorded in AWS CloudTrail. What appears in CloudTrail—including which API calls and regions are captured—depends on your AWS account’s CloudTrail trail configuration (for example, enabled trails, management versus data events, and multi-region settings). We do not ship a separate customer-facing CloudTrail configuration beyond this standard AWS integration; confirm that your organization’s account-level defaults and trail settings meet your audit and retention requirements.

4. Dynamic Secrets

  • Dynamic Secrets: For certain infrastructure use cases we employ dynamic or rotating secrets (for example via Secrets Manager) that are generated or rotated on demand, so credentials are short-lived and, where applicable, expire automatically after use.

5. Monitoring and Alerts

  • Activity Monitoring: When CloudTrail and monitoring are configured for your environment, activity related to Secrets Manager and Parameter Store can be used for detection and response, including integration with our monitoring systems where applicable.

  • Alerting: Alerts are configured to notify the security team of any suspicious activities related to secrets access or modifications.
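As an added illustration of the audit logging and alerting described in sections 3 and 5 (example code written for this page, not Praetorian's own tooling), the snippet below triages constructed CloudTrail records for Secrets Manager and Parameter Store: it flags modifications and plaintext reads by principals outside an assumed allow-list, plus denied calls. The account id, ARNs, secret and parameter names are placeholders, and the allow-list is an assumption.

```python
# Constructed sample CloudTrail records (placeholder account id, ARNs, names).
# CloudTrail records who called which API, never the secret value itself.
SM, SSM = "secretsmanager.amazonaws.com", "ssm.amazonaws.com"
ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/task"   # app task role
USER = "arn:aws:iam::111122223333:user/contractor"              # unexpected caller
SAMPLE_EVENTS = [
    {"eventSource": SM, "eventName": "GetSecretValue", "userIdentity": {"arn": ROLE},
     "requestParameters": {"secretId": "prod/db-proxy"}},
    {"eventSource": SSM, "eventName": "GetParameter", "userIdentity": {"arn": USER},
     "requestParameters": {"name": "/tenant/acme/token", "withDecryption": True}},
    {"eventSource": SSM, "eventName": "GetParameter", "userIdentity": {"arn": USER},
     "requestParameters": {"name": "/tenant/acme/region", "withDecryption": False}},
    {"eventSource": SM, "eventName": "DeleteSecret", "userIdentity": {"arn": USER},
     "requestParameters": {"secretId": "prod/db-proxy"}},
    {"eventSource": SM, "eventName": "GetSecretValue", "userIdentity": {"arn": USER},
     "requestParameters": {"secretId": "prod/db-proxy"}, "errorCode": "AccessDeniedException"},
]
# Assumption: only the application's task role should touch secrets in this account.
ALLOWED_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/app-role/",)
MODIFY = {"PutSecretValue", "UpdateSecret", "DeleteSecret", "RotateSecret",
          "PutParameter", "DeleteParameter", "DeleteParameters"}
READS = {"GetSecretValue", "GetParameter", "GetParameters", "GetParametersByPath"}

def is_plaintext_read(ev):
    # GetSecretValue always returns plaintext; Parameter Store only does so when WithDecryption was requested.
    if ev["eventName"] == "GetSecretValue":
        return True
    return ev["eventName"] in READS and bool((ev.get("requestParameters") or {}).get("withDecryption"))

def triage(events, allowed_prefixes):
    # Returns the secret/parameter activity worth an alert, in event order.
    findings = []
    for ev in events:
        if ev.get("eventSource") not in (SM, SSM):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        trusted = arn.startswith(allowed_prefixes)
        params = ev.get("requestParameters") or {}
        target = params.get("secretId") or params.get("name") or params.get("path", "?")
        if ev.get("errorCode", "").startswith("AccessDenied"):
            sev, why = "medium", "denied call against a secret (possible probing)"
        elif ev["eventName"] in MODIFY and not trusted:
            sev, why = "high", "modification by unexpected principal"
        elif is_plaintext_read(ev) and not trusted:
            sev, why = "medium", "plaintext read by unexpected principal"
        else:
            continue
        findings.append({"severity": sev, "event": ev["eventName"], "principal": arn,
                         "target": target, "reason": why})
    return findings
```

Reads of non-SecureString parameters and calls from the allow-listed role produce no finding, so the same pass can run over a full day's trail without drowning the real signal.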

6. Incident Response

  • Revocation of Secrets: In the event of a potential breach, compromised secrets can be revoked and replaced using the appropriate AWS APIs (Secrets Manager for infrastructure secrets, Parameter Store operations for parameters and secure strings, subject to your change-management processes).

  • Audit and Investigation: Available audit data (including CloudTrail, subject to your trail configuration) and version history support post-incident analysis to identify root causes and enhance future security measures.