Secrets

In order for some Connectors to operate, they require credentials to be stored within Wundaflow. For example, to use any of our Amazon Web Services Connectors, you will need to store AWS IAM credentials.

We take the security of 3rd party credentials very seriously.

All credentials are stored encrypted within a secrets vault (AWS Secrets Manager). The web UI/front-end possesses write access only, and Workers, conversely, have read access only. Our Worker instances are entirely decoupled from the front-end and API, have no public IP addresses assigned and have no direct internet access.

Best practice

We recommend that you adhere to the following best practices when sharing credentials with Wundaflow:

  1. Use the Principle of Least Privilege (PoLP). Always give the user the minimum permissions scope needed to perform the required actions. For example, in the case of the AWS Lambda connector, the IAM user should have execute permission only on the specific function you need to call, and only in the specific region where it runs.

  2. Periodically rotate credentials and check permissions. Do not 'set and forget'.

  3. Configure access logging and monitor for any unexpected activity. If discovered, immediately revoke the credentials.
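As an added illustration of point 1 (not part of the Wundaflow documentation or product), the following Python builds an IAM policy scoped to a single Lambda function in a single region, and includes a small check that flags wildcard actions or resources before the credentials are shared. The region, account ID and function name are placeholders.

```python
import json


def lambda_invoke_policy(region: str, account_id: str, function_name: str) -> dict:
    """Return an IAM policy granting invoke rights on exactly one Lambda function.

    The ARN is built from the region, account and function name, so the grant
    cannot drift to other functions or regions.
    """
    arn = f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeOneFunction",
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": arn,
            }
        ],
    }


def overbroad_grants(policy: dict) -> list:
    """Flag Allow statements whose Action or Resource contains a wildcard.

    Returns (Sid, field, value) tuples; an empty list means every Allow
    statement names concrete actions and resources.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            for value in values:
                if "*" in value:
                    findings.append((sid, field, value))
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own region, account and function.
    scoped = lambda_invoke_policy("eu-west-1", "123456789012", "wundaflow-report")
    print(json.dumps(scoped, indent=2))
    print("over-broad grants:", overbroad_grants(scoped))
```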
