Bring Your Own Keys With Pulumi ESC
Blog post from Pulumi
Pulumi has added support for Customer-Managed Keys (CMKs) to Pulumi ESC, letting organizations encrypt their secrets and state under keys they own rather than under keys Pulumi manages. That ownership is what compliance regimes such as HIPAA, GDPR, and FedRAMP look for: the customer controls the key lifecycle, revocation, audit trail, and rotation policy, while consumers of the secrets see no change in how they read them. Since the data keys that protect individual secrets are themselves wrapped by the CMK, disabling or deleting the CMK makes those data keys unreadable, so revocation is an actual kill switch rather than a cosmetic control.

The feature is enabled per Pulumi Cloud Organization; on enablement, all existing data keys are re-encrypted under the CMK. Setup consists of creating a KMS key in your own AWS account and configuring its key policy so that Pulumi Cloud can use it. CMKs are currently available on the Enterprise and Business Critical plans and support AWS KMS, with Azure Key Vault and Google Cloud KMS planned. Pulumi invites feedback through its usual channels as the feature develops.
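The part a practitioner has to get right is the KMS key policy: the key owner must keep administration (so rotation and revocation stay in the customer's hands), and the external consumer should get only the envelope-encryption calls it needs to wrap and unwrap data keys. The following is an added example, not code from Pulumi or from the blog post, that builds such a policy and audits an arbitrary policy for the two common mistakes (an external principal holding administrative or wildcard rights, or no owner admin at all). The account ID and the consumer principal ARN are placeholders; Pulumi's real service principal and the exact set of actions it requires are not stated on this page and must be taken from Pulumi's own documentation.

```python
import json
from typing import Any, Dict, List

# Placeholder identifiers (assumptions for this example, not values from Pulumi):
KEY_OWNER_ACCOUNT = "123456789012"                    # AWS account that owns the CMK
PULUMI_PRINCIPAL = "arn:aws:iam::111122223333:root"   # stand-in for the Pulumi Cloud principal

# Calls an external consumer needs for envelope encryption: wrap/unwrap data keys,
# plus DescribeKey so it can resolve the key ARN. Deliberately excludes lifecycle calls.
ENVELOPE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
]


def build_key_policy(owner_account: str, consumer_principal: str) -> Dict[str, Any]:
    """Key policy: owner keeps full control, consumer may only use the key."""
    owner_root = f"arn:aws:iam::{owner_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Owner retains kms:* so rotation, disable and deletion stay with the customer.
                "Sid": "OwnerRetainsKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": owner_root},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Consumer can wrap/unwrap data keys but cannot alter or delete the CMK.
                "Sid": "ConsumerEnvelopeUseOnly",
                "Effect": "Allow",
                "Principal": {"AWS": consumer_principal},
                "Action": list(ENVELOPE_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def policy_json(policy: Dict[str, Any]) -> str:
    """Serialized form suitable for `aws kms create-key --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


def _as_list(value: Any) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def audit_key_policy(policy: Dict[str, Any], owner_account: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    findings: List[str] = []
    owner_prefix = f"arn:aws:iam::{owner_account}:"
    owner_root = owner_prefix + "root"
    owner_has_admin = False

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        actions = set(_as_list(stmt.get("Action", [])))

        # Anyone-can-call statements defeat the point of a customer-owned key.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: wildcard principal granted {', '.join(sorted(actions))}")
            continue

        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if owner_root in principals and "kms:*" in actions:
            owner_has_admin = True

        # External principals (any account other than the owner) get envelope use only.
        for p in principals:
            if p.startswith(owner_prefix):
                continue
            extra = sorted(actions - set(ENVELOPE_ACTIONS))
            if extra:
                findings.append(
                    f"{sid}: external principal {p} granted non-envelope actions {', '.join(extra)}"
                )

    if not owner_has_admin:
        findings.append("no statement grants the owner account administrative (kms:*) access; "
                        "the key could become unmanageable")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(KEY_OWNER_ACCOUNT, PULUMI_PRINCIPAL)
    print(policy_json(policy))
    print("findings:", audit_key_policy(policy, KEY_OWNER_ACCOUNT))
```

Run the audit against the policy you actually attach (for example the output of `aws kms get-key-policy --policy-name default`) before handing the key ARN to Pulumi Cloud; the check is cheap and catches the "just give them kms:*" shortcut that quietly hands lifecycle control of the key to a third party.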