Pulumi has enhanced its secret management capabilities to support "Cloud Secret Providers," allowing users to maintain exclusive access to their sensitive data when provisioning infrastructure. Initially, Pulumi offered secret encryption via passphrase or its service backend, but these options lacked the control users desired. Now, Pulumi integrates with several encryption services, including AWS KMS, Azure KeyVault, Google Cloud KMS, and HashiCorp Vault. The article provides a detailed example of utilizing AWS KMS to encrypt secret values in a Pulumi stack, including setting up a KMS key, configuring IAM roles, and ensuring secure access through key policies. It demonstrates how to verify encryption by attempting Pulumi operations without access to the KMS key and explains how to manage Pulumi state files to ensure data remains encrypted. This approach not only strengthens security but also aims to facilitate compliance audits by ensuring that sensitive values are securely encrypted and accessible only to authorized users.