Security Hardening
Self-hosting is only available with Pulumi Business Critical. If you would like to evaluate the self-hosted Pulumi Cloud, sign up for the 30-day trial or contact us.
This page covers security hardening recommendations for production self-hosted Pulumi Cloud deployments. For authentication configuration, see SAML SSO.
Network security
- Place the database and application containers in private subnets with no direct internet access.
- Use security groups or network policies to restrict traffic between tiers.
- Consider using an ingress allowlist (the `ingressAllowList` config key) to restrict access by IP range. All self-hosted installers support configuring CIDR-based allowlists on the ingress controller.
Encryption
- At rest: Enable storage encryption on database clusters and object storage buckets.
- In transit: Enforce TLS on all connections (load balancer, database, object storage).
- Secrets: Store sensitive configuration (license keys, TLS certificates, SMTP credentials, database passwords) using `pulumi config set --secret`, so the values are encrypted with the stack's secrets provider rather than written to the stack configuration file in plaintext.
SMTP and email
Configure SMTP to enable email-based features:
- User invitation workflows
- Organization notifications
- Password reset emails (only relevant if not using SAML SSO)
SMTP is optional if your organization uses SAML SSO exclusively and does not need email notifications. See the API component reference for SMTP environment variables.
CAPTCHA and bot protection
Configure Cloudflare Turnstile for signup protection. Despite the `recaptcha` prefix, these config keys accept Cloudflare Turnstile credentials:
- Set `recaptchaSiteKey` (Turnstile site key)
- Set `recaptchaSecretKey` (Turnstile secret key)
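The three configuration steps on this page (the ingress allowlist, secret config values, and the Turnstile keys) can be scripted together. The script below is an added example, not part of the Pulumi documentation or the self-hosted installers. It assumes that the installer reads `ingressAllowList` as a comma-separated string of IPv4 CIDRs (check your installer's README for the exact format), that `pulumi config set --secret KEY` with no value argument reads the value from standard input, and that the config keys `licenseKey` and `smtpPassword` exist; only `ingressAllowList`, `recaptchaSiteKey` and `recaptchaSecretKey` are taken from this page. The `validate_allowlist` check rejects malformed entries and a `/0` prefix, which would silently turn the allowlist into "allow everything".

```shell
#!/usr/bin/env sh
# Added example; not from the Pulumi docs or installers.
# Assumptions (see the lead-in): comma-separated IPv4 CIDR allowlist,
# secrets read from stdin by `pulumi config set --secret`, and the key
# names licenseKey / smtpPassword. Secret values are taken from the
# environment so they never appear on a command line or in shell history.

# validate_allowlist "CIDR[,CIDR...]"
# Returns 0 if every entry is a well-formed IPv4 CIDR with a prefix of /1 or
# longer; prints the offending entry to stderr and returns 1 otherwise.
validate_allowlist() {
  list=$1
  [ -n "$list" ] || { echo "allowlist is empty" >&2; return 1; }
  old_ifs=$IFS
  IFS=,
  set -- $list          # split on commas into positional parameters
  IFS=$old_ifs
  for cidr in "$@"; do
    case $cidr in
      */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
      *)   echo "not CIDR notation: $cidr" >&2; return 1 ;;
    esac
    case $prefix in
      ''|*[!0-9]*) echo "bad prefix length: $cidr" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "bad prefix length: $cidr" >&2; return 1; }
    # A /0 matches every address, which defeats the purpose of an allowlist.
    [ "$prefix" -ge 1 ] || { echo "/0 allows all traffic, refusing: $cidr" >&2; return 1; }
    old_ifs=$IFS
    IFS=.
    set -- $ip          # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $cidr" >&2; return 1; }
    for octet in "$@"; do
      case $octet in
        ''|*[!0-9]*) echo "bad IPv4 address: $cidr" >&2; return 1 ;;
      esac
      [ "$octet" -le 255 ] || { echo "bad IPv4 address: $cidr" >&2; return 1; }
    done
  done
  return 0
}

# apply_hardening_config
# Validates the allowlist, then writes the plain and secret config values
# into the current Pulumi stack. Secrets are piped on stdin (assumed
# behaviour of `pulumi config set --secret KEY`, see lead-in).
apply_hardening_config() {
  : "${INGRESS_ALLOW_LIST:?set INGRESS_ALLOW_LIST, e.g. 10.0.0.0/8,203.0.113.0/24}"
  : "${PULUMI_LICENSE_KEY:?set PULUMI_LICENSE_KEY}"
  : "${SMTP_PASSWORD:?set SMTP_PASSWORD}"
  : "${TURNSTILE_SITE_KEY:?set TURNSTILE_SITE_KEY}"
  : "${TURNSTILE_SECRET_KEY:?set TURNSTILE_SECRET_KEY}"

  validate_allowlist "$INGRESS_ALLOW_LIST" || return 1

  # Plain (non-secret) values: the allowlist and the public Turnstile site key.
  pulumi config set ingressAllowList "$INGRESS_ALLOW_LIST"
  pulumi config set recaptchaSiteKey "$TURNSTILE_SITE_KEY"

  # Secret values: encrypted by the stack's secrets provider.
  printf '%s' "$PULUMI_LICENSE_KEY"   | pulumi config set --secret licenseKey
  printf '%s' "$SMTP_PASSWORD"        | pulumi config set --secret smtpPassword
  printf '%s' "$TURNSTILE_SECRET_KEY" | pulumi config set --secret recaptchaSecretKey
}

# Only touch the stack when explicitly asked: `sh harden-config.sh apply`
if [ "${1:-}" = "apply" ]; then
  apply_hardening_config
fi
```

Run it as `sh harden-config.sh apply` from the installer's stack directory with the five environment variables exported; without the `apply` argument it only defines the functions, so the allowlist validator can be sourced and reused in CI before a deployment is allowed to proceed.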