My experience is similar to the other comments here:

- A combination of sops[1] and AWS Parameter Store might be a good candidate for (4)
- (5) can be solved with AWS SSO / OIDC (also: platforms that offer OIDC usually support that feature for free, and a variety of them can be configured via Terraform)
- For (6), there are solutions like Atlantis[2] for Terraform, but I am not familiar with alternatives for Pulumi and Ansible. Might be a good idea to spend some time and build a pipeline with whichever CI/CD platform you are using (bonus: GitHub Actions supports OIDC auth with AWS as an IAM role[3], no secrets or credentials required!)
- For (7), you can create a separate AWS account and manage it with AWS Organizations (or not)
- For (8), 1pass[4] for any credentials that require a username/password combo (non-tech/breakglass account). Groups can be created to limit certain credentials to subsets of users

[1] https://github.com/mozilla/sops
[2] https://www.runatlantis.io/docs/repo-level-atlantis-yaml.htm...
[3] https://docs.github.com/en/actions/deployment/security-harde...
[4] https://support.1password.com/custom-groups/
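The GitHub Actions OIDC path in point (6) only removes the need for long-lived AWS keys if the IAM role's trust policy is pinned to the token's `aud` and `sub` claims; a trust policy that names the GitHub OIDC provider but sets no `sub` condition can be assumed from any repository on GitHub. The script below is an added example, not code from the commenter or from any of the linked projects: it builds a trust policy scoped to one repository and branch and audits an existing policy for the missing or wildcarded `sub` condition. The account id, organisation, repository and branch names are constructed placeholders.

```python
import json

# Condition keys AWS exposes for claims in the GitHub Actions OIDC token.
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = GITHUB_OIDC_ISSUER + ":aud"
SUB_KEY = GITHUB_OIDC_ISSUER + ":sub"


def build_trust_policy(account_id: str, org: str, repo: str, ref: str) -> dict:
    """Return a trust policy that only lets workflows of org/repo on `ref` assume the role.

    `ref` is e.g. "refs/heads/main"; the sub claim for a branch push is
    "repo:<org>/<repo>:ref:<ref>", so the policy pins exactly that value.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        AUD_KEY: "sts.amazonaws.com",
                        SUB_KEY: f"repo:{org}/{repo}:ref:{ref}",
                    }
                },
            }
        ],
    }


def _condition_values(condition: dict, key: str) -> list:
    """Collect values for `key` across all operators (StringEquals, StringLike, ...)."""
    values = []
    for operator_block in condition.values():
        if not isinstance(operator_block, dict):
            continue
        value = operator_block.get(key)
        if value is None:
            continue
        values.extend(value if isinstance(value, list) else [value])
    return values


def audit_github_oidc_trust(policy: dict) -> list:
    """Return a list of findings for statements that trust the GitHub OIDC provider."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if GITHUB_OIDC_ISSUER not in federated:
            continue
        condition = stmt.get("Condition", {})
        auds = _condition_values(condition, AUD_KEY)
        subs = _condition_values(condition, SUB_KEY)
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud condition missing or not pinned to sts.amazonaws.com")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            if sub == "*" or sub.startswith("repo:*"):
                findings.append(f"sub pattern {sub!r} matches any repository")
            elif not sub.startswith("repo:"):
                findings.append(f"sub pattern {sub!r} is not a repo: claim")
    return findings


# Constructed example: trusts the provider and pins aud, but forgets sub entirely.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
        }
    ],
}

# Constructed hardened counterpart for the same (placeholder) account and repo.
HARDENED_TRUST_POLICY = build_trust_policy(
    "123456789012", "example-org", "example-repo", "refs/heads/main"
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(audit_github_oidc_trust(policy)))
```

On the workflow side the job needs `permissions: id-token: write` and a step such as `aws-actions/configure-aws-credentials` with `role-to-assume` set to the role's ARN; the audit above is the part people tend to skip, and it is cheap to run against every role trust policy in the account.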