SecretFetch is designed with security as a top priority. This document outlines our security practices, design decisions, and recommendations for secure usage in enterprise environments.

• SecretFetch is a pass-through library that never stores secrets persistently
• In-memory caching is optional and configurable
• Cache entries are automatically cleared after their TTL expires
• Memory is securely zeroed when cache entries are removed

• Uses official AWS SDK with best practices
• Supports AWS IAM roles and instance profiles
• Compatible with AWS KMS for additional encryption
• No AWS credentials are ever stored in the library
• Supports AWS VPC endpoints for secure internal access

• Follows AWS IAM least-privilege principle
• Supports fine-grained AWS resource policies
• Compatible with AWS Organizations and SCPs
• Works with AWS CloudTrail for audit logging

• GDPR-compliant secret handling
• SOC 2 compatible practices
• Supports audit logging
• Zero persistent storage (stateless operation)

SecretFetch implements best-effort secure memory handling within Go's constraints:

1. Garbage Collection: Due to Go's garbage collection, we cannot guarantee when memory will be fully cleared from the system. The library implements explicit zeroing when values are cleared, but intermediate copies may exist in memory until garbage collected.

2. String Immutability: Go strings are immutable and may be copied by the runtime. While we implement secure handling for our internal byte slices, we cannot prevent copies when returning string values.

3. Best Practices:

   • Use SecureCache option for sensitive values
   • Call Clear() explicitly when done with secrets
   • Be aware that perfect memory security is not possible in pure Go
   • Consider using OS-level memory protection for highest security needs

1. Use IAM Roles with minimal permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:region:account:secret:prefix/*"
            ]
        }
    ]
}

2. Enable AWS CloudTrail logging:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        }
    ]
}

1. Always use HTTPS when accessing AWS services:

opts := &secretfetch.Options{
    AWS: &aws.Config{
        EndpointResolver: aws.EndpointResolverFunc(func(service, region string) (aws.Endpoint, error) {
            return aws.Endpoint{
                URL:           "https://secretsmanager.region.amazonaws.com",
                SigningRegion: region,
            }, nil
        }),
    },
}

2. Configure secure caching:

opts := &secretfetch.Options{
    CacheDuration: 5 * time.Minute,  // Short cache duration
    PreloadARNs: true,              // Preload to reduce API calls
}

3. Use pattern validation to prevent injection:

type Config struct {
    // Validate to prevent SQL injection
    DBQuery string `secret:"env=QUERY,pattern=^[a-zA-Z0-9_]+$"`
}

• Use AWS IAM roles instead of access keys
• Implement role-based access control (RBAC)
• Follow the principle of least privilege
• Regularly rotate credentials

• Use AWS PrivateLink/VPC Endpoints
• Enable AWS VPC Flow Logs
• Implement network segmentation
• Use security groups to restrict access

• Enable AWS CloudTrail
• Set up CloudWatch alarms
• Monitor API usage patterns
• Regular security reviews

• Document secret access patterns
• Maintain access logs
• Regular security assessments
• Compliance reporting

SecretFetch supports security auditing through:

1. AWS CloudTrail Integration:

• All AWS Secrets Manager API calls are logged
• Access patterns can be monitored
• Anomaly detection possible

2. Logging Capabilities:

opts := &secretfetch.Options{
    OnSecretAccess: func(ctx context.Context, secretID string) {
        log.Printf("Secret accessed: %s", secretID)
    },
}

3. Metrics Collection:

opts := &secretfetch.Options{
    MetricsCollector: &metrics.SecurityMetrics{
        OnSecretAccess: func(metric metrics.SecretAccessMetric) {
            prometheus.SecretAccessCounter.Inc()
        },
    },
}

For security concerns or to report vulnerabilities:

1. Open a security advisory on GitHub
2. Email: au.brayden.moon@gmail.com
3. Follow our responsible disclosure policy

While the library itself is not certified, it is designed to be used in certified environments:

• SOC 2
• ISO 27001
• HIPAA
• GDPR
• PCI DSS

We maintain a security-first approach:

1. Regular security patches
2. Dependency updates
3. Vulnerability scanning
4. Third-party security audits

For enterprise customers, we offer:

1. Direct security consultation
2. Custom security configurations
3. Integration support
4. Compliance documentation

We follow semantic versioning and provide:

• Security patches for the latest major version
• Critical updates for previous versions
• Regular dependency updates
• Vulnerability notifications