All Azure and AWS service principal credentials stored in CloudRift are encrypted at rest using AES-256 Fernet symmetric encryption before being written to the database. Encryption keys are managed at the application layer and rotated periodically.
Credentials are decrypted only at the moment they are needed for an API call and are never logged, transmitted to third parties, or stored in plaintext.
CloudRift implements Role-Based Access Control (RBAC) with five defined roles: Owner, Admin, Developer, Analyst, and Viewer. Each role has precisely scoped permissions — viewers cannot delete resources, analysts cannot modify configurations.
Multi-Factor Authentication (TOTP) is available for all accounts and can be enforced organization-wide by administrators.
Every significant action in CloudRift is recorded in an immutable audit log — including logins, scans, resource deletions, plan changes, and governance assessments. Audit logs are accessible to owners and admins within the platform.
CloudRift runs on a managed Kubernetes infrastructure with TLS 1.2+ enforced on all endpoints. The platform uses HTTPS exclusively — no unencrypted HTTP connections are accepted.
CloudRift operates with a minimal permission model. The Permission Setup Wizard lets administrators choose exactly which level of access to grant:
| Feature | Read-Only Tier | Standard Tier | Full Access Tier |
|---|---|---|---|
| Resource scanning | |||
| Cost analysis | |||
| Identity/MFA audit | |||
| Governance assessments | |||
| VM resize / deletion | |||
| Monitoring setup | |||
| Policy deployment | |||
| Governance auto-fix |
CloudRift processes Azure/AWS metadata (resource names, types, costs, configurations) to provide optimization recommendations. We do not access, read, or store the contents of your workloads — databases, file storage, application code, or user data within your cloud resources.
If you discover a security vulnerability in CloudRift, please report it responsibly to security@cloudrift.tech. We commit to acknowledging reports within 48 hours and resolving critical issues within 14 days.
Do not publicly disclose vulnerabilities without giving us reasonable time to respond.
Questions about security? Contact our security team.
security@cloudrift.tech