Atmos Pro Trust Center

Atmos Pro

Atmos Pro is a hosted platform for managing Terraform and OpenTofu infrastructure with drift detection, deployment provenance, change governance, and audit logging. This portal contains our security and compliance documentation.

Security contact: security@cloudposse.com



Controls


Infrastructure security

How Atmos Pro secures its GitHub integration, isolates execution, and protects data in transit and at rest.

No standing access to customer infrastructure clouds
Atmos Pro holds no credentials for your infrastructure cloud accounts (AWS, Azure, GCP). It integrates only with GitHub, through a GitHub App that authenticates with short-lived installation access tokens rather than long-lived keys.
Short-lived cloud credentials for your pipelines (OIDC/STS)
Optionally, Atmos Pro can mint short-lived OIDC/STS credentials per run for your own CI/CD pipelines to authenticate to your cloud. Each credential is scoped to that run and expires shortly after it; Atmos Pro itself never holds standing access to your cloud.
Least-privilege GitHub App scopes
Repository access is granted through a GitHub App with narrowly scoped, reviewable permissions — not a personal access token.
Encryption in transit
All traffic to and from Atmos Pro is encrypted with TLS 1.2+.
Encryption at rest
Application data is stored on managed infrastructure (Vercel, Neon Postgres) with encryption at rest enabled by default.
Unique production authentication enforced
Access to production systems requires unique, individually attributable credentials — no shared accounts.
Remote access MFA enforced
Multi-factor authentication is required to access production systems and source control.
Encryption key access restricted
Access to encryption keys and secrets is restricted to authorized users with a business need.
Production access restricted
System and database access in production is restricted to authorized personnel.
Access revoked upon termination
Access to production systems is removed via the offboarding checklist when a team member leaves.
Managed, hardened hosting
Production runs on managed platforms (Vercel, Neon), inheriting their physical, network, and firewall controls rather than self-managed servers.
Web application firewall (WAF)
A managed web application firewall sits in front of Atmos Pro, with bot mitigation, rate limiting, and configurable rules. Edge traffic is continuously monitored.
Webhook signature verification
Every inbound GitHub webhook delivery carries an HMAC signature of its payload computed with a shared secret. Atmos Pro verifies that signature against the raw request body before processing the event, so deliveries that are forged or tampered with are rejected.
Egress IP allow-listing
Outbound traffic for customer-initiated runs originates from a documented, stable set of egress IPs that can be allow-listed.
Infrastructure monitoring and alerting
Production health and errors are continuously monitored with alerting (Sentry, OpenTelemetry).
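The webhook signature verification control above is the one item in this table with a concrete, checkable implementation. The Go program below is an added illustration written for this page, not Atmos Pro's own code: it shows how a GitHub webhook receiver validates the X-Hub-Signature-256 header (GitHub's HMAC-SHA256 over the raw body, keyed with the webhook secret) in constant time, and why it must do so on the exact bytes received before anything parses them. The secret, payload, and handler names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// signatureHeader is the header GitHub sets on every delivery when the
// webhook has a secret configured. Its value is "sha256=" followed by the
// lowercase hex HMAC-SHA256 of the raw request body keyed with that secret.
const signatureHeader = "X-Hub-Signature-256"

// maxBody bounds how much we buffer before verification so an unauthenticated
// sender cannot make the receiver hold arbitrary amounts of data.
// (Assumed limit for this example; GitHub caps webhook payloads at 25 MB.)
const maxBody = 1 << 20

// SignPayload computes the value GitHub would send in X-Hub-Signature-256.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature checks header against the HMAC of body. It rejects a
// missing or malformed header outright and compares in constant time so the
// check does not leak how many bytes of the signature matched.
func VerifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if len(secret) == 0 || !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// WebhookHandler verifies the signature on the raw bytes before anything
// else looks at them; handle receives the event name and the verified body.
func WebhookHandler(secret []byte, handle func(event string, body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(body) > maxBody {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Verify the bytes exactly as received: re-serialising parsed JSON
		// would change whitespace and key order and break the HMAC.
		if !VerifySignature(secret, body, r.Header.Get(signatureHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		handle(r.Header.Get("X-GitHub-Event"), body)
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	// Constructed sample values; a real secret comes from the GitHub App's
	// webhook configuration and belongs in a secrets manager, not source.
	secret := []byte("constructed-example-secret")
	body := []byte(`{"action":"opened","number":1}`)
	sig := SignPayload(secret, body)
	fmt.Println("valid delivery accepted:", VerifySignature(secret, body, sig))
	tampered := []byte(`{"action":"opened","number":2}`)
	fmt.Println("tampered delivery accepted:", VerifySignature(secret, tampered, sig))
}
```

Two details matter in practice: the comparison uses hmac.Equal rather than a string compare, so a forger cannot time their way to a valid signature byte by byte, and the body is read with a size limit and verified before JSON decoding, so an unauthenticated sender never reaches the parser.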