creating-secrets-using-best-practices

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Full Analysis
  • [Sensitive Data Protection]: The skill carries a mandatory constraint that secret values must never be logged or displayed in the agent's output. This is an effective safeguard against accidental credential exposure while the secret is being created.
  • [Implementation of Least-Privilege]: The instructions direct the agent to create narrowly scoped IAM policies and KMS key policies. By avoiding wildcards and adding a condition on aws:SecureTransport (so that only requests sent over TLS are permitted), the skill follows established practice for resource access control.
  • [Configuration via External Sources]: The procedure allows the secret configuration to be supplied from a local file or a URL. That is a standard automation feature, but it is also an input path for untrusted data. The skill manages this risk by requiring parameter validation up front and by processing the configuration as structured JSON.
  • [Auditing and Monitoring]: The workflow integrates CloudTrail auditing and CloudWatch monitoring and alarms, so every operation the skill performs is logged and unusual access patterns can be detected.
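As an added illustration of the technical points above (the value is never echoed, the resource and key policies are scoped and carry the aws:SecureTransport condition, and externally supplied JSON config is validated before anything is created), the Python below is example code written for this page, not the audited skill's own implementation. The config layout (name, kms_key_arn, allowed_principals, value), the sample ARNs and all function names are assumptions made for the example; it performs no AWS calls, so it runs offline.

```python
"""Validate a secret-creation config, keep the value out of all output, and
build and lint least-privilege policies for the new secret. Added example,
not the audited skill's code: the config keys (name, kms_key_arn,
allowed_principals, value) and every helper name are assumptions."""
import json
import re

# Format checks only, no AWS calls, so this runs offline.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:key/[0-9a-f-]{36}$")
READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
TLS_ONLY = {"Bool": {"aws:SecureTransport": "false"}}  # key is true only for TLS requests

class SecretValue:
    """repr(), str() and f-strings show a placeholder; json.dumps() raises."""
    def __init__(self, value):
        self._value = value
    def __repr__(self):
        return "SecretValue(<redacted>)"
    __str__ = __repr__
    def reveal(self):
        return self._value  # the one deliberate access path, easy to grep for

def parse_secret_config(raw):
    """Validate config JSON (from a local file or a URL fetch) before any AWS
    call. Returns (metadata, SecretValue): metadata never holds the value and
    error messages never echo what was supplied."""
    cfg = json.loads(raw)  # JSONDecodeError is a ValueError; its text carries no content
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    extra = set(cfg) - {"name", "kms_key_arn", "allowed_principals", "value"}
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    name, kms = cfg.get("name"), cfg.get("kms_key_arn")
    principals, value = cfg.get("allowed_principals"), cfg.get("value")
    if not isinstance(name, str) or not SECRET_NAME_RE.match(name):
        raise ValueError("name: missing or not a valid secret name")
    if not isinstance(kms, str) or not KMS_ARN_RE.match(kms):
        raise ValueError("kms_key_arn: a customer-managed KMS key ARN is required")
    if not isinstance(principals, list) or not principals or not all(
            isinstance(p, str) and ROLE_ARN_RE.match(p) for p in principals):
        raise ValueError("allowed_principals: non-empty list of IAM role/user ARNs required")
    if not isinstance(value, str) or not value:
        raise ValueError("value: missing")
    return {"name": name, "kms_key_arn": kms, "allowed_principals": principals}, SecretValue(value)

def build_resource_policy(secret_arn, principals):
    """Secret resource policy: read-only access for the named principals to
    this one secret, plus an explicit deny for any request not sent over TLS."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowNamedReaders", "Effect": "Allow", "Principal": {"AWS": principals},
         "Action": READ_ACTIONS, "Resource": secret_arn},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "secretsmanager:*", "Resource": secret_arn, "Condition": TLS_ONLY}]}

def build_kms_key_policy(account_id, region, principals):
    """Key policy for the secret's CMK (Resource "*" here means this key). Readers
    may decrypt only via Secrets Manager in this region, never by calling KMS directly."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "DecryptViaSecretsManagerOnly", "Effect": "Allow",
         "Principal": {"AWS": principals}, "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*", "Condition": {"StringEquals": {
             "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}]}

def _as_list(x):
    return [x] if isinstance(x, str) else list(x)

def lint_policy(policy):
    """Findings for a secret resource policy: wildcard Allow actions/resources, an
    unconditional public principal, and no TLS-only deny. Not for key policies."""
    findings, tls_deny = [], False
    for st in policy.get("Statement", []):
        sid, cond = st.get("Sid", "<no Sid>"), st.get("Condition", {})
        if st.get("Effect") == "Deny":
            tls_deny = tls_deny or cond == TLS_ONLY
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{sid}: wildcard resource")
        if st.get("Principal") == "*" and not cond:
            findings.append(f"{sid}: unconditional public principal")
    if not tls_deny:
        findings.append("no Deny for aws:SecureTransport=false")
    return findings

# Constructed inputs: a config with placeholder IDs, and the over-broad policy shape
# the linter is meant to catch, kept here for contrast with build_resource_policy().
SAMPLE_CONFIG = json.dumps({
    "name": "prod/payments/db-password",
    "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "allowed_principals": ["arn:aws:iam::123456789012:role/payments-api"],
    "value": "sekrit-placeholder-value"})
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "secretsmanager:*", "Resource": "*"}]}
```

Running lint_policy() over WEAK_POLICY reports four findings (wildcard action, wildcard resource, public principal, no TLS-only deny), while the policy from build_resource_policy() reports none. The key policy is deliberately not passed to the linter: in a KMS key policy, Resource "*" means the key itself, and the real restriction is the kms:ViaService condition, which makes kms:Decrypt succeed only when the request arrives through Secrets Manager rather than from the principal's own session.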
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 7, 2026, 02:36 AM