
Multi-Cloud Sync (PRO)

PRO Feature

Multi-cloud sync requires a PRO tier license.

Sync replicates Azure Key Vault secrets and certificates to AWS and GCP for disaster recovery and multi-cloud deployments.


Overview

Sync enables multi-cloud credential management:

  • Azure to AWS: Secrets Manager, Parameter Store, ACM
  • Azure to GCP: Secret Manager, Certificate Manager
  • Scheduled sync: Automatic synchronization on schedule
  • Manual trigger: On-demand sync for immediate updates
  • Exclusion rules: Skip specific secrets from sync
  • Conflict detection: Handle version conflicts gracefully

Supported Targets

AWS

Target                     Description
-------------------------  --------------------------
Secrets Manager            Full secrets with metadata
Parameter Store            Simple key-value storage
ACM (Certificate Manager)  SSL/TLS certificates

GCP

Target               Description
-------------------  --------------------------
Secret Manager       Full secrets with metadata
Certificate Manager  SSL/TLS certificates

How Sync Works

Sync Flow

Azure Key Vault                    Target Cloud
┌─────────────────┐                ┌─────────────────┐
│ kv-production   │                │ AWS Secrets Mgr │
│                 │                │                 │
│ ├── api-key ────┼────Sync────────│──► api-key      │
│ ├── db-conn ────┼────Sync────────│──► db-conn      │
│ └── cert-tls ───┼────Sync────────│──► ACM cert     │
└─────────────────┘                └─────────────────┘

What Gets Synced

Azure         AWS Secrets Manager   Notes
------------  --------------------  ---------------------
Secret name   Secret name           Configurable naming
Secret value  Secret value          Encrypted in transit
Version       Version               AWS version tracking
Tags          Tags                  Optional tag sync

What Doesn't Get Synced

  • Version history (only current version)
  • Access policies
  • Azure-specific metadata
  • Key Vault keys (only secrets/certs)

Provider Configuration

AWS Configuration

Create IAM User

# Create IAM policy. The Resource ARN restricts the sync user to secrets under
# the certifyclouds/ prefix, so it must match the naming convention you pick
# for your sync records (see Naming Conventions below).
aws iam create-policy \
  --policy-name certifyclouds-sync \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "secretsmanager:CreateSecret",
          "secretsmanager:UpdateSecret",
          "secretsmanager:PutSecretValue",
          "secretsmanager:TagResource"
        ],
        "Resource": "arn:aws:secretsmanager:*:*:secret:certifyclouds/*"
      }
    ]
  }'

# Create IAM user
aws iam create-user --user-name certifyclouds-sync

# Attach policy (replace ACCOUNT with your 12-digit AWS account ID)
aws iam attach-user-policy \
  --user-name certifyclouds-sync \
  --policy-arn arn:aws:iam::ACCOUNT:policy/certifyclouds-sync

# Create access key. This is a long-lived credential: store it only in
# CertifyClouds and rotate it periodically (see Best Practices).
aws iam create-access-key --user-name certifyclouds-sync

Configure in CertifyClouds

  1. Go to Automation > Sync
  2. Click Configure AWS
  3. Enter:
       • AWS Access Key ID
       • AWS Secret Access Key
       • AWS Region (e.g., us-east-1)
  4. Test connection
  5. Save

GCP Configuration

Create Service Account

# Create service account (replace PROJECT_ID with your GCP project ID throughout)
gcloud iam service-accounts create certifyclouds-sync \
  --display-name="CertifyClouds Sync"

# Grant Secret Manager permissions. roles/secretmanager.admin is a broad role;
# if your organization requires least privilege, grant a narrower Secret Manager
# role and confirm that "Test connection" still succeeds.
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:certifyclouds-sync@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.admin"

# Create key. The JSON key is a long-lived credential: upload it to
# CertifyClouds, then delete the local copy and rotate it periodically.
gcloud iam service-accounts keys create key.json \
  --iam-account=certifyclouds-sync@PROJECT_ID.iam.gserviceaccount.com

Configure in CertifyClouds

  1. Go to Automation > Sync
  2. Click Configure GCP
  3. Upload service account JSON key
  4. Enter GCP Project ID
  5. Test connection
  6. Save

Creating Sync Records

From the UI

  1. Go to Automation > Sync
  2. Click Add Sync
  3. Configure:
       • Source: Select Azure Key Vault secret
       • Target: AWS or GCP
       • Target Service: Secrets Manager, Parameter Store, etc.
       • Target Name: Name in target cloud (auto-generated or custom)
       • Schedule: Auto-sync interval
  4. Save

Naming Conventions

Configure how secrets are named in the target cloud:

Option          Example                 Result in AWS
--------------  ----------------------  -----------------------
Keep original   api-key                 api-key
Add prefix      certifyclouds/{name}    certifyclouds/api-key
Add vault name  {vault}/{name}          kv-prod/api-key
Custom          myapp-{name}-sync       myapp-api-key-sync

Sync Scheduling

Automatic Sync

Configure sync to run on a schedule:

Interval   Description
---------  -------------------
1 hour     Near real-time sync
6 hours    Standard sync
24 hours   Daily sync
Custom     Cron expression

Manual Sync

Trigger sync immediately:

  1. Go to Automation > Sync
  2. Select sync records
  3. Click Sync Now
  4. Monitor progress

Sync on Change

Sync automatically when source secret changes:

  1. Enable Sync on Change for the record
  2. CertifyClouds detects changes during discovery scans
  3. Triggers sync within minutes of change

Sync Status

Status Indicators

Status    Description
--------  ----------------------
Synced    Target is up to date
Pending   Sync scheduled
Syncing   Sync in progress
Failed    Last sync failed
Unknown   Status not determined

Sync History

View sync history for each record:

  1. Click on sync record
  2. View History tab
  3. See:
       • Timestamp
       • Status
       • Duration
       • Any errors

Conflict Handling

Version Conflicts

When target secret was modified outside CertifyClouds:

Strategy   Behavior
---------  -------------------------------
Overwrite  Azure version always wins
Skip       Don't sync if conflict detected
Alert      Notify and pause sync

Configure Conflict Handling

  1. Go to Settings > Sync
  2. Set Conflict Strategy
  3. Save
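The following is an added example, not CertifyClouds' own sync code. It puts the "Sync on Change" rule and the three conflict strategies from the table above into one sync pass over an in-memory model: the source (Azure Key Vault) and target (e.g. AWS Secrets Manager) are plain dictionaries, the record remembers the source version it last synced and the target version it last wrote, and the status values are the ones listed under Status Indicators. The assumption is that the target exposes a version id for the current value so that out-of-band edits are detectable; the TargetStore, SyncRecord fields and sample data are constructed for this example.

```python
"""Sync-on-change detection and version-conflict handling for one sync record.

Added example (not CertifyClouds code). The source and target are modelled as
dicts; the record tracks the versions it last saw/wrote so that both a source
change and an out-of-band target edit are detectable.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Strategy(Enum):
    OVERWRITE = "overwrite"  # Azure version always wins
    SKIP = "skip"            # leave the target untouched when drift is detected
    ALERT = "alert"          # notify and pause the record


@dataclass
class TargetStore:
    """Toy target cloud: name -> (version, value). Every write gets a new version."""
    items: dict
    counter: int = 0

    def put(self, name: str, value: str) -> str:
        self.counter += 1
        version = f"v{self.counter}"
        self.items[name] = (version, value)
        return version

    def get(self, name: str):
        return self.items.get(name)


@dataclass
class SyncRecord:
    source_name: str
    target_name: str
    strategy: Strategy
    last_source_version: Optional[str] = None  # source version last synced
    last_target_version: Optional[str] = None  # target version we last wrote
    status: str = "Unknown"
    paused: bool = False


def sync_record(record: SyncRecord, source: dict, target: TargetStore, alerts: list) -> str:
    """Run one sync pass for a record and return the status shown in the UI."""
    if record.paused:                      # paused by an earlier Alert
        record.status = "Pending"
        return record.status

    src = source.get(record.source_name)
    if src is None:
        record.status = "Failed"
        alerts.append(f"{record.source_name}: secret not found in source")
        return record.status
    src_version, src_value = src

    # Sync on change: a source version we already synced needs no write.
    if src_version == record.last_source_version:
        record.status = "Synced"
        return record.status

    # Conflict detection: the target holds a version we did not write
    # (edited outside CertifyClouds, or it already existed before the first sync).
    current = target.get(record.target_name)
    drifted = current is not None and current[0] != record.last_target_version
    if drifted and record.strategy is not Strategy.OVERWRITE:
        alerts.append(f"{record.target_name}: modified outside CertifyClouds "
                      f"(strategy={record.strategy.value})")
        if record.strategy is Strategy.ALERT:
            record.paused = True
        record.status = "Pending"
        return record.status

    record.status = "Syncing"
    record.last_target_version = target.put(record.target_name, src_value)
    record.last_source_version = src_version
    record.status = "Synced"
    return record.status


if __name__ == "__main__":
    # Constructed sample: one secret, one target, someone edits the target by hand.
    source = {"api-key": ("s1", "value-1")}
    target, alerts = TargetStore({}), []
    rec = SyncRecord("api-key", "certifyclouds/api-key", Strategy.SKIP)
    print(sync_record(rec, source, target, alerts))          # Synced
    target.put("certifyclouds/api-key", "manual-edit")       # drift
    source["api-key"] = ("s2", "value-2")
    print(sync_record(rec, source, target, alerts), alerts)  # Pending + alert
```

With Skip the record stays Pending and is re-evaluated on the next pass, so the conflict surfaces in the Sync History every interval until someone resolves it; with Alert the record is paused and needs a manual resume after the alert has been reviewed.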

Exclusions

Exclude Secrets from Sync

  1. Go to Settings > Sync > Exclusions
  2. Add pattern:
       • name:*-local - Skip secrets ending in "-local"
       • vault:kv-dev - Skip entire vault
       • tag:no-sync=true - Skip tagged secrets
  3. Save

Common Exclusions

  • Development/test secrets
  • Secrets with personal data
  • Secrets only used in Azure
  • Deprecated secrets
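The following is an added example, not CertifyClouds code, covering both the Naming Conventions table and the Exclusions rules above. Given the secrets a discovery scan returns, it applies the exclusion patterns first and then renders the target name from a template. Assumptions: name: and vault: rules are shell-style globs, tag: rules compare key=value case-insensitively, and target names are checked against AWS Secrets Manager's documented character set (alphanumerics and /_+=.@-, up to 512 characters); the Secret class and sample data are constructed.

```python
"""Plan which Azure Key Vault secrets get synced, and under which target name.

Added example (not CertifyClouds code). Applies exclusion rules of the form
name:<glob>, vault:<glob>, tag:<key>=<value>, then a naming template with
{vault} and {name} placeholders.
"""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Secret:
    """Constructed stand-in for one discovered Key Vault secret."""
    vault: str
    name: str
    tags: dict = field(default_factory=dict)


# Templates from the Naming Conventions table; "Custom" is any other template
# built from the same two placeholders.
NAMING_TEMPLATES = {
    "keep": "{name}",
    "prefix": "certifyclouds/{name}",
    "vault": "{vault}/{name}",
}

# AWS Secrets Manager name constraint (assumption from AWS docs, not CertifyClouds').
_AWS_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")


def target_name(secret: Secret, template: str) -> str:
    """Render the target name and reject anything AWS would refuse."""
    rendered = template.format(vault=secret.vault, name=secret.name)
    if not _AWS_NAME_RE.match(rendered):
        raise ValueError(f"invalid target name {rendered!r}")
    return rendered


def is_excluded(secret: Secret, patterns: list) -> bool:
    """True if any exclusion rule matches; unknown rule kinds are an error."""
    for pattern in patterns:
        kind, _, value = pattern.partition(":")
        if kind == "name":
            if fnmatch.fnmatchcase(secret.name, value):
                return True
        elif kind == "vault":
            if fnmatch.fnmatchcase(secret.vault, value):
                return True
        elif kind == "tag":
            key, has_value, expected = value.partition("=")
            if key in secret.tags and (
                not has_value or str(secret.tags[key]).lower() == expected.lower()
            ):
                return True
        else:
            raise ValueError(f"unknown exclusion rule {pattern!r}")
    return False


def plan_sync(secrets: list, template: str, exclusions: list):
    """Return ({(vault, name): target_name}, [skipped "vault/name" labels])."""
    plan, skipped = {}, []
    for secret in secrets:
        if is_excluded(secret, exclusions):
            skipped.append(f"{secret.vault}/{secret.name}")
            continue
        plan[(secret.vault, secret.name)] = target_name(secret, template)
    return plan, skipped


# Constructed sample: two vaults, one tagged secret, one "-local" secret.
SAMPLE_SECRETS = [
    Secret("kv-prod", "api-key"),
    Secret("kv-prod", "db-conn-local"),
    Secret("kv-prod", "legacy-token", {"no-sync": "true"}),
    Secret("kv-dev", "api-key"),
]
SAMPLE_EXCLUSIONS = ["name:*-local", "vault:kv-dev", "tag:no-sync=true"]

if __name__ == "__main__":
    plan, skipped = plan_sync(SAMPLE_SECRETS, NAMING_TEMPLATES["prefix"], SAMPLE_EXCLUSIONS)
    for (vault, name), tgt in plan.items():
        print(f"{vault}/{name} -> {tgt}")
    print("skipped:", skipped)
```

Evaluating exclusions before naming matters for the "Limit scope" best practice: a secret excluded by rule never gets a target name and so never needs a corresponding IAM permission in the target account.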

Security

Credential Storage

AWS/GCP credentials are stored encrypted:

  • Encrypted at rest using Fernet (AES-128-CBC + HMAC)
  • Key derived from SECRET_KEY using PBKDF2
  • Never logged or exposed in API responses
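The following is an added example, not CertifyClouds' own implementation. It shows the scheme the three bullets describe: a Fernet key (AES-128-CBC with an HMAC-SHA256 tag) derived from the application SECRET_KEY with PBKDF2-HMAC-SHA256, and a serializer that returns only the identifying half of a credential. It needs the `cryptography` package; the salt size, iteration count, stored field names and the sample credential are constructed for this example.

```python
"""Encrypt provider credentials at rest with a Fernet key derived from SECRET_KEY.

Added example, not CertifyClouds code. Requires the `cryptography` package.
"""
import base64
import json
import os

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

PBKDF2_ITERATIONS = 480_000  # assumption; raise as your hardware allows


def derive_fernet_key(secret_key: str, salt: bytes) -> bytes:
    """Fernet needs 32 key bytes, url-safe base64 encoded; PBKDF2 produces them."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                     iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(secret_key.encode("utf-8")))


def encrypt_credentials(secret_key: str, creds: dict) -> dict:
    """Return the record to store: a fresh random salt plus the Fernet token.

    A per-record salt means two records encrypted under the same SECRET_KEY
    never share a Fernet key.
    """
    salt = os.urandom(16)
    token = Fernet(derive_fernet_key(secret_key, salt)).encrypt(
        json.dumps(creds).encode("utf-8"))
    return {"salt": base64.b64encode(salt).decode("ascii"),
            "token": token.decode("ascii")}


def decrypt_credentials(secret_key: str, record: dict) -> dict:
    """Inverse of encrypt_credentials; raises InvalidToken on a wrong key or tampering."""
    salt = base64.b64decode(record["salt"])
    fernet = Fernet(derive_fernet_key(secret_key, salt))
    return json.loads(fernet.decrypt(record["token"].encode("ascii")))


def can_decrypt(secret_key: str, record: dict) -> bool:
    """True only if the HMAC verifies under this key (no partial plaintext on failure)."""
    try:
        decrypt_credentials(secret_key, record)
        return True
    except InvalidToken:
        return False


def public_view(creds: dict) -> dict:
    """The shape an API response may expose: identifiers, never the secret."""
    return {"access_key_id": creds["access_key_id"],
            "region": creds["region"],
            "secret_access_key": "<redacted>"}


# Constructed sample credential; not a real key.
SAMPLE_CREDS = {"access_key_id": "AKIA-EXAMPLE-ONLY",
                "secret_access_key": "constructed-sample-secret",
                "region": "us-east-1"}

if __name__ == "__main__":
    stored = encrypt_credentials("app-secret-key", SAMPLE_CREDS)
    print("stored record:", stored)
    print("api view:", public_view(decrypt_credentials("app-secret-key", stored)))
```

Because Fernet authenticates before decrypting, a wrong SECRET_KEY or a modified token fails as InvalidToken rather than yielding garbage, which is the property you want when the encrypted blob sits in a database that other components can read.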

Data in Transit

All sync operations use TLS:

  • Azure to CertifyClouds: TLS 1.2+
  • CertifyClouds to AWS: TLS 1.2+ (AWS SDK)
  • CertifyClouds to GCP: TLS 1.2+ (GCP SDK)

Audit Trail

All sync operations are logged:

  • Who initiated (user or system)
  • What was synced
  • To where
  • Success/failure status

API Reference

List Sync Records

GET /api/automation/sync/records

Create Sync Record

POST /api/automation/sync/records
Content-Type: application/json

{
  "source_vault": "kv-production",
  "source_secret": "api-key",
  "target_provider": "aws",
  "target_service": "secretsmanager",
  "target_name": "certifyclouds/api-key",
  "target_region": "us-east-1",
  "schedule_hours": 6,
  "enabled": true
}

Trigger Sync

POST /api/automation/sync/records/{record_id}/sync

Get Sync Status

GET /api/automation/sync/records/{record_id}/status

Configure Provider

POST /api/automation/sync/providers/aws
Content-Type: application/json

{
  "access_key_id": "AKIA...",
  "secret_access_key": "...",
  "region": "us-east-1"
}
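The following is an added example, not CertifyClouds' SDK, that drives the endpoints listed above end to end: configure the AWS provider, create a sync record with the payload shown, trigger it, and poll its status until it reaches Synced or Failed. Only the paths and the create payload come from the reference; the bearer-token header, an "id" field in the create response, a "status" field in the status response, and the FakeServer used to run the flow offline are assumptions of this example.

```python
"""Minimal client for the sync API with an injectable transport.

Added example, not CertifyClouds code. The endpoint paths are from the API
reference; response field names and the auth header are assumptions.
"""
import json
import time
import urllib.request
from typing import Callable, Optional

TERMINAL_STATES = {"Synced", "Failed"}
Transport = Callable[[str, str, Optional[dict]], tuple]


def http_transport(base_url: str, token: str) -> Transport:
    """Real transport: (method, path, body) -> (status_code, parsed JSON or None)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",  # assumption
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return call


class SyncClient:
    def __init__(self, transport: Transport):
        self._call = transport

    def configure_aws(self, access_key_id: str, secret_access_key: str, region: str) -> bool:
        code, _ = self._call("POST", "/api/automation/sync/providers/aws",
                             {"access_key_id": access_key_id,
                              "secret_access_key": secret_access_key,
                              "region": region})
        return code in (200, 201)

    def create_record(self, **fields) -> str:
        code, body = self._call("POST", "/api/automation/sync/records", fields)
        if code not in (200, 201):
            raise RuntimeError(f"create failed: {code} {body}")
        return body["id"]  # assumption: server returns the new record id

    def list_records(self) -> list:
        _, body = self._call("GET", "/api/automation/sync/records", None)
        return body

    def trigger(self, record_id: str) -> None:
        code, body = self._call("POST", f"/api/automation/sync/records/{record_id}/sync", None)
        if code not in (200, 202):
            raise RuntimeError(f"trigger failed: {code} {body}")

    def wait_for(self, record_id: str, timeout_s: float = 60.0,
                 poll_s: float = 2.0, sleep=time.sleep) -> str:
        """Poll until Synced/Failed; return "Unknown" if the deadline passes first."""
        deadline = time.monotonic() + timeout_s
        while True:
            _, body = self._call("GET", f"/api/automation/sync/records/{record_id}/status", None)
            status = body.get("status", "Unknown")
            if status in TERMINAL_STATES:
                return status
            if time.monotonic() >= deadline:
                return "Unknown"
            sleep(poll_s)


class FakeServer:
    """Constructed in-memory stand-in for the four endpoints (offline testing only)."""
    def __init__(self):
        self.records, self.providers, self._polls = {}, {}, {}

    def __call__(self, method, path, body=None):
        if method == "POST" and path == "/api/automation/sync/providers/aws":
            self.providers["aws"] = body
            return 200, {"ok": True}
        if method == "POST" and path == "/api/automation/sync/records":
            rid = f"rec-{len(self.records) + 1}"
            self.records[rid] = dict(body, id=rid, status="Pending")
            return 201, {"id": rid}
        if method == "GET" and path == "/api/automation/sync/records":
            return 200, list(self.records.values())
        parts = path.split("/")  # /api/automation/sync/records/{id}/{action}
        if len(parts) == 7 and parts[5] in self.records:
            rid, action = parts[5], parts[6]
            if method == "POST" and action == "sync":
                self.records[rid]["status"], self._polls[rid] = "Syncing", 0
                return 202, {}
            if method == "GET" and action == "status":
                if self.records[rid]["status"] == "Syncing":
                    self._polls[rid] += 1
                    if self._polls[rid] >= 2:  # finishes on the second poll
                        self.records[rid]["status"] = "Synced"
                return 200, {"status": self.records[rid]["status"]}
        return 404, {"error": "not found"}


if __name__ == "__main__":
    client = SyncClient(FakeServer())  # swap in http_transport(url, token) for a real server
    client.configure_aws("AKIA-EXAMPLE-ONLY", "constructed-sample-secret", "us-east-1")
    rid = client.create_record(source_vault="kv-production", source_secret="api-key",
                               target_provider="aws", target_service="secretsmanager",
                               target_name="certifyclouds/api-key", target_region="us-east-1",
                               schedule_hours=6, enabled=True)
    client.trigger(rid)
    print(rid, client.wait_for(rid, sleep=lambda s: None))
```

The timeout path returns the page's "Unknown" status rather than raising, so a caller can record it in the same place it records Failed and alert on both, which is what the "Monitor sync status" best practice asks for.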

Troubleshooting

"AWS credentials invalid"

Cause: Access key/secret incorrect or expired.

Fix:
  • Verify credentials in AWS IAM console
  • Create new access key if needed
  • Check IAM policy permissions

"Permission denied on target"

Cause: IAM policy doesn't allow the operation.

Fix:
  • Review IAM policy for secretsmanager:* permissions
  • Check resource ARN matches secret path
  • Ensure correct region is configured

"Secret not found in source"

Cause: Source secret was deleted or moved.

Fix:
  • Run discovery to refresh secret list
  • Update sync record with new source
  • Delete orphaned sync records

"Sync timeout"

Cause: Network or rate limiting issues.

Fix:
  • Check network connectivity to AWS/GCP
  • Reduce concurrent sync operations
  • Retry with exponential backoff


Best Practices

  1. Use prefixes: Add certifyclouds/ prefix to identify synced secrets
  2. Limit scope: Only sync secrets that need multi-cloud access
  3. Monitor sync status: Set up alerts for failed syncs
  4. Regular audits: Review sync records quarterly
  5. Secure credentials: Rotate AWS/GCP credentials periodically
  6. Test DR: Regularly verify synced secrets work in target cloud