Secure property store for cloud applications

What Is Cerberus

What Is Cerberus

Cerberus solves a common problem encountered when running cloud applications: how to safely store and manage secrets (e.g. database passwords, API keys, etc.).


At Nike, we have a complex environment with many different applications, technology stacks, AWS accounts, and teams. Cerberus was developed in this environment to increase agility and decrease risk by securely managing secrets, like passwords and API keys, as well as non-sensitive dynamic run-time properties, such as feature flags and logging levels.


  • Uses the AWS Encryption SDK and KMS to manage the actual encryption at rest.
  • Operationalized for AWS including a CLI, Cloud Formation templates, edge security, and IAM integration.
  • Exposes all functionality via a REST API for easy integration.
  • Includes a Dashboard, a self-service Web UI, where teams can manage properties and access control.
  • Provides client libraries (e.g. Java, Node, Ruby) that can be used by Cloud applications (EC2 or Lambda) to retrieve properties at run-time.

Cerberus infrastructure overview diagram

Cerberus is a cloud native system that relies heavily on AWS infrastructure. It would take significant work to enable it in other environments.

What Cerberus is NOT

Cerberus is designed for storing application secrets such as passwords, API keys, and certificates. It is not meant to be a general purpose Key/Value store for storing any kind of data. It is not a replacement for data stores like Cassandra, DynamoDB, or Redis.