This document details the Red Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed Red Hat OpenShift Service on AWS (ROSA).
AWS - Amazon Web Services
CEE - Customer Experience and Engagement (Red Hat Support)
CI/CD - Continuous Integration / Continuous Delivery
CVE - Common Vulnerabilities and Exposures
PVs - Persistent Volumes
ROSA - Red Hat OpenShift Service on AWS
SRE - Red Hat Site Reliability Engineering
VPC - Virtual Private Cloud
Security and regulation compliance includes tasks such as the implementation of security controls and compliance certification.
Red Hat defines and follows a data classification standard to determine the sensitivity of data and highlight inherent risk to the confidentiality and integrity of that data while it is collected, used, transmitted, stored, and processed. Customer-owned data is classified at the highest level of sensitivity and handling requirements.
Red Hat OpenShift Service on AWS (ROSA) uses AWS Key Management Service (KMS) to help securely manage keys for encrypted data. These keys are used for control plane, infrastructure, and worker data volumes that are encrypted by default. Persistent volumes (PVs) for customer applications also use AWS KMS for key management.
When a customer deletes their ROSA cluster, all cluster data is permanently deleted, including control plane data volumes and customer application data volumes, such as persistent volumes (PVs).
Red Hat performs periodic vulnerability scanning of ROSA using industry standard tools. Identified vulnerabilities are tracked to their remediation according to timelines based on severity. Vulnerability scanning and remediation activities are documented for verification by third-party assessors in the course of compliance certification audits.
Each ROSA cluster is protected by a secure network configuration using firewall rules for AWS Security Groups. ROSA customers are also protected against DDoS attacks with AWS Shield Standard.
Customers can optionally configure their ROSA cluster endpoints, such as web console, API, and application router, to be made private so that the cluster control plane and applications are not accessible from the Internet. Red Hat SRE still requires Internet-accessible endpoints that are protected with IP allow-lists.
AWS customers can configure a private network connection to their ROSA cluster through technologies such as AWS VPC peering, AWS VPN, or AWS Direct Connect.
Red Hat performs periodic penetration tests against ROSA. Tests are performed by an independent internal team by using industry standard tools and best practices.
Any issues that may be discovered are prioritized based on severity. Any issues found belonging to open source projects are shared with the community for resolution.
Red Hat OpenShift Service on AWS follows common industry best practices for security and controls. The certifications are outlined in the following table.
Compliance | Red Hat OpenShift Service on AWS (ROSA) | Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) |
---|---|---|
HIPAA Qualified[1] | Yes | Yes |
ISO 27001 | Yes | Yes |
ISO 27017 | Yes | Yes |
ISO 27018 | Yes | Yes |
PCI DSS | Yes | Yes |
SOC 1 Type 2 | Yes | Yes |
SOC 2 Type 2 | Yes | Yes |
SOC 3 | Yes | Yes |
FedRAMP High[2] | Yes (GovCloud requisite) | No |
[1] For more information about Red Hat’s HIPAA Qualified ROSA offerings, see the HIPAA Overview.
[2] For more information about ROSA on GovCloud, see the FedRAMP Marketplace ROSA Agency and ROSA JAB listings.
See Red Hat Subprocessor List for information on SRE residency.
For more information about customer or shared responsibilities, see the ROSA Responsibilities document.
For more information about ROSA and its components, see the ROSA Service Definition.