Understanding security for Red Hat OpenShift Service on AWS
This document details the Red Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed Red Hat OpenShift Service on AWS (ROSA).
-
AWS - Amazon Web Services
-
CEE - Customer Experience and Engagement (Red Hat Support)
-
CI/CD - Continuous Integration / Continuous Delivery
-
CVE - Common Vulnerabilities and Exposures
-
PVs - Persistent Volumes
-
ROSA - Red Hat OpenShift Service on AWS
-
SRE - Red Hat Site Reliability Engineering
-
VPC - Virtual Private Cloud
Security and regulation compliance
Security and regulation compliance includes tasks such as the implementation of security controls and compliance certification.
Data classification
Red Hat defines and follows a data classification standard to determine the sensitivity of data and highlight inherent risk to the confidentiality and integrity of that data while it is collected, used, transmitted, stored, and processed. Customer-owned data is classified at the highest level of sensitivity and handling requirements.
Data management
Red Hat OpenShift Service on AWS (ROSA) uses AWS Key Management Service (KMS) to help securely manage keys for encrypted data. These keys are used for control plane, infrastructure, and worker data volumes that are encrypted by default. Persistent volumes (PVs) for customer applications also use AWS KMS for key management.
When a customer deletes their ROSA cluster, all cluster data is permanently deleted, including control plane data volumes and customer application data volumes, such as persistent volumes (PV).
Vulnerability management
Red Hat performs periodic vulnerability scanning of ROSA using industry standard tools. Identified vulnerabilities are tracked to their remediation according to timelines based on severity. Vulnerability scanning and remediation activities are documented for verification by third-party assessors in the course of compliance certification audits.
Network security
Firewall and DDoS protection
Each ROSA cluster is protected by a secure network configuration using firewall rules for AWS Security Groups. ROSA customers are also protected against DDoS attacks with AWS Shield Standard.
Private clusters and network connectivity
Customers can optionally configure their ROSA cluster endpoints, such as web console, API, and application router, to be made private so that the cluster control plane and applications are not accessible from the Internet. Red Hat SRE still requires Internet-accessible endpoints that are protected with IP allow-lists.
AWS customers can configure a private network connection to their ROSA cluster through technologies such as AWS VPC peering, AWS VPN, or AWS Direct Connect.
Penetration testing
Red Hat performs periodic penetration tests against ROSA. Tests are performed by an independent internal team by using industry standard tools and best practices.
Any issues that may be discovered are prioritized based on severity. Any issues found belonging to open source projects are shared with the community for resolution.
Compliance
Red Hat OpenShift Service on AWS follows common industry best practices for security and controls. The certifications are outlined in the following table.
| Compliance | Red Hat OpenShift Service on AWS (ROSA) | Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) |
|---|---|---|
HIPAA Qualified |
Yes |
No |
ISO 27001 |
Yes |
No |
ISO 27017 |
Yes |
No |
ISO 27018 |
Yes |
No |
PCI DSS |
Yes |
No |
SOC 2 Type 2 |
Yes |
No |
SOC 3 |
Yes |
No |
-
See Red Hat Subprocessor List for information on SRE residency.
-
For more information about customer or shared responsibilities, see the ROSA Responsibilities document.
-
For more information about ROSA and its components, see the ROSA Service Definition.