Security

User Identity and Access

  • Table ACL: SQL-based, fine-grained access control
  • IAM Instance profiles: Allow AWS clusters to assume an IAM role, so users can access resources without needing access to physical storage
  • Securely stored access keys: Allow access to external storage
  • Secrets API: Separate code and credentials

Encryption

  • data-at-rest

    • Control plane is encrypted
    • Data plane supports local encryption
    • Customers can use encrypted storage buckets
    • Some tiers allow using CMK (customer-managed keys) for managed services
  • data-in-motion

    • control-plane <-> data-plane is encrypted
    • optional intra-cluster encryption
    • customer code can avoid unencrypted services (e.g. FTP)

Isolation

  • Workspace level: each team/org uses a different workspace
  • Cluster level, using ACLs
  • Single-user cluster (private cluster)

Compliance

  • SOC 2 Type II, ISO 27001, etc.
  • FedRAMP High, HITRUST, HIPAA, PCI
  • GDPR, CCPA