openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/rosa-policy-security-and-compliance.adoc
Olga Tikhomirova 028f09ddf9 OSDOCS-16122 - Adding missing content types to ROSA
2025-11-05 19:06:33 +00:00

143 lines
6.9 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
//Modules included in the following assemblies:
//
// * rosa_architecture/rosa_policy_service_definition/rosa-policy-shared-responsibility.adoc
:_mod-docs-content-type: CONCEPT
[id="rosa-policy-security-compliance_{context}"]
= Security and regulation compliance
The following table outlines the the responsibilities in regards to security and regulation compliance:
[cols="2a,3a,3a",options="header"]
|===
|Resource
|Service responsibilities
|Customer responsibilities
|Logging
|**Red{nbsp}Hat**
- Send cluster audit logs to a Red{nbsp}Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
|- Analyze application logs for security events.
- Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
|Virtual networking management
|**Red{nbsp}Hat**
- Monitor virtual networking components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|Virtual storage management
|**Red{nbsp}Hat**
- Monitor virtual storage components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
- Configure the ROSA service to encrypt control plane, infrastructure, and worker node volume data by default using the
AWS managed Key Management Service (KMS) key that Amazon EBS provides.
- Configure the ROSA service to encrypt customer persistent volumes that use the default storage class with the AWS
managed KMS key that Amazon EBS provides.
- Provide the ability for the customer to use a customer managed AWS KMS key to encrypt persistent volumes.
- Configure the container image registry to encrypt image registry data at rest using server-side encryption with Amazon S3 managed keys (SSE-3).
- Provide the ability for the customer to create a public or private Amazon S3 image registry to protect their container
images from unauthorized user access.
|- Provision Amazon EBS volumes.
- Manage Amazon EBS volume storage to ensure enough storage is available to mount as a volume in ROSA.
- Create the persistent volume claim and generate a
persistent volume though OpenShift Cluster Manager.
|Virtual compute management
|**Red{nbsp}Hat**
- Monitor virtual compute components for potential issues and security threats.
- Use public AWS tools for additional monitoring and protection.
|- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
|AWS software (public AWS services)
|**AWS**
**Compute:** Secure Amazon EC2, used for ROSA
used for ROSA
ifdef::openshift-rosa[]
control plane, infrastructure, and worker nodes.
endif::openshift-rosa[]
ifdef::openshift-rosa-hcp[]
control plane and worker nodes.
endif::openshift-rosa-hcp[]
For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[
Infrastructure security in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon Elastic Block Store (EBS),
used for ROSA
ifdef::openshift-rosa[]
control plane, infrastructure, and worker node volumes,
endif::openshift-rosa[]
ifdef::openshift-rosa-hcp[]
control plane and worker node volumes,
endif::openshift-rosa-hcp[]
as well as Kubernetes persistent volumes. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2] in the Amazon EC2 User Guide.
**Storage:** Provide AWS KMS, which ROSA uses to
ifdef::openshift-rosa[]
encrypt control plane, infrastructure, worker node volumes and persistent volumes.
endif::openshift-rosa[]
ifdef::openshift-rosa-hcp[]
encrypt control plane, worker node volumes and persistent volumes.
endif::openshift-rosa-hcp[]
For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption] in the Amazon EC2 User Guide.
**Storage:** Secure Amazon S3, used for the ROSA services built-in container image registry. For more information, see link:https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html[Amazon S3 security] in the S3 User Guide.
**Networking:** Provide security capabilities and services
to increase privacy and control network access on AWS global infrastructure, including network firewalls built into
Amazon VPC, private or dedicated network connections, and automatic encryption of all traffic on the AWS global
and regional networks between AWS secured facilities. For more information, see the link:https://aws.amazon.com/compliance/shared-responsibility-model/[AWS Shared Responsibility Model]
and link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/infrastructure-security.html[Infrastructure security] in the Introduction to AWS Security whitepaper.
|- Ensure security best practices and the principle of least
privilege are followed to protect data on the Amazon EC2
instance. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/infrastructure-security.html[Infrastructure security in Amazon EC2]
and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html[Data protection in Amazon EC2].
- Monitor optional configured virtual networking components for
potential issues and security threats.
- Configure any necessary firewall rules or customer data center protections as required.
- Create an optional customer managed KMS key and encrypt
the Amazon EBS persistent volume using the KMS key.
- Monitor the customer data in virtual storage
for potential issues and security threats. For more information,
see the link:https://aws.amazon.com/compliance/shared-responsibility-model/[shared responsibility model].
|Hardware/AWS global infrastructure
|**AWS**
- Provide the AWS global infrastructure that ROSA uses to deliver service functionality. For more information regarding AWS security
controls, see link:https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/security-of-the-aws-infrastructure.html[Security of the AWS Infrastructure] in the AWS whitepaper.
- Provide documentation for the customer to
manage compliance needs and check their
security state in AWS using tools such as
AWS Artifact and AWS Security Hub. For
more information, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/compliance-validation.html[Compliance
validation for ROSA] in the ROSA User
Guide.
|- Configure, manage, and monitor customer applications and data
to ensure application and data security controls are properly
enforced.
- Use IAM tools to apply the appropriate permissions to AWS
resources in the customer account.
|===
View Git Blame Copy Permalink