Access to the Control Plane CLI using a Service Account is granted by the use of a generated token. During the token generation, the token can be copied to the clipboard or downloaded. Once the token modal is dismissed, the token will no longer be available for display or retrieval. If the token is lost or compromised, it must be regenerated.
All communications from external sources use end-to-end TLS to the destination Workloads. The server certificates are generated by Let’s Encrypt and are rotated every 60 days. Default workload endpoints allow TLS 1.2 or greater with the following ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
When using a Domain the allowed TLS version and ciphers can be customized.
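Added example, not Control Plane's own code: a Python client context that enforces the default endpoint policy above (TLS 1.2 or greater, only the listed suites), an offline audit of what that context will actually offer, and a helper for judging what a live handshake negotiated. The `check_endpoint` function and any host passed to it are assumptions for illustration; the IANA-to-OpenSSL cipher name mapping is the standard one.

```python
import socket
import ssl

# Default workload endpoint policy from the page: TLS 1.2+ and these suites.
# Keys are the IANA names as listed; values are the OpenSSL names Python's ssl
# module reports (the TLS 1.3 suites use the same name in both).
ALLOWED_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
}
ALLOWED_OPENSSL = set(ALLOWED_SUITES.values())


def policy_context() -> ssl.SSLContext:
    """Client context that will only negotiate within the endpoint policy."""
    ctx = ssl.create_default_context()  # hostname check and CA verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 suites only; OpenSSL's default TLS 1.3 list
    # is exactly the three TLS 1.3 suites in the policy, so it is left alone.
    tls12 = [n for n in ALLOWED_SUITES.values() if not n.startswith("TLS_")]
    ctx.set_ciphers(":".join(tls12))
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Compare what the context will offer against the policy (runs offline)."""
    offered = {c["name"] for c in ctx.get_ciphers()}
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "outside_policy": offered - ALLOWED_OPENSSL,  # must be empty
        "unavailable": ALLOWED_OPENSSL - offered,     # suites this OpenSSL build lacks
    }


def negotiated_in_policy(version: str, cipher_name: str) -> bool:
    """Judge the (ssock.version(), ssock.cipher()[0]) pair after a handshake."""
    return version in ("TLSv1.2", "TLSv1.3") and cipher_name in ALLOWED_OPENSSL


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a live endpoint (assumed host) and report what was negotiated."""
    ctx = policy_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            cipher_name, version, _bits = ssock.cipher()
            return {"version": version, "cipher": cipher_name,
                    "in_policy": negotiated_in_policy(version, cipher_name)}
```

`audit_context` reports any suite the local OpenSSL build cannot offer under `unavailable`, which is useful when a client on an older or FIPS build fails to reach an endpoint that only accepts the listed suites.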
All internal communication between workloads and from workloads to other Control Plane services use mutual TLS (mTLS) with a unique client certificate per workload. Workload client certificates are rotated every hour and utilize TLSv1.2 with the ECDHE-RSA-AES256-GCM-SHA384 cipher.
Control Plane uses industry-standard firewall technology. All Workloads are configured to be fully restricted with no internal or external communication enabled by default, except for internal health check monitoring.
Inbound access to a Workload can be enabled/disabled from the entire Internet or limited to a specific list of CIDRs. Outbound access from a Workload can be enabled/disabled to the entire Internet or limited to a specific list of CIDRs or hostnames.
Every Workload receives discovery information for other Workloads across the Org but communication is disabled by default using firewalls and client certificate validation.
All Workloads are isolated at the Org level based on the use of:
Host-based Firewalls
Client Certificates
Proxies
Direct communication between containers residing in different Orgs is not possible; external endpoints can be used to communicate with Workloads in other Orgs. Isolation between Workloads within an Org is defined by the Workloads’ internal firewall configuration.
Control Plane leverages AWS roles and policies to create least-privilege, short-lived tokens that are assigned to Workloads during startup.
Network traffic between Control Plane and the AWS API is over a TLS connection.
During the creation of a Cloud Account targeting AWS, a policy within an AWS account is created that allows the Control Plane AWS account the ability to perform the following actions:
Control Plane leverages Azure Function Apps to create least-privilege, short-lived tokens that are assigned to Workloads during startup.
Network traffic between Control Plane and the Azure Function App endpoint is over a TLS connection and the request body is signed and encrypted using JOSE.
The Function App is assigned the owner role within the Azure subscription. Users with permissions to create/update Workload identities have the ability to assign any scope and roles within the subscription.
All logs generated by an Org are only accessible by a user having the readLogs permission. Logs are retained for 30 days by default. Retention settings for logs, metrics and traces can be adjusted on the Org.
Org secrets are encrypted at rest using envelope encryption and use TLS while in transit. Secrets are stored on multiple cloud providers using cloud-based Hardware Security Modules (HSM).
Security updates and patches are applied regularly and meet all compliance and regulation requirements. For zero-day vulnerabilities, updates are applied as soon as they are available and verified. All scheduled maintenance that could cause downtime will be communicated via email and Discord. If you find any security issues, or have any security questions, please email secops@controlplane.com.