Security Details

This section provides detailed security tables and reference material for the DR infrastructure.

EKS Access Management

| Principal | Access Level | Scope | Purpose |
|---|---|---|---|
| Deployer Role/User | AmazonEKSClusterAdminPolicy | Cluster-wide | Terraform deployments and cluster management |
| DR Failover Lambda | AmazonEKSClusterAdminPolicy | Namespace: logging | Scale humio-operator during automated failover |
| Application ServiceAccounts | IRSA-based | Namespace-scoped | Pod-level access to AWS services |

Note: AmazonEKSClusterAdminPolicy can only be associated with cluster-wide access scope; an EKS access entry cannot restrict it to a namespace. If the failover Lambda is meant to be confined to the logging namespace, associate a policy that supports namespace scope (AmazonEKSEditPolicy is enough to scale a deployment) or bind a Kubernetes Role in that namespace instead.
IRSA (IAM Roles for Service Accounts)

LogScale pods use IRSA for access to AWS services without long-lived static credentials: the pod presents a projected service account token and receives short-lived STS credentials for a role whose trust policy is pinned to that namespace and service account. The role's permissions policy is limited to the following actions:

| Permission | Purpose |
|---|---|
| s3:GetObject, s3:PutObject | Read/write log data and snapshots |
| s3:ListBucket | List bucket contents for segment discovery |
| s3:DeleteObject | Remove expired segments per retention policy |
| kms:Decrypt, kms:GenerateDataKey | Encrypt/decrypt S3 objects |
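
The two things worth checking before trusting an IRSA role are that its permissions policy grants only the actions in the table, scoped to the bucket and key, and that its trust policy allows exactly one service account (a missing or wildcarded `:sub` condition lets any pod in the cluster assume the role). The script below is an added example, not the project's own code; it runs offline on policy documents such as `aws iam get-role` / `get-role-policy` return. The bucket name, account ID, KMS key ID, OIDC provider ID and service-account name are constructed assumptions.

```python
# Added example (not part of the project): offline check that an IRSA role
# for the LogScale service account is scoped as the IRSA table describes.
# Bucket, account, KMS key, OIDC provider and service-account names are assumed.

BUCKET_ARN = "arn:aws:s3:::example-logscale-data"                       # assumed
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")                   # assumed

# Constructed sample permissions policy mirroring the IRSA table.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": KMS_KEY_ARN},
    ],
}

# Constructed sample trust policy: only the `logscale` service account in the
# `logging` namespace may assume the role. The OIDC provider ID is assumed.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "system:serviceaccount:logging:logscale",
        }},
    }],
}

# Exactly the actions in the IRSA table; anything else is reported.
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket",
                   "s3:DeleteObject", "kms:Decrypt", "kms:GenerateDataKey"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def permissions_findings(policy):
    """Findings for a permissions policy; an empty list means it matches the table."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} not in the IRSA table")
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {i}: unscoped resource {res!r}")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
    return findings


def trust_findings(trust, namespace, service_account):
    """Findings for the trust policy; an empty list means only one SA can assume the role."""
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for i, st in enumerate(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        subs = [v for k, v in equals.items() if k.endswith(":sub")]
        auds = [v for k, v in equals.items() if k.endswith(":aud")]
        if not subs:
            findings.append(f"statement {i}: no StringEquals on :sub, so any pod in the "
                            "cluster with a projected token could assume the role")
        elif subs != [want_sub]:
            findings.append(f"statement {i}: :sub is {subs}, expected [{want_sub!r}]")
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: :aud should be exactly 'sts.amazonaws.com'")
        if any(k.endswith(":sub") for k in cond.get("StringLike", {})):
            findings.append(f"statement {i}: StringLike on :sub allows wildcard subjects")
    return findings


if __name__ == "__main__":
    for name, result in (("permissions", permissions_findings(PERMISSIONS_POLICY)),
                         ("trust", trust_findings(TRUST_POLICY, "logging", "logscale"))):
        print(name, "ok" if not result else result)
```

Run it against the real role's documents after `terraform apply`; a non-empty list from either function means the role is wider than the table claims.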
Encryption at Rest

| Component | Encryption Method | Key Management |
|---|---|---|
| S3 Bucket (log data) | Application-level encryption by LogScale before upload, plus S3 server-side encryption (SSE-S3) on the bucket | LogScale encryption key, held in the <cluster>-s3-storage-encryption secret |
| S3 Bucket (Terraform state) | SSE-S3 or SSE-KMS | AWS-managed or customer-managed KMS key |
| EBS Volumes (ephemeral) | EBS encryption | AWS-managed KMS key |
| Kubernetes Secrets | etcd envelope encryption (EKS default; a customer-managed KMS key can be configured) | EKS-managed |
| Kafka (Strimzi) | Broker storage relies on EBS volume encryption (above); TLS protects transit only, not data at rest | AWS-managed KMS key (volumes); Strimzi-generated CA (TLS) |
Encryption in Transit

| Connection | Protocol | Certificate Management |
|---|---|---|
| Client → ALB | TLS 1.2+ | ACM-managed certificate |
| ALB → Ingress | TLS 1.2+ | Let's Encrypt via cert-manager |
| Ingress → LogScale | TLS 1.2+ | humio-operator managed CA |
| LogScale → Kafka | TLS 1.2+ | Strimzi-generated certificates |
| LogScale → S3 | HTTPS | AWS-managed |
| kubectl → EKS | TLS 1.2+ | EKS-managed |
Security Group Configuration

| Security Group | Ingress Rules | Purpose |
|---|---|---|
| EKS Control Plane | 443 from worker nodes | API server access |
| Worker Nodes | All from control plane | Kubelet communication |
| ALB | 443 from 0.0.0.0/0 | Public HTTPS access |
| LogScale Pods | 8080 from ALB SG | LogScale API traffic from the load balancer (TLS on this hop per the in-transit table) |
| Kafka | 9093 from worker nodes | TLS client connections |
Kubernetes Secrets Requiring DR Synchronization

| Secret | Contents | Sync Method |
|---|---|---|
| humio-license | LogScale license key | Manual copy or External Secrets |
| <cluster>-s3-storage-encryption | S3 encryption key | Terraform remote state (automatic) |
| <cluster>-ca-keypair | humio-operator CA | Regenerated per cluster |
| OAuth/SAML secrets | IdP credentials | External Secrets Operator |
| SMTP credentials | Email server credentials | External Secrets Operator |
| Ingest tokens | API tokens for log ingestion | Manual copy or External Secrets |
Audit and Compliance

| Service | Audit Capability | Retention |
|---|---|---|
| AWS CloudTrail | API calls to AWS services | Event history: 90 days; a trail delivering to S3 for longer retention |
| EKS Control Plane Logs | API server, audit, authenticator, controller manager, scheduler | CloudWatch Logs |
| LogScale Audit Logs | User actions, queries, configuration changes | LogScale retention policy |
| Lambda Execution Logs | DR failover invocations | CloudWatch Logs (7 days default) |
Security Best Practices Checklist

Before deploying the DR infrastructure, verify:

  • IAM roles follow least-privilege principle

  • S3 buckets have public access blocked

  • S3 bucket policies require HTTPS (aws:SecureTransport)

  • EKS cluster endpoint access is appropriately restricted

  • Kubernetes secrets are encrypted at rest (EKS default)

  • TLS certificates are valid and auto-renewing

  • CloudTrail is enabled for audit logging

  • EKS control plane logging is enabled

  • VPC flow logs are enabled (if required by compliance)

  • No hardcoded credentials in Terraform or Kubernetes manifests
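
The two S3 items in the checklist (public access blocked, HTTPS required) are easy to assert mechanically. The script below is an added example, not project code; it checks a bucket's public access block and bucket policy offline, in the JSON shapes that `aws s3api get-public-access-block` and `aws s3api get-bucket-policy` return. The bucket name and the sample configuration are constructed.

```python
# Added example (not part of the project): offline checks for the S3 items in
# the checklist. The bucket name and sample configuration are constructed.

BUCKET = "example-logscale-data"            # assumed bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: the configuration the checklist asks for.
PUBLIC_ACCESS_BLOCK = {flag: True for flag in PAB_FLAGS}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        # Both the bucket (ListBucket) and its objects must be covered.
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' and {'AWS': '*'} both mean anyone, including anonymous callers."""
    return principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*")


def check_public_access_block(pab):
    """All four flags must be on; a missing flag counts as off."""
    return [f"public access block: {flag} is not enabled"
            for flag in PAB_FLAGS if not pab.get(flag)]


def check_bucket_policy(policy, bucket_arn):
    """Require an explicit Deny for non-TLS requests on bucket and objects, and
    flag any Allow statement that is open to a public principal."""
    findings = []
    https_denied = set()
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        if st.get("Effect") == "Allow" and _is_public_principal(principal):
            findings.append(f"{sid}: Allow with public principal")
        secure = cond.get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny" and _is_public_principal(principal)
                and "s3:*" in actions and str(secure).lower() == "false"):
            https_denied.update(_as_list(st.get("Resource", [])))
    for res in (bucket_arn, f"{bucket_arn}/*"):
        if res not in https_denied:
            findings.append(f"no aws:SecureTransport deny covering {res}")
    return findings


if __name__ == "__main__":
    findings = (check_public_access_block(PUBLIC_ACCESS_BLOCK)
                + check_bucket_policy(BUCKET_POLICY, BUCKET_ARN))
    print("ok" if not findings else "\n".join(findings))
```

Note that the policy check matches the condition on the string "false" as well as JSON false, since both forms appear in real bucket policies, and it insists on both resource ARNs because a deny on objects alone still leaves plaintext ListBucket calls allowed.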

Terraform State Security
  • Primary cluster Terraform state is readable by the secondary cluster for remote state data flow. Ensure the S3 state bucket has strict IAM policies: read-only for the secondary's Terraform role, and no access for anything else that does not need it.

  • State files contain sensitive outputs (encryption keys, health check IDs). Marking them sensitive = true only masks them in plan and apply output; they are stored in plaintext in the state object in S3, so backend encryption (SSE-KMS) and tightly scoped bucket access are required.

  • The primary_remote_state_config workspace and key values must be carefully guarded. Incorrect values point the secondary at a different (or empty) state, so it is configured with a different S3 encryption key; nothing fails at deploy time, and the mismatch only surfaces on recovery, when the primary's segments cannot be read, which is effective data loss.
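
Because the key mismatch described above is silent until recovery, it is worth checking explicitly before a failover test: compare the key the primary's state publishes with the key the secondary cluster actually mounts, reporting only fingerprints so the key never reaches a log. The script below is an added example, not the project's own tooling; the Terraform output name, the Kubernetes secret's data key, the secret name and the key values are constructed assumptions, and the state document follows the Terraform v4 JSON layout.

```python
# Added example (not part of the project): detect the "silent key mismatch"
# failure mode before a recovery by comparing the S3 storage encryption key in
# the primary's Terraform state with the one in the secondary's Kubernetes
# secret. Output name, secret layout and key values are assumptions.
import base64
import hashlib
import hmac

_KEY = b"constructed-example-key-not-a-real-secret"       # constructed sample
_STALE_KEY = b"constructed-stale-key-from-an-old-deploy"  # constructed sample

# Constructed sample: the shape of a Terraform v4 state document as stored in S3.
PRIMARY_STATE = {
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "s3_storage_encryption_key": {                    # assumed output name
            "value": _KEY.decode(), "type": "string", "sensitive": True},
        "health_check_id": {
            "value": "abcdef12-3456-7890-abcd-ef1234567890",  # constructed
            "type": "string", "sensitive": True},
        "cluster_name": {"value": "logscale-primary", "type": "string"},
    },
    "resources": [],
}


def _k8s_secret(name, key_bytes):
    """Constructed sample of the secret as the secondary cluster sees it."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": "logging"},
            "data": {"storage-encryption-key":                 # assumed data key
                     base64.b64encode(key_bytes).decode()}}


SECONDARY_SECRET = _k8s_secret("logscale-secondary-s3-storage-encryption", _KEY)
STALE_SECRET = _k8s_secret("logscale-secondary-s3-storage-encryption", _STALE_KEY)


def fingerprint(secret_bytes):
    """Short SHA-256 fingerprint that is safe to log; never log the key itself."""
    return hashlib.sha256(secret_bytes).hexdigest()[:16]


def sensitive_outputs_in_plaintext(state):
    """Outputs marked sensitive whose values are nonetheless readable in the state
    document. sensitive = true only masks CLI output; the state holds plaintext."""
    return sorted(name for name, out in state.get("outputs", {}).items()
                  if out.get("sensitive") and out.get("value") not in (None, ""))


def key_from_state(state, output_name):
    out = state.get("outputs", {}).get(output_name)
    if out is None:
        # Typical symptom of a wrong primary_remote_state_config workspace or key.
        raise KeyError(f"output {output_name!r} not found in remote state")
    return out["value"].encode()


def key_from_secret(secret, data_key):
    return base64.b64decode(secret["data"][data_key])


def check_key_match(state, secret, output_name="s3_storage_encryption_key",
                    data_key="storage-encryption-key"):
    """Constant-time compare; fingerprints make a mismatch diagnosable."""
    primary = key_from_state(state, output_name)
    secondary = key_from_secret(secret, data_key)
    return {"match": hmac.compare_digest(primary, secondary),
            "primary_fingerprint": fingerprint(primary),
            "secondary_fingerprint": fingerprint(secondary)}


if __name__ == "__main__":
    print("plaintext sensitive outputs:", sensitive_outputs_in_plaintext(PRIMARY_STATE))
    print("current secret:", check_key_match(PRIMARY_STATE, SECONDARY_SECRET))
    print("stale secret:  ", check_key_match(PRIMARY_STATE, STALE_SECRET))
```

In practice the state document comes from `terraform state pull` run with the secondary's read-only role, and the secret from `kubectl get secret -n logging -o json` against the secondary cluster; a missing output is the first thing to check when the workspace or key in primary_remote_state_config is wrong.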