From 254d3a4adf054a1a99b3f8dca56beb680a8fe597 Mon Sep 17 00:00:00 2001 From: agustinoli Date: Wed, 1 Jul 2026 14:33:03 -0300 Subject: [PATCH 1/3] docs(dependency): clarify RDS at-rest encryption is opt-in (SLEAK-5875) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bot was answering that databases are encrypted with KMS at rest. storage_encrypted defaults to False in the RDS Pulumi module (core/apps/crm/modules/dependency/aws/rds.py) — it's only on if a KMS key is configured at creation time. Added that as a bullet next to the existing SSL/TLS note in ES, and ported the whole "Dependency Access" section to EN, which didn't have it at all. --- content/docs/en/project/dependency/index.mdx | 64 ++++++++++++++++++++ content/docs/es/project/dependency/index.mdx | 1 + 2 files changed, 65 insertions(+) diff --git a/content/docs/en/project/dependency/index.mdx b/content/docs/en/project/dependency/index.mdx index 8b8e20cc3..8232df7fa 100644 --- a/content/docs/en/project/dependency/index.mdx +++ b/content/docs/en/project/dependency/index.mdx @@ -106,3 +106,67 @@ To move forward choose between the following guides. [Memcached](/docs/project/dependency/memcached-aws). [OpenSearch](/docs/project/dependency/opensearch-aws). [SQS](/docs/project/dependency/sqs-aws). + +## Dependency Access + +Dependency access refers to the security and connectivity mechanisms that let your application's workloads interact securely with external dependencies. SleakOps automatically manages these access patterns to ensure secure communication between your services and their dependencies. + +### Access Management + +#### Automatic Service Account Configuration +When you create a dependency, SleakOps automatically: +- **Creates IAM roles** with appropriate permissions for the specific dependency type +- **Configures service accounts** in your Kubernetes namespace +- **Establishes secure connections** between your workloads and the dependency +- **Manages credentials** through Kubernetes secrets and IAM roles + +#### Network Security +- **VPC Integration**: Dependencies are created inside your project's VPC for secure network access +- **Security Groups**: Automatically configured to allow the traffic needed between services +- **Private Endpoints**: Dependencies use private endpoints when available to minimize exposure + +### Access Patterns + +#### Database Access +For database dependencies (MySQL, PostgreSQL, etc.): +- **Connection Strings**: Automatically generated and stored as Kubernetes secrets +- **Authentication**: Managed through IAM roles and database-specific credentials +- **SSL/TLS**: Encrypted connections are configured by default +- **At-Rest Encryption**: Not enabled by default. You can turn it on by configuring a KMS key when you create the dependency +- **Connection Pooling**: Optimized connection management for better performance + +#### Cache Access +For caching services (Redis, Memcached): +- **Endpoint Configuration**: Automatically configured in your application's environment +- **Authentication**: Secure access through IAM roles and service-specific credentials +- **Network Policies**: Access restricted to authorized workloads only + +#### Storage Access +For storage services (S3, etc.): +- **Bucket Policies**: Automatically configured with least-privilege access +- **IAM Permissions**: Service accounts receive only the permissions they need +- **Access Keys**: Managed through AWS IAM roles for greater security + +### Security Best Practices + +#### Principle of Least Privilege +- **Minimal Permissions**: Dependencies receive only the minimum required permissions +- **Resource-Specific Access**: Access is scoped to specific resources whenever possible +- **Regular Audits**: SleakOps provides tools to review and audit dependency access + +#### Credential Management +- **Automatic Rotation**: Credentials are rotated automatically when possible +- **Secure Storage**: All credentials are stored as Kubernetes secrets +- **No Hardcoded Secrets**: Applications access dependencies through environment variables + +:::info Access Monitoring +SleakOps provides monitoring and logging capabilities to track dependency access patterns, helping you identify potential security issues and optimize performance. +::: + +:::tip Troubleshooting Access Issues +If you run into access issues with dependencies: +1. Check the dependency's status in the SleakOps console +2. Confirm your workload has the correct service account +3. Review the IAM role permissions for the dependency +4. Verify network connectivity and security group configurations +::: diff --git a/content/docs/es/project/dependency/index.mdx b/content/docs/es/project/dependency/index.mdx index 3783b5588..cd0b2e36f 100644 --- a/content/docs/es/project/dependency/index.mdx +++ b/content/docs/es/project/dependency/index.mdx @@ -134,6 +134,7 @@ Para dependencias de base de datos (MySQL, PostgreSQL, etc.): - **Cadenas de Conexión**: Generadas automáticamente y almacenadas como secrets de Kubernetes - **Autenticación**: Gestionada a través de roles IAM y credenciales específicas de la base de datos - **SSL/TLS**: Las conexiones encriptadas se configuran por defecto +- **Encriptación at-rest**: No está habilitada por defecto. Podés activarla configurando una KMS key al crear la dependencia - **Connection Pooling**: Gestión optimizada de conexiones para mejor rendimiento #### Acceso a Cache From abf63ab7e518f9c34d1f6c702e01310319930662 Mon Sep 17 00:00:00 2001 From: agustinoli Date: Wed, 1 Jul 2026 14:53:56 -0300 Subject: [PATCH 2/3] docs(dependency): update at-rest encryption default per ae8c16d1 (SLEAK-5875) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous wording described the pre-06/2026 behavior. Since ae8c16d1 (RDS improvements), storageEncrypted defaults to true in the creation schema for MySQL/PostgreSQL/MariaDB/Oracle, and Aurora has always hardcoded storage_encrypted=True with no opt-out. Only dependencies created before that change may lack the flag — called that out instead of stating a blanket "not encrypted by default". --- content/docs/en/project/dependency/index.mdx | 2 +- content/docs/es/project/dependency/index.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/en/project/dependency/index.mdx b/content/docs/en/project/dependency/index.mdx index 8232df7fa..152437726 100644 --- a/content/docs/en/project/dependency/index.mdx +++ b/content/docs/en/project/dependency/index.mdx @@ -132,7 +132,7 @@ For database dependencies (MySQL, PostgreSQL, etc.): - **Connection Strings**: Automatically generated and stored as Kubernetes secrets - **Authentication**: Managed through IAM roles and database-specific credentials - **SSL/TLS**: Encrypted connections are configured by default -- **At-Rest Encryption**: Not enabled by default. You can turn it on by configuring a KMS key when you create the dependency +- **At-Rest Encryption**: Enabled by default on new dependencies — you can turn it off or configure your own KMS key when you create it. Aurora (PostgreSQL/MySQL) is always encrypted, with no way to opt out. If the dependency was created before this improvement shipped, check the specific case: it may not be encrypted - **Connection Pooling**: Optimized connection management for better performance #### Cache Access diff --git a/content/docs/es/project/dependency/index.mdx b/content/docs/es/project/dependency/index.mdx index cd0b2e36f..4b9d8181b 100644 --- a/content/docs/es/project/dependency/index.mdx +++ b/content/docs/es/project/dependency/index.mdx @@ -134,7 +134,7 @@ Para dependencias de base de datos (MySQL, PostgreSQL, etc.): - **Cadenas de Conexión**: Generadas automáticamente y almacenadas como secrets de Kubernetes - **Autenticación**: Gestionada a través de roles IAM y credenciales específicas de la base de datos - **SSL/TLS**: Las conexiones encriptadas se configuran por defecto -- **Encriptación at-rest**: No está habilitada por defecto. Podés activarla configurando una KMS key al crear la dependencia +- **Encriptación at-rest**: Habilitada por defecto en dependencias nuevas — podés desactivarla o configurar tu propia KMS key al crearla. Aurora (PostgreSQL/MySQL) siempre está encriptada, sin opción de desactivarlo. Si la dependencia ya existía antes de esta mejora, verificá el caso puntual: puede no estar encriptada - **Connection Pooling**: Gestión optimizada de conexiones para mejor rendimiento #### Acceso a Cache From db8fe9d85d380adbe7a2a78a46a908971e389dcd Mon Sep 17 00:00:00 2001 From: agustinoli Date: Wed, 1 Jul 2026 14:57:22 -0300 Subject: [PATCH 3/3] docs(dependency): split dense encryption bullet, fix missing EOF newline (SLEAK-5875) --- content/docs/en/project/dependency/index.mdx | 5 ++++- content/docs/es/project/dependency/index.mdx | 7 +++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/content/docs/en/project/dependency/index.mdx b/content/docs/en/project/dependency/index.mdx index 152437726..672407a72 100644 --- a/content/docs/en/project/dependency/index.mdx +++ b/content/docs/en/project/dependency/index.mdx @@ -132,7 +132,10 @@ For database dependencies (MySQL, PostgreSQL, etc.): - **Connection Strings**: Automatically generated and stored as Kubernetes secrets - **Authentication**: Managed through IAM roles and database-specific credentials - **SSL/TLS**: Encrypted connections are configured by default -- **At-Rest Encryption**: Enabled by default on new dependencies — you can turn it off or configure your own KMS key when you create it. Aurora (PostgreSQL/MySQL) is always encrypted, with no way to opt out. If the dependency was created before this improvement shipped, check the specific case: it may not be encrypted +- **At-Rest Encryption**: Enabled by default on new dependencies + - You can turn it off or configure your own KMS key when you create it + - Aurora (PostgreSQL/MySQL) is always encrypted, with no way to opt out + - If the dependency was created before this improvement shipped, check the specific case: it may not be encrypted - **Connection Pooling**: Optimized connection management for better performance #### Cache Access diff --git a/content/docs/es/project/dependency/index.mdx b/content/docs/es/project/dependency/index.mdx index 4b9d8181b..9b93d4f23 100644 --- a/content/docs/es/project/dependency/index.mdx +++ b/content/docs/es/project/dependency/index.mdx @@ -134,7 +134,10 @@ Para dependencias de base de datos (MySQL, PostgreSQL, etc.): - **Cadenas de Conexión**: Generadas automáticamente y almacenadas como secrets de Kubernetes - **Autenticación**: Gestionada a través de roles IAM y credenciales específicas de la base de datos - **SSL/TLS**: Las conexiones encriptadas se configuran por defecto -- **Encriptación at-rest**: Habilitada por defecto en dependencias nuevas — podés desactivarla o configurar tu propia KMS key al crearla. Aurora (PostgreSQL/MySQL) siempre está encriptada, sin opción de desactivarlo. Si la dependencia ya existía antes de esta mejora, verificá el caso puntual: puede no estar encriptada +- **Encriptación at-rest**: Habilitada por defecto en dependencias nuevas + - Podés desactivarla o configurar tu propia KMS key al crearla + - Aurora (PostgreSQL/MySQL) siempre está encriptada, sin opción de desactivarlo + - Si la dependencia ya existía antes de esta mejora, verificá el caso puntual: puede no estar encriptada - **Connection Pooling**: Gestión optimizada de conexiones para mejor rendimiento #### Acceso a Cache @@ -171,4 +174,4 @@ Si encuentras problemas de acceso con dependencias: 2. Confirma que tu carga de trabajo tiene la service account correcta 3. Revisa los permisos del rol IAM para la dependencia 4. Verifica la conectividad de red y configuraciones de security groups -::: \ No newline at end of file +:::