Security Overview

ZoneHero Security: A Technical Overview

At ZoneHero, we believe in transparent security. This document outlines our security architecture, focusing on aspects you can verify and validate yourself. We’ll show you exactly how we protect your infrastructure, what permissions we require, and how we maintain strict isolation between our control plane and your traffic.

Control Plane Communication

Our control plane manages load balancer configuration while maintaining strict data minimization principles. At no point does your load balancer traffic go through our Control Plane or any part of our infrastructure. Here’s exactly what data flows between your load balancers and our control plane:

Data Sent to the Control Plane

  • AWS Account ID (from IAM authentication)
  • Cluster name and Instance ID
  • Basic usage statistics, used for routing decisions and billing:
    • Request counts
    • Data volumes
    • Number of connections

Data Received from Control Plane

  • Availability Zone weights
  • List of upstream servers from your configured target groups
  • TLS certificates for use with TLS-enabled listeners
  • No customer traffic ever passes through our control plane

Connection Security

  • All communication is authenticated using AWS IAM credentials and restricted to the same AWS region
  • TLSv1.3 enforced on our endpoints
  • DNSSEC enabled on our zonehero.cloud domain and all its sub-domains

Verifiable Security Measures

IAM Permissions and Access Control

We require minimal, explicitly defined permissions in your AWS account. You can verify our access limitations through our CloudFormation template:

# Example from our IAM template
- Effect: Allow
  Action:
    - ec2:*
    - autoscaling:*
  Resource: '*'
  Condition:
    StringEquals:
      aws:ResourceTag/ZoneHeroType: hlb

The permissions we require are explicitly defined in a single, auditable CloudFormation template. Here’s exactly what we use them for:

  1. Infrastructure Management:

    • Create, start, and stop EC2 instances
    • Manage Auto Scaling groups
    • Configure launch templates
    • All modifying/destructive actions restricted to resources tagged with ZoneHeroType: hlb
    • Cannot modify or destroy your existing infrastructure
  2. Load Balancer Operations:

    • List instances in your specified target groups
    • Access TLS certificates under /hlb/* in Secrets Manager
    • Push metrics to CloudWatch (restricted to ZoneHero namespace)
  3. DNS Management:

    • Maintain Route53 records only in zones you specify
    • No access to other DNS records or zones

Key verification points:

  • All permissions defined in a single, small and auditable CloudFormation template
  • All infrastructure actions restricted by resource tags, except:
    • ec2:Create*
    • ec2:RunInstances
    • autoscaling:Create*
  • Role assumption requires a specific external ID
  • Scoped access to secrets and DNS zones

To verify these permissions:

  1. Review the CloudFormation template we provide
  2. Check CloudTrail logs for actions taken by our role
  3. Verify that modifying non-HLB resources fails
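One way to carry out step 1 offline is to audit the template's IAM statements mechanically: every Allow on Resource '*' should either carry the ZoneHeroType: hlb tag condition or fall under the documented creation exceptions. The script below is an added example, not ZoneHero's template or tooling; the policy document it checks is a constructed sample modelled on the fragment above, with one over-broad statement added on purpose so the audit has something to flag.

```python
import fnmatch
# Constructed sample modelled on the IAM fragment above; not ZoneHero's own template.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "autoscaling:*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/ZoneHeroType": "hlb"}}},
        # Creation calls cannot carry a tag condition: the resource has no tag yet.
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "autoscaling:CreateAutoScalingGroup"]},
        # ARN-scoped grant (not on '*'), so the tag condition does not apply to it.
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:*:*:secret:/hlb/*"},
        # Deliberately over-broad grant, constructed so the audit has something to flag.
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# The page documents these as the only actions allowed without the tag condition.
UNTAGGED_EXCEPTIONS = ("ec2:Create*", "ec2:RunInstances", "autoscaling:Create*")
TAG_KEY = "aws:ResourceTag/ZoneHeroType"
TAG_VALUE = "hlb"

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_is_tag_scoped(stmt):
    """True if the statement only applies to resources tagged ZoneHeroType=hlb."""
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get(TAG_KEY, [])
    return TAG_VALUE in _as_list(wanted)

def audit_policy(policy):
    """Return (expected, unexpected): Allow actions on Resource '*' with no tag
    condition, split by whether they match the documented creation exceptions."""
    expected, unexpected = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or statement_is_tag_scoped(stmt):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped by ARN, e.g. the /hlb/* secrets path
        for action in _as_list(stmt["Action"]):
            allowed = any(fnmatch.fnmatchcase(action, p) for p in UNTAGGED_EXCEPTIONS)
            (expected if allowed else unexpected).append(action)
    return sorted(expected), sorted(unexpected)

if __name__ == "__main__":
    ok, bad = audit_policy(SAMPLE_POLICY)
    print("covered by documented exceptions:", ok, "| needs review:", bad)
```

To run it against the real template, load the policy document from the CloudFormation role resource and pass it to audit_policy; any action listed under "needs review" is a grant the template should explain.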

Network Isolation

Your traffic never leaves your VPC. Here’s how you can verify this:

  1. Load Balancer Location:

    • Load balancers run entirely in your AWS account
    • Verify through AWS Console or CLI:
    aws ec2 describe-instances --filters "Name=tag:ZoneHeroType,Values=hlb"
  2. Traffic Flow:

    • Client → Your VPC → Your Applications
    • Use VPC Flow Logs to verify traffic patterns
    • Configuration auditable by connecting to HLB nodes using AWS Systems Manager Session Manager
  3. Control Plane Communication:

    • Only management traffic leaves your VPC
    • Always regional (no cross-region traffic)
    • Optional AWS PrivateLink support
    • Verify through security group rules

Infrastructure Separation

We maintain clear boundaries between our management infrastructure and your resources:

  1. Account Separation:

    • Your load balancers run in your account
    • Our control plane runs in our account
    • Verify through AWS resource tags and ownership
  2. Regional Isolation:

    • HLB instances communicate with our endpoint in the same region only
    • No cross-region data transfer
    • Verify through AWS API calls and endpoints
  3. Authentication:

    • AWS IAM-based authentication
    • Instance identity verification
    • Monitor through CloudTrail logs

Security Best Practices

For your load balancer instances, we recommend configuring security groups that are as strict as possible.

You can reuse existing security groups from your application load balancers.

TLS Certificate Management

Two options for certificate management:

  1. Self-managed:

    • Store in AWS Secrets Manager under /hlb/*
    • Required format:
      • fullchain.pem: Certificate chain
      • privkey.pem: Private key
    • Rotate using provided Lambda template or your own solution
  2. Enterprise PrivateLink:

    • Complete private network path
    • No public endpoint exposure
    • Contact us for setup details

Auditing and Verification

You can monitor our activities through standard AWS tools:

  1. CloudTrail Logs:

    • Track all API calls made by our role
    • Monitor resource creation/modification
    • Verify permission usage
  2. VPC Flow Logs:

    • Monitor network traffic patterns
    • Verify traffic isolation
    • Track control plane communication
  3. AWS Config:

    • Track resource configurations
    • Monitor security group changes
    • Verify tag compliance
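The CloudTrail checks above (track the role's API calls, verify permission usage) and the regional-isolation claim can be reduced to a small triage over exported records: which mutating calls by the HLB role succeeded, which were denied (expected when a non-HLB resource is touched), and whether any call came from outside the cluster's region. The script is an added example, not ZoneHero's tooling; the records are constructed and trimmed to the fields used, and the role name and home region are assumptions you would replace with your own.

```python
HLB_ROLE = "service-role"      # assumption: role name taken from the get-role command on this page
HOME_REGION = "eu-west-1"      # assumption: the region your HLB cluster runs in
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")

def _event(name, region, session_role=HLB_ROLE, error=None):
    """Build one minimal CloudTrail-style record (helper for the constructed sample)."""
    rec = {"eventName": name, "awsRegion": region,
           "userIdentity": {"type": "AssumedRole",
                            "arn": f"arn:aws:sts::111122223333:assumed-role/{session_role}/hlb-node"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records; not real ZoneHero activity.
SAMPLE_EVENTS = [
    _event("DescribeInstances", HOME_REGION),
    _event("TerminateInstances", HOME_REGION),                 # succeeded: an hlb-tagged node
    _event("TerminateInstances", HOME_REGION,
           error="Client.UnauthorizedOperation"),               # denied: untagged resource
    _event("DescribeAutoScalingGroups", "us-east-1"),           # unexpected region
    _event("DeleteBucket", HOME_REGION, session_role="ops-admin"),  # another role, ignored
]

def is_hlb_role(event):
    """Match only sessions of the HLB service role, whatever the session name."""
    arn = event.get("userIdentity", {}).get("arn", "")
    return f":assumed-role/{HLB_ROLE}/" in arn

def audit_events(events):
    """Summarise the HLB role's activity: successful mutating calls, denied calls,
    and any call made outside the home region. Other principals are counted as ignored."""
    report = {"mutations": [], "denied": [], "off_region": [], "ignored": 0}
    for ev in events:
        if not is_hlb_role(ev):
            report["ignored"] += 1
            continue
        name = ev["eventName"]
        if ev.get("awsRegion") != HOME_REGION:
            report["off_region"].append((ev.get("awsRegion"), name))
        if "errorCode" in ev:
            report["denied"].append((name, ev["errorCode"]))
        elif not name.startswith(READ_ONLY_PREFIXES):
            report["mutations"].append(name)
    return report

if __name__ == "__main__":
    for key, value in audit_events(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Feed it the Records array of a CloudTrail export (or the Events from the lookup-events command further down) to get the same summary for your account; a non-empty off_region list contradicts the regional-isolation claim and is worth raising.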

Enterprise Security Features

For enterprise customers requiring additional security measures:

  1. AWS PrivateLink:

    • Private network connectivity
    • No public endpoint exposure
    • Complete network isolation
  2. Custom IAM Configurations:

    • Additional permission restrictions
    • Custom tag requirements
    • Specific resource limitations

Security Boundaries

Clear understanding of security responsibilities:

We are responsible for:

  • Control plane security
  • Load balancer provisioning
  • Configuration distribution
  • Certificate distribution

You retain control of:

  • VPC networking
  • Security groups
  • Certificate management
  • DNS configuration
  • Traffic patterns

Verification Commands

Here are some useful commands to verify our security measures:

# List all HLB-managed resources
aws ec2 describe-instances --filters "Name=tag:ZoneHeroType,Values=hlb"

# Check IAM role permissions
aws iam get-role --role-name hlb/service-role

# Monitor CloudTrail events
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=hlb/service-role

Security Questions?

If you have specific security requirements or questions:

  • Technical details: Refer to our GitLab Home Page documentation
  • Enterprise features: Contact our
  • Security concerns: Email

Conclusion

Our security model is built on AWS best practices and designed for transparency. You maintain control of your infrastructure while we provide the load balancing service. All security measures are verifiable through standard AWS tools and practices.

Remember: The most secure system is one you can verify yourself. We encourage you to review our permissions, monitor our activities, and maintain security best practices in your environment.