# ZoneHero Security: A Technical Overview
At ZoneHero, we believe in transparent security. This document outlines our security architecture, focusing on aspects you can verify and validate yourself. We’ll show you exactly how we protect your infrastructure, what permissions we require, and how we maintain strict isolation between our control plane and your traffic.
## Control Plane Communication
Our control plane manages load balancer configuration while maintaining strict data minimization principles. At no point does your load balancer traffic go through our Control Plane or any part of our infrastructure. Here’s exactly what data flows between your load balancers and our control plane:
### Data Sent to the Control Plane

- AWS Account ID (from IAM authentication)
- Cluster name and Instance ID
- Basic usage statistics:
  - Request counts
  - Data volumes
  - Number of connections
  - Used for routing decisions and billing
### Data Received from the Control Plane

- Availability Zone weights
- List of upstream servers from your configured target groups
- TLS certificates for use with TLS-enabled listeners
- No customer traffic ever passes through our control plane
### Connection Security

- All communication is authenticated using AWS IAM credentials, and restricted to the same AWS region
- TLSv1.3 enforced on our endpoints
- DNSSEC enabled on our zonehero.cloud domain and all its sub-domains
## Verifiable Security Measures

### IAM Permissions and Access Control
We require minimal, explicitly defined permissions in your AWS account. You can verify our access limitations through our CloudFormation template:
```yaml
# Example from our IAM template
- Effect: Allow
  Action:
    - ec2:*
    - autoscaling:*
  Resource: '*'
  Condition:
    StringEquals:
      aws:ResourceTag/ZoneHeroType: hlb
```
The permissions we require are explicitly defined in a single, auditable CloudFormation template. Here’s exactly what we use them for:
**Infrastructure Management:**
- Create, start, and stop EC2 instances
- Manage Auto Scaling groups
- Configure launch templates
- All modifying/destructive actions restricted to resources tagged with `ZoneHeroType: hlb`
- Cannot modify or destroy your existing infrastructure

**Load Balancer Operations:**
- List instances in your specified target groups
- Access TLS certificates under `/hlb/*` in Secrets Manager
- Push metrics to CloudWatch (restricted to the ZoneHero namespace)

**DNS Management:**
- Maintain Route53 records only in zones you specify
- No access to other DNS records or zones
Key verification points:
- All permissions defined in a single, small and auditable CloudFormation template
- All infrastructure actions restricted by resource tags, except:
  - `ec2:Create*`
  - `ec2:RunInstances`
  - `autoscaling:Create*`
- Role assumption requires a specific external ID
- Scoped access to secrets and DNS zones

To verify these permissions:
- Review the CloudFormation template we provide
- Check CloudTrail logs for actions taken by our role
- Verify that modifying non-HLB resources fails
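Reviewing the template by eye works for a short policy, but the property described above (every EC2 and Auto Scaling grant carries the `ZoneHeroType: hlb` tag condition unless it is one of the listed create-type exceptions) is easy to check mechanically. The following is an added example, not ZoneHero's template or tooling: `SAMPLE_POLICY` is a constructed JSON rendering of statements shaped like the YAML excerpt above, with a deliberately broken third statement so the check has something to find; the exception list is taken from the page.

```python
"""Audit an IAM policy document for the tag scoping described above.

Added example, not ZoneHero's template or tooling. SAMPLE_POLICY is a
constructed JSON rendering of the kind of statements the page's YAML excerpt
shows; the real CloudFormation template is the authority. The check: every
Allow statement granting ec2:* or autoscaling:* actions must carry the
aws:ResourceTag/ZoneHeroType = hlb condition, unless the action is one of
the create-type exceptions the page lists (those cannot be scoped by a
resource tag because the resource does not exist yet).
"""
import fnmatch
import json

# Actions the page lists as not tag-restricted.
UNTAGGABLE_EXCEPTIONS = ("ec2:Create*", "ec2:RunInstances", "autoscaling:Create*")
REQUIRED_TAG_KEY = "aws:ResourceTag/ZoneHeroType"
REQUIRED_TAG_VALUE = "hlb"
SCOPED_SERVICES = ("ec2", "autoscaling")

# Constructed sample: statement 0 is scoped correctly, statement 1 contains only
# exempt create-type actions, statement 2 is a deliberately broken statement
# that grants a destructive action with no tag condition.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "autoscaling:*"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/ZoneHeroType": "hlb"}}},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:CreateTags", "autoscaling:CreateAutoScalingGroup"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "ec2:TerminateInstances",
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def has_hlb_tag_condition(statement):
    """True if the statement is restricted to resources tagged ZoneHeroType=hlb."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return cond.get(REQUIRED_TAG_KEY) == REQUIRED_TAG_VALUE


def is_exempt_action(action):
    """True for the create-type actions the page says cannot be tag-scoped."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in UNTAGGABLE_EXCEPTIONS)


def find_unscoped_grants(policy):
    """Return (statement_index, action) pairs for EC2/Auto Scaling grants that
    lack the hlb tag condition and are not in the exception list."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or has_hlb_tag_condition(stmt):
            continue
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0].lower()
            if service in SCOPED_SERVICES and not is_exempt_action(action):
                findings.append((idx, action))
    return findings


if __name__ == "__main__":
    for idx, action in find_unscoped_grants(SAMPLE_POLICY):
        print(f"statement {idx}: {action} is allowed without the ZoneHeroType=hlb condition")
```

To run this against the real template, convert the policy section of the CloudFormation YAML to JSON (or load it with a YAML parser) and pass the resulting document to `find_unscoped_grants`. The check deliberately treats an unconditioned `ec2:*` as a finding, since a wildcard is not one of the create-type exceptions; it does not model `NotAction` or `Deny` statements, so a template using those needs a manual read as well.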
## Network Isolation
Your traffic never leaves your VPC. Here’s how you can verify this:
**Load Balancer Location:**
- Load balancers run entirely in your AWS account
- Verify through the AWS Console or CLI:

```bash
aws ec2 describe-instances --filters "Name=tag:ZoneHeroType,Values=hlb"
```

**Traffic Flow:**
- Client → Your VPC → Your Applications
- Use VPC Flow Logs to verify traffic patterns
- Configuration auditable by connecting to HLB nodes using AWS Systems Manager Session Manager
**Control Plane Communication:**
- Only management traffic leaves your VPC
- Always regional (no cross-region traffic)
- Optional AWS PrivateLink support
- Verify through security group rules
## Infrastructure Separation

We maintain clear boundaries between our management infrastructure and your resources:

**Account Separation:**
- Your load balancers run in your account
- Our control plane runs in our account
- Verify through AWS resource tags and ownership
**Regional Isolation:**
- HLB instances communicate with our endpoint in the same region only
- No cross-region data transfer
- Verify through AWS API calls and endpoints
**Authentication:**
- AWS IAM-based authentication
- Instance identity verification
- Monitor through CloudTrail logs
## Security Best Practices

### Recommended Security Group Configuration

For your load balancer instances, we recommend configuring security groups as strictly as possible: allow only the listener ports your clients need and the control plane traffic described above.
You can reuse existing security groups from your application load balancers.
### TLS Certificate Management

Two options for certificate management:

**Self-managed:**
- Store in AWS Secrets Manager under `/hlb/*`
- Required format:
  - `fullchain.pem`: Certificate chain
  - `privkey.pem`: Private key
- Rotate using the provided Lambda template or your own solution

**Enterprise PrivateLink:**
- Complete private network path
- No public endpoint exposure
- Contact us for setup details
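Because the HLB nodes read the certificate from Secrets Manager rather than from a file you control, a malformed secret fails at distribution time rather than at deploy time. The following is an added example, not ZoneHero's code, of a pre-flight check for the self-managed option. It assumes the secret value is a JSON object keyed by the two file names the page requires (the page states the names, not how the value is serialised); the sample secrets are constructed and the PEM bodies are placeholders, not real keys or certificates.

```python
"""Check a self-managed TLS secret against the format described above.

Added example, not ZoneHero's code. Assumption: the secret value is a JSON
object whose keys are the two file names the page requires, fullchain.pem
and privkey.pem; the page states the file names, not how the secret value
is serialised. Checks are structural (PEM framing only), which is enough to
catch the usual mistakes: a private key pasted into the chain field, a
missing or misnamed file, or a secret stored outside the /hlb/ prefix that
the role is allowed to read.
"""
import json
import re

SECRET_PREFIX = "/hlb/"
REQUIRED_FILES = {"fullchain.pem", "privkey.pem"}
# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def pem_block_types(text):
    """Return the label of every PEM block in text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_secret(secret_name, secret_string):
    """Return a list of problems; an empty list means the secret passes."""
    problems = []
    if not secret_name.startswith(SECRET_PREFIX):
        problems.append(f"secret name {secret_name!r} is outside {SECRET_PREFIX}; the role cannot read it")
    try:
        files = json.loads(secret_string)
    except json.JSONDecodeError:
        files = None
    if not isinstance(files, dict):
        return problems + ["secret value is not a JSON object"]

    missing = REQUIRED_FILES - set(files)
    extra = set(files) - REQUIRED_FILES
    if missing:
        problems.append("missing file(s): " + ", ".join(sorted(missing)))
    if extra:
        problems.append("unexpected file(s): " + ", ".join(sorted(extra)))

    if "fullchain.pem" in files:
        chain_types = pem_block_types(files["fullchain.pem"])
        if any("PRIVATE KEY" in t for t in chain_types):
            problems.append("fullchain.pem contains a private key")
        elif not chain_types or any(t != "CERTIFICATE" for t in chain_types):
            problems.append("fullchain.pem must contain only CERTIFICATE blocks")

    if "privkey.pem" in files:
        key_types = pem_block_types(files["privkey.pem"])
        if len(key_types) != 1 or "PRIVATE KEY" not in key_types[0]:
            problems.append("privkey.pem must contain exactly one PRIVATE KEY block")
    return problems


def _pem(label, body="QUJD"):
    """Constructed placeholder PEM block; the body is not a real key or certificate."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: one well-formed secret and one with several mistakes.
GOOD_SECRET = json.dumps({
    "fullchain.pem": _pem("CERTIFICATE") + _pem("CERTIFICATE"),
    "privkey.pem": _pem("PRIVATE KEY"),
})
BAD_SECRET = json.dumps({
    "fullchain.pem": _pem("CERTIFICATE") + _pem("PRIVATE KEY"),  # key leaked into the chain
    "cert.pem": _pem("CERTIFICATE"),                               # misnamed; privkey.pem missing
})

if __name__ == "__main__":
    for name, value in (("/hlb/example-com", GOOD_SECRET), ("/prod/example-com", BAD_SECRET)):
        print(name, check_secret(name, value) or "ok")
```

Run `check_secret` on the value you are about to write (for example, in the rotation Lambda before it calls `PutSecretValue`) so that a bad rotation is rejected before the nodes pick it up. The check is intentionally cheap and does not parse the certificate itself; pair it with an expiry check in your rotation pipeline.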
## Auditing and Verification

You can monitor our activities through standard AWS tools:

**CloudTrail Logs:**
- Track all API calls made by our role
- Monitor resource creation/modification
- Verify permission usage
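The `lookup-events` command at the end of this page returns raw records; what you actually want to know is which calls mutated something, which were denied (the expected outcome when the role touches a resource without the `hlb` tag) and whether any call left the region. The following is an added example, not ZoneHero's tooling, of that triage over a CloudTrail export. `SAMPLE_TRAIL` is constructed to match CloudTrail's record format; the role name follows the `get-role` command on this page, while the account ID, timestamps, region and error code are placeholders.

```python
"""Review CloudTrail records for what the ZoneHero role actually did.

Added example, not ZoneHero's tooling. SAMPLE_TRAIL is constructed to look
like a CloudTrail JSON export and uses the standard record fields
(userIdentity.sessionContext.sessionIssuer.arn, eventName, awsRegion,
readOnly, errorCode). The role name follows the get-role command on this
page; the account ID, timestamps and region are placeholders. The review
separates read-only calls, mutating calls to look at, denied calls (the
expected outcome when the role touches a non-HLB resource) and any call
outside the region the cluster runs in, which the page says never happens.
"""
import json
from collections import Counter

ROLE_ARN = "arn:aws:iam::123456789012:role/hlb/service-role"  # placeholder account ID
EXPECTED_REGION = "eu-west-1"  # assumption: the region your HLB cluster runs in

SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "readOnly": true,
   "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/hlb/service-role"}}}},
  {"eventTime": "2024-05-01T10:01:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": false,
   "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/hlb/service-role"}}}},
  {"eventTime": "2024-05-01T10:02:00Z", "eventName": "TerminateInstances", "awsRegion": "eu-west-1", "readOnly": false,
   "errorCode": "Client.UnauthorizedOperation",
   "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/hlb/service-role"}}}},
  {"eventTime": "2024-05-01T10:03:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1", "readOnly": true,
   "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/hlb/service-role"}}}},
  {"eventTime": "2024-05-01T10:04:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": false,
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]}
""")


def issued_by_role(record, role_arn=ROLE_ARN):
    """True if the call was made with credentials obtained from role_arn."""
    issuer = record.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") == role_arn


def review_trail(records, expected_region=EXPECTED_REGION, role_arn=ROLE_ARN):
    """Sort the role's calls into buckets: read-only counts, mutating calls to
    review, denied calls, and calls outside the expected region."""
    summary = {"read_only": Counter(), "mutating": [], "denied": [], "cross_region": []}
    for rec in records:
        if not issued_by_role(rec, role_arn):
            continue  # other principals are out of scope for this review
        when, name, region = rec["eventTime"], rec["eventName"], rec["awsRegion"]
        if region != expected_region:
            summary["cross_region"].append((when, name, region))
        if rec.get("errorCode"):
            summary["denied"].append((when, name, rec["errorCode"]))
        elif rec.get("readOnly", False):
            summary["read_only"][name] += 1
        else:
            summary["mutating"].append((when, name))
    return summary


if __name__ == "__main__":
    result = review_trail(SAMPLE_TRAIL["Records"])
    print("read-only calls:", dict(result["read_only"]))
    print("mutating calls to review:", result["mutating"])
    print("denied calls (boundary holding):", result["denied"])
    print("cross-region calls (should be empty):", result["cross_region"])
```

Feed it the `Records` array from an S3 trail export or the events returned by `lookup-events`. A non-empty `cross_region` bucket contradicts the regional-only statement above and is worth a support ticket; a `mutating` entry is normal operation (instance launches, Auto Scaling changes) but is the list to cross-check against the `hlb` tag on the affected resources.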
**VPC Flow Logs:**
- Monitor network traffic patterns
- Verify traffic isolation
- Track control plane communication
**AWS Config:**
- Track resource configurations
- Monitor security group changes
- Verify tag compliance
## Enterprise Security Features

For enterprise customers requiring additional security measures:

**AWS PrivateLink:**
- Private network connectivity
- No public endpoint exposure
- Complete network isolation
**Custom IAM Configurations:**
- Additional permission restrictions
- Custom tag requirements
- Specific resource limitations
## Security Boundaries

Clear understanding of security responsibilities:

**We are responsible for:**
- Control plane security
- Load balancer provisioning
- Configuration distribution
- Certificate distribution
**You retain control of:**
- VPC networking
- Security groups
- Certificate management
- DNS configuration
- Traffic patterns
## Verification Commands

Here are some useful commands to verify our security measures:

```bash
# List all HLB-managed resources
aws ec2 describe-instances --filters "Name=tag:ZoneHeroType,Values=hlb"

# Check IAM role permissions
aws iam get-role --role-name hlb/service-role

# Monitor CloudTrail events
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=hlb/service-role
```
## Security Questions?
If you have specific security requirements or questions:
- Technical details: Refer to our GitLab Home Page documentation
- Enterprise features: Contact our
- Security concerns: Email
## Conclusion
Our security model is built on AWS best practices and designed for transparency. You maintain control of your infrastructure while we provide the load balancing service. All security measures are verifiable through standard AWS tools and practices.
Remember: The most secure system is one you can verify yourself. We encourage you to review our permissions, monitor our activities, and maintain security best practices in your environment.