Security hardening guide

This document provides an overview of security features and guidance for hardening the security of Charmed PostgreSQL deployments, including setting up and managing a secure environment.

Environment

The environment where Charmed PostgreSQL operates can be divided into two components:

  1. Cloud
  2. Juju

Cloud

Charmed PostgreSQL can be deployed on top of several clouds and virtualization layers:

Juju

Juju is the component responsible for orchestrating the entire lifecycle, from deployment to Day 2 operations. For more information on Juju security hardening, see the Juju security page and the How to harden your deployment guide.

Cloud credentials

When configuring cloud credentials to be used with Juju, ensure that users have the correct permissions to operate at the required level. Juju superusers responsible for bootstrapping and managing controllers require elevated permissions to manage several kinds of resources, such as virtual machines, networks, and storage. Please refer to the links below for more information on the policies required for each cloud.

Juju users

It is very important that Juju users are set up with minimal permissions depending on the scope of their operations. Please refer to the User access levels documentation for more information on the access levels and corresponding abilities.

Juju user credentials must be stored securely and rotated regularly to limit the chances of unauthorized access due to credentials leakage.

Applications

In the following sections, we provide guidance on how to harden your deployment using:

  1. Operating system
  2. Security upgrades
  3. Encryption
  4. Authentication
  5. Monitoring and auditing

Operating system

Charmed PostgreSQL and Charmed PgBouncer run on top of Ubuntu 22.04. Deploy a Landscape Client Charm to connect the underlying VM to a Landscape User Account to manage security upgrades and integrate Ubuntu Pro subscriptions.

Security upgrades

Charmed PostgreSQL and Charmed PgBouncer operators install pinned versions of their respective snaps to provide reproducible and secure environments.

New versions (revisions) of the charmed operators can be released to update the operator’s code, workloads, or both. It is important to refresh the charms regularly to make sure the workloads are as secure as possible.

For more information on upgrading Charmed PostgreSQL, see the How to upgrade PostgreSQL and How to upgrade PgBouncer guides, as well as the respective Release notes for PostgreSQL and PgBouncer.

Encryption

To use encryption in transit for all internal and external cluster connections, integrate Charmed PostgreSQL with a TLS certificate provider. Please refer to the Charming Security page for more information on how to select the right certificate provider for your use case.

Encryption in transit for backups is provided by the storage service (Charmed PostgreSQL is a client for an S3-compatible storage).

For more information on encryption, see the Cryptography explanation page and How to enable encryption guide.

Authentication

Charmed PostgreSQL supports the password-based scram-sha-256 authentication method for authentication between:

  • External connections to clients
  • Internal connections between members of the cluster
  • PgBouncer connections

For more implementation details, see the PostgreSQL documentation.
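
The following added example (not part of the Charmed PostgreSQL documentation or charm code) audits pg_hba.conf-style records for the two properties described in the Encryption and Authentication sections: scram-sha-256 as the method and TLS on network connections. The function names, the constructed sample file, and the policy itself (every network record must use scram-sha-256 and an encrypted-only record type) are assumptions of this example, not a description of the configuration the charm generates.

```python
import ipaddress

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ENCRYPTED_ONLY = {"hostssl", "hostgssenc"}  # types that never match a cleartext connection
# Constructed sample, not taken from a real deployment.
SAMPLE_HBA = """\
# TYPE    DATABASE     USER      ADDRESS                    METHOD
local     all          postgres                             peer
hostssl   all          all       10.0.0.0/24                scram-sha-256
host      all          all       0.0.0.0/0                  md5
host      replication  repl      10.0.0.5 255.255.255.255   trust
hostnossl all          all       0.0.0.0/0                  reject
"""

def _is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def parse_hba_line(line):
    """Return (type, database, user, address, method), or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()  # assumption: no quoted names with '#' or spaces
    if not fields:
        return None
    if fields[0] == "local" and len(fields) >= 4:
        return "local", fields[1], fields[2], None, fields[3]
    if fields[0] not in NETWORK_TYPES or len(fields) < 5:
        raise ValueError(f"unrecognised pg_hba record: {line!r}")
    address, method_at = fields[3], 4
    if _is_ip(address) and _is_ip(fields[4]):  # "IP-address IP-mask" form, mask is its own field
        address, method_at = f"{address} {fields[4]}", 5
    if len(fields) <= method_at:
        raise ValueError(f"record has no auth method: {line!r}")
    return fields[0], fields[1], fields[2], address, fields[method_at]

def audit_hba(text):
    """Return (line_number, message) findings for network records that break the policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        record = parse_hba_line(line)
        if record is None or record[0] == "local" or record[4] == "reject":
            continue  # local sockets and explicit deny rules are out of scope here
        conn_type, _, _, address, method = record
        if method != "scram-sha-256":
            findings.append((lineno, f"{address}: method {method} is not scram-sha-256"))
        if conn_type not in ENCRYPTED_ONLY:
            findings.append((lineno, f"{address}: type {conn_type} also matches unencrypted connections"))
    return findings
```

Calling `audit_hba(SAMPLE_HBA)` reports the `md5` and `trust` records twice each, once for the method and once for the record type, and passes the `hostssl` record.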

Monitoring and auditing

Charmed PostgreSQL provides native integration with the Canonical Observability Stack (COS). To reduce the blast radius of infrastructure disruptions, the general recommendation is to deploy COS and the observed application into separate environments, isolated from one another. Refer to the COS production deployments best practices for more information or see the How to guides for PostgreSQL monitoring, alert rules, and tracing for practical instructions.

PostgreSQL logs are stored in /var/snap/charmed-postgresql/common/var/log/postgresql within the postgresql container of each unit. It’s recommended to integrate the charm with COS, from where the logs can be easily persisted and queried using Loki/Grafana.

Additional Resources

For details on the cryptography used by Charmed PostgreSQL, see the Cryptography explanation page.
