Security Hardening Reference
Infrastructure security is an important topic that organizations scrutinize to stay compliant with the latest regulatory and legal requirements. Understanding where and how sensitive information is stored is essential to implementing robust security measures and safeguarding against unauthorized access, data breaches, or malicious attacks in your organization.

The specific details shown in the diagram may vary depending on how the system is deployed.
This document provides a reference explaining where sensitive information in API7 Enterprise is, how it is stored, and how it is protected.
Deployment Models (AWS)
Below are the deployment models for hosting API7 Enterprise in AWS.
Client-Managed Deployment
In the client-managed deployment model, both the control plane (CP) and data plane (DP) are deployed in your AWS environment.

Hybrid-Managed Deployment
In the hybrid-managed deployment model, the control plane (CP) is hosted in API7’s AWS environment, while the data plane (DP) is hosted in your AWS environment.

Data Storage
- Business data is stored in the database.
- Gateway metrics are stored in Prometheus.
- Gateway access logs and error logs are stored locally on each gateway instance by default, but they can also be forwarded to external logging services if needed.
Specifically, the database stores the following types of business data:
- Gateway configuration data: Entities that define gateway behavior, such as services, routes, consumers, SSL certificates, and other core resources.
- Management and operational data: Administrative and governance-related information, including control plane administrators, RBAC policies, SSO authentication configuration, and audit logs.
Control Plane (CP)
Database Connection Credentials
Database connection credentials are stored in the control plane's configuration files. They can also be stored in environment variables and injected into the configuration files.
Plugin Resources
Sensitive fields in plugin configurations are listed in encrypted_fields in the plugin schema. Information in these fields is encrypted with AES-256 and saved to the database.
Each gateway group has its own keyring for encrypting sensitive information, and the keyring is itself encrypted before being saved to the database.
SSL Resources
For SSL resources, metadata is saved in plaintext, while certificates are AES-encrypted before being saved to the database.
When viewing SSL resources through the API or the dashboard, you can only see the metadata.
Dashboard Connections
Dashboard connections use TLS by default. If no certificates are configured, API7 uses self-signed certificates.
Audit
Sensitive information, such as passwords, is masked in audit logs before the logs are saved to the database. Any additional alteration to audit logs is forbidden.
User Credentials
User credentials, including username and password, as well as access tokens, are salted and hashed with PBKDF2 before being saved to the database.
Encryption Algorithms
Where a field should not be reversible, it is hashed with salted PBKDF2.
Where a field should be reversible, it is encrypted with AES.
Data Plane (DP)
Between clients and API7 Gateway, as well as API7 Gateway and upstream services, you can configure TLS or mTLS to secure the communication.
Communication Between DP and CP
Communication between the DP and CP can be secured using mTLS, through which long polling, heartbeat, and Prometheus metrics traffic is transmitted. The CP stores the server and CA certificates. The DP (each gateway instance) stores the client certificate.