Browse docs
--- title: "Security Hardening" description: "Production security best practices for Aurora Enterprise deployments including network security, authentication, secrets management, rate limiting, and compliance." icon: "shield" ---
Overview
This guide covers security best practices for running Aurora Enterprise in production. Enterprise-specific features such as identity federation, audit immutability, and compliance controls provide additional hardening beyond OSS.
Network Security
- Deploy within a private VPC with no public exposure
- Use internal load balancers for inter-service communication
- Configure security groups to allow traffic only from trusted sources
- Enable TLS everywhere — use a reverse proxy (nginx, Envoy) for TLS termination
- For Kubernetes deployments, use the included PodSecurityContext and container SecurityContext (read-only root filesystem, non-root user, dropped capabilities)
Kubernetes Hardening
The Helm chart includes production security defaults:
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALLAuthentication
- Set a strong
AURORA_MASTER_KEYfor admin access (min 32 characters, alphanumeric + symbols) - Use managed API keys with scoped permissions for application access
- Integrate with OIDC providers (Okta, Entra, any OpenID Connect provider) for user authentication
- Rotate keys and secrets regularly
- Use short-lived sessions — Enterprise identity uses 15-minute access tokens with 7-day refresh tokens
Enterprise Identity
identity:
enabled: true
jwt_secret: "${IDENTITY_JWT_SECRET}"
admin_email: "admin@example.com"
admin_password: "${IDENTITY_ADMIN_PASSWORD}"The JWT secret must be at least 32 characters. Use environment variables or a secrets manager — never hardcode secrets in config files.
Secrets Management
- Never hardcode API keys in configuration files
- Use environment variables for local development:
${OPENAI_API_KEY} - For production, use a secrets manager: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
- For Kubernetes, use
existingSecretreferences instead of plaintext values in Helm values - Enable
OBSERVABILITY_EXPORTS_REDACT_HEADERS=trueto strip sensitive headers from exported telemetry
YAML Placeholder Gotcha
If ${OPENAI_API_KEY} appears in YAML but the environment variable is not set, the literal string remains. Aurora detects ${ in credential fields and removes the provider entirely. Always verify env vars are exported before starting the process, or supply defaults: ${OPENAI_API_KEY:-}.
Rate Limiting
Configure rate limits to protect against abuse:
- Per-key rate limits via managed API keys
- Global rate limits at the proxy / load balancer level
- Budget enforcement for cost control
- Circuit breaker per provider to prevent cascading failures
resilience:
circuit_breaker:
failure_threshold: 5
success_threshold: 2
timeout: 30sCompliance Controls
Enterprise adds compliance-specific security controls:
- Audit immutability — Prevent deletion or modification of audit records
- PII logging policy — Redact, hash, or block PII in log bodies
- Data residency — Declare and enforce data storage regions
- Evidence export — Periodic export of compliance evidence to secure storage
See Compliance for full configuration.
Monitoring and Alerting
- Enable Prometheus metrics for operational visibility
- Set up alerting on error rates, latency, and circuit breaker state
- Monitor cluster node heartbeats for node health
- Configure observability exports to send telemetry to your monitoring platform
Additional Hardening
- Logging — Enable audit logging for all configuration changes
- Updates — Keep Aurora updated to the latest version for security patches
- Dependency scanning — Regularly scan dependencies for vulnerabilities
- Access reviews — Use the
access_review_cadence_dayscompliance setting to schedule regular access audits
Related
- Compliance — Compliance controls and evidence export
- Sizing and Redundancy — Production deployment sizing
- Cluster and HA — Multi-node cluster security