Can access to a heroku postgresql DB be restricted to its heroku app ONLY?

Problem description

I've recently migrated an application from heroku to amazon-ec2 because of recommendations from a security consultant. Yet, he didn't know heroku deeply and the doubt remained.

Can access to a Heroku PostgreSQL DB be restricted for it to be accessed only by the application?

Would you recommend Heroku for security critical applications?

Recommended answer

This is a deceptively complex question because the idea of "restricted so that it can be accessed only by the application" is ill-defined. If your ultimate goal is simply to keep your data as secure as possible, then Heroku vs. AWS vs. physical servers under lock and key involves some cost-benefit analysis that goes beyond just how your database can be accessed.

Heroku limits database access via authentication. You share a secret (username/password) between the database and the application. Anyone who has that secret can access the database. To facilitate keeping the secret secret, all database access is or should be over SSL.

There are other ways to restrict access in addition to authentication, but many of them are incompatible with a cloud-based approach. Also, many of them require you to take much more control over the environment of your servers, and the more responsibility you have on that front, the bigger the chance that issues totally separate from who can hit the postgres port on your database will sink you.

The advantage in using AWS directly instead of through a PaaS provider like Heroku is that you can configure everything yourself. The disadvantage is that you have to configure everything yourself. I would recommend you use AWS over a managed service only if you have a team of qualified and attentive sysadmins to configure, monitor and update your environment. Read Heroku's security policy page. Are you doing at least that much to protect your servers in your own configuration on AWS? If not, then you might have bigger problems than how many layers of redundancy are in place around your database.
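
The answer's two controls (a shared username/password secret, and SSL on every connection) can be enforced in the application itself. The following is an added example, not part of the original answer: it assumes the credentials arrive as a `postgres://user:password@host:port/db` URL and that the client honours libpq's `sslmode` parameter; the function names and the sample URL are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# libpq sslmode values, ordered weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def harden_dsn(url, minimum="require"):
    """Return url with sslmode raised to at least `minimum`.

    Raises ValueError for a non-PostgreSQL URL, a URL without a password,
    or an unrecognised sslmode value.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("not a PostgreSQL URL")
    if not parts.password:
        raise ValueError("URL carries no password, so nothing authenticates the client")
    query = dict(parse_qsl(parts.query))
    current = query.get("sslmode", "prefer")  # libpq's default when unset
    if current not in SSLMODES:
        raise ValueError("unknown sslmode: " + current)
    # Never downgrade: keep a stronger mode, raise a weaker one.
    strongest = max(current, minimum, key=SSLMODES.index)
    query["sslmode"] = strongest
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_dsn(url):
    """Return url with the password masked, so the secret stays out of logs."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    netloc = "%s:***@%s" % (parts.username or "", host)
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    sample = "postgres://app_user:s3cret@db.example.com:5432/appdb?sslmode=disable"
    print(redact_dsn(harden_dsn(sample)))
```

Passing `minimum="verify-full"` additionally makes the client check the server certificate and host name, which requires the provider's CA certificate to be available to the client.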
