This document outlines the security requirements and best practices for implementing cloud integrations with the Brev Compute SDK. If a cloud provider has a different security model, please indicate this in the provider's SECURITY.md file.
Brev depends on SSH server functionality and SSH key-based authentication for instance access.
- SSH Server: All instances must have an SSH server running and accessible
- SSH Key Authentication: Instances must support SSH key-based authentication
- Key Injection: The SDK must support passing SSH public keys during instance creation
- Secure Access: SSH access provides the primary method for secure instance management and user access
Implementation Requirements:
- SSH server (OpenSSH or equivalent) must be installed and running on all instances
- systemd must be running and accessible via systemctl command
- SSH key pairs must be supported for authentication
- Public keys must be injectable during instance provisioning
- SSH access must be available through the configured firewall rules
All instances must implement a "deny all inbound, allow all outbound" security model by default.
Instance Security Model (instance boundary):
- Inbound Traffic: DENIED BY DEFAULT
  - All ports blocked
  - All protocols blocked
  - All source IPs blocked
- Outbound Traffic: ALLOWED BY DEFAULT
  - All ports allowed
  - All protocols allowed
  - All destination IPs allowed
Implementation Requirements:
- Default State: All inbound traffic must be blocked by default
- Explicit Allow: Inbound access must be explicitly granted through `FirewallRule` resources
- Outbound Freedom: Outbound traffic should be unrestricted by default
- Security Groups: Use cloud provider security groups or equivalent (AWS Security Groups, GCP Firewall Rules, Azure NSGs) for network isolation
- Default Deny: Configure security groups with default deny rules for all inbound traffic
Instances within the same cluster can communicate with each other while maintaining external inbound restrictions.
Cluster Security Model (cluster boundary):
- Instance A <-> Instance B: Internal Communication
- External Inbound: STILL DENIED
  - All external ports blocked
  - All external protocols blocked
  - All external source IPs blocked
Cluster Communication Requirements:
- Internal Allow: Instances within the same cluster can communicate on all ports and protocols
- External Deny: External inbound traffic remains blocked by default
- Cluster Isolation: Different clusters are isolated from each other unless explicitly configured
- Shared Security Groups: Instances in the same cluster share security group rules for internal communication
- Cross-Cluster Access: Inter-cluster communication requires explicit firewall rules
- Data at Rest: All persistent storage must be encrypted
- Data in Transit: All network communications must be encrypted (TLS 1.2+)
- Encryption Algorithms: Use industry-standard encryption algorithms (AES-256, etc.)
- Implement default "deny all inbound" firewall rules
- Support explicit firewall rule creation/mutation through SDK
- Enable encryption for all persistent storage
- Document security configurations
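
The instance and cluster network models above can be expressed as one inbound decision function. This is an added example, not code from the Brev Compute SDK: the `FirewallRule`, `Instance` and `Packet` types and their fields are hypothetical stand-ins, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
)

// FirewallRule is a hypothetical explicit inbound allow rule, not the SDK's own type.
type FirewallRule struct {
	Protocol         string
	FromPort, ToPort uint16
	SourceCIDR       string
}

// Instance is a hypothetical record: cluster membership plus explicit inbound rules.
type Instance struct {
	ClusterID string
	Inbound   []FirewallRule
}

// Packet is one inbound connection attempt; SrcCluster is "" for external sources.
type Packet struct {
	Src, SrcCluster, Protocol string
	DstPort                   uint16
}

// AllowInbound allows same-cluster traffic, then explicit rules, and denies the rest.
func AllowInbound(dst Instance, p Packet) (bool, string) {
	if p.SrcCluster != "" && p.SrcCluster == dst.ClusterID {
		return true, "same cluster"
	}
	src, err := netip.ParseAddr(p.Src)
	if err != nil {
		return false, "default deny" // malformed source fails closed
	}
	for _, r := range dst.Inbound {
		cidr, err := netip.ParsePrefix(r.SourceCIDR)
		inPorts := r.FromPort <= p.DstPort && p.DstPort <= r.ToPort
		if err == nil && r.Protocol == p.Protocol && inPorts && cidr.Contains(src) {
			return true, "explicit rule"
		}
	}
	return false, "default deny"
}

func main() {
	// Constructed sample: SSH allowed from one documentation range only.
	inst := Instance{"cluster-a", []FirewallRule{{"tcp", 22, 22, "203.0.113.0/24"}}}
	fmt.Println(AllowInbound(inst, Packet{"198.51.100.9", "", "tcp", 22}))
}
```

Traffic from a different cluster carries a non-matching `SrcCluster`, so it is treated like any external source and needs an explicit rule.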
For security issues, vulnerabilities, or questions:
- Security Email: [email protected]
- Responsible Disclosure: Please report vulnerabilities through our security email
Note: This document is a living document and will be updated as security requirements evolve. All cloud integrations must comply with these requirements to ensure the security and integrity of the Brev Compute SDK ecosystem.