Deployment Security Best Practices

Fides offers several configuration options to flexibly manage a variety of deployments. This guide supplements the configuration options reference and summarises the practices that keep a Fides deployment appropriately secured.

Configuration recommendations

Fides Web Server

| Criteria | Recommendation | Example |
|---|---|---|
| Encryption-in-transit | Enabled, secured with TLSv1.2 or TLSv1.3 | Deploy a load balancer for Fides listening on port 443. |
| Redirect HTTP requests to HTTPS | Enabled | Deploy a load balancer for Fides listening on port 443. |
| App Encryption Key | Randomly generated string, at least 32 characters | Configured in a Fides configuration file. |
| CORS Origins | Allowed CORS origins do not include a wildcard, `*` | Configured in a Fides configuration file. |
| OAuth Root Client Secret | Randomly generated string, at least 20 characters | Configured in a Fides configuration file. |
| Log Level | INFO or higher; more verbose levels such as DEBUG or TRACE may reveal secrets in the console logs | Configured in a Fides configuration file. |
| User Management | Only grant needed scopes per the principle of least privilege; revoke access when it is no longer needed | Configured via API or UI. |
| DSR Storage Destination | Uses a remote storage location (e.g. S3) | Configured via API or UI. |
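The configuration-file rows above can be checked mechanically before a deploy. The following audit script is an added example, not part of the Fides project: it takes a parsed configuration dictionary (the shape `tomllib.load()` returns for a TOML file) and reports every setting that falls short of the recommendations in the table. The key names `security.app_encryption_key`, `security.oauth_root_client_secret`, `security.cors_origins` and `logging.level` are assumptions modelled on the Fides configuration reference and should be checked against your installed version; the sample configuration is constructed for the example.

```python
"""Audit a parsed Fides configuration against the web-server table.

Added example, not Fides project code. Section and key names are assumptions
modelled on the Fides configuration reference; verify them for your version.
"""
import re
import secrets

# Constructed sample of a misconfigured fides.toml, already parsed into a dict.
# In practice: with open("fides.toml", "rb") as f: config = tomllib.load(f)
SAMPLE_CONFIG = {
    "security": {
        "app_encryption_key": "tooshort",
        "oauth_root_client_secret": "change-me",
        "cors_origins": ["https://privacy.example.com", "*"],
    },
    "logging": {"level": "DEBUG"},
}

MIN_KEY_LEN = 32       # "at least 32 characters" per the table
MIN_SECRET_LEN = 20    # "at least 20 characters" per the table
LEVEL_ORDER = ["TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"]
# Heuristic only: catches obvious template values left in place.
PLACEHOLDER_RE = re.compile(r"change|replace|example|placeholder", re.IGNORECASE)


def generate_secret(length):
    """Return a random hex string of exactly `length` characters (CSPRNG-backed)."""
    return secrets.token_hex((length + 1) // 2)[:length]


def audit_config(config):
    """Return a list of (setting, problem) tuples; an empty list means compliant."""
    findings = []
    sec = config.get("security", {})

    key = str(sec.get("app_encryption_key", ""))
    if len(key) < MIN_KEY_LEN:
        findings.append(("security.app_encryption_key",
                         f"must be at least {MIN_KEY_LEN} characters (got {len(key)})"))
    if key and PLACEHOLDER_RE.search(key):
        findings.append(("security.app_encryption_key",
                         "looks like a template value rather than a random string"))

    secret = str(sec.get("oauth_root_client_secret", ""))
    if len(secret) < MIN_SECRET_LEN:
        findings.append(("security.oauth_root_client_secret",
                         f"must be at least {MIN_SECRET_LEN} characters (got {len(secret)})"))
    if secret and PLACEHOLDER_RE.search(secret):
        findings.append(("security.oauth_root_client_secret",
                         "looks like a template value rather than a random string"))

    # A wildcard anywhere in an origin (not only a bare "*") defeats the allow-list.
    for origin in sec.get("cors_origins", []):
        if "*" in origin:
            findings.append(("security.cors_origins",
                             f"wildcard origin {origin!r} is not allowed"))
        elif not origin.startswith("https://"):
            findings.append(("security.cors_origins",
                             f"{origin!r} is not an https:// origin"))

    level = str(config.get("logging", {}).get("level", "INFO")).upper()
    if level not in LEVEL_ORDER or LEVEL_ORDER.index(level) < LEVEL_ORDER.index("INFO"):
        findings.append(("logging.level",
                         f"{level} may reveal secrets in console logs; use INFO or higher"))
    return findings


def compliant_config():
    """Constructed configuration that passes every check, for comparison."""
    return {
        "security": {
            "app_encryption_key": generate_secret(MIN_KEY_LEN),
            "oauth_root_client_secret": generate_secret(MIN_SECRET_LEN),
            "cors_origins": ["https://privacy.example.com"],
        },
        "logging": {"level": "INFO"},
    }


if __name__ == "__main__":
    for setting, problem in audit_config(SAMPLE_CONFIG):
        print(f"{setting}: {problem}")
```

Run it as part of a deployment pipeline and fail the deploy on any finding; the placeholder regex is only a heuristic, so the length and wildcard checks are the ones to rely on.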

Privacy Center

| Criteria | Recommendation | Example |
|---|---|---|
| Encryption-in-transit | Enabled, secured with TLSv1.2 or TLSv1.3 | Deploy a load balancer for the Privacy Center listening on port 443. |
| Redirect HTTP requests to HTTPS | Enabled | Deploy a load balancer for the Privacy Center listening on port 443. |

PostgreSQL Database

| Criteria | Recommendation | Example |
|---|---|---|
| Encryption-in-transit | Enabled, secured with TLSv1.2 or TLSv1.3 | Use a managed database platform, such as AWS RDS, to manage PostgreSQL. Configured to prevent public access. |
| Encryption-at-rest | Enabled | Use a managed database platform, such as AWS RDS, to manage PostgreSQL. Configured to prevent public access. |
| Network Accessibility | Not accessible from the public Internet | Use a managed database platform, such as AWS RDS, to manage PostgreSQL. Configured to prevent public access. |
| Role | Secured with the principle of least privilege (e.g. not a SUPERUSER) | Use a managed database platform, such as AWS RDS, to manage PostgreSQL. Configured to prevent public access. |

Redis Database

| Criteria | Recommendation | Example |
|---|---|---|
| Encryption-in-transit | Enabled, secured with TLSv1.2 or TLSv1.3 | Use a managed Redis platform, such as AWS ElastiCache, to manage Redis. Configured to prevent public access. |
| Encryption-at-rest | Enabled | Use a managed Redis platform, such as AWS ElastiCache, to manage Redis. Configured to prevent public access. |
| Network Accessibility | Not accessible from the public Internet | Use a managed Redis platform, such as AWS ElastiCache, to manage Redis. Configured to prevent public access. |

Remote Storage

| Criteria | Recommendation | Example |
|---|---|---|
| Encryption-at-rest | Server-Side Encryption enabled | Deploy an S3 bucket with encryption-at-rest enabled and a lifecycle rule. |
| Lifecycle Management | Automatically delete files older than 30 days | Deploy an S3 bucket with encryption-at-rest enabled and a lifecycle rule. |
| User Management | Access restricted to only the Fides service account | Deploy an S3 bucket with encryption-at-rest enabled and a lifecycle rule. |
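The three Remote Storage rows map onto three S3 bucket settings. The script below is an added example, not Fides project code: it builds the server-side encryption rule, the 30-day expiration lifecycle rule and a bucket policy that denies every principal other than the Fides service role, then applies them through the standard boto3 S3 client calls. It goes slightly beyond the table by also blocking public access and denying plain-HTTP requests, which matches the transport and network recommendations elsewhere on this page. The bucket name, the service-role ARN and the admin-role ARN are constructed placeholders; the admin role is on the allow-list so that applying the deny policy does not lock operators out of the bucket.

```python
"""Build and apply the S3 settings from the Remote Storage table.

Added example, not Fides project code. Bucket name and role ARNs are
constructed placeholders; replace them with your own values.
"""
import json

BUCKET = "example-fides-dsr-storage"                              # placeholder
FIDES_ROLE_ARN = "arn:aws:iam::123456789012:role/fides-service"   # placeholder
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/platform-admin"  # placeholder
RETENTION_DAYS = 30  # "Automatically delete files older than 30 days"


def encryption_config(kms_key_id=None):
    """Default server-side encryption for every object written to the bucket."""
    default = {"SSEAlgorithm": "AES256"}
    if kms_key_id:  # optional: customer-managed KMS key instead of SSE-S3
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}


def lifecycle_config(days=RETENTION_DAYS):
    """Expire DSR packages after `days` and discard abandoned multipart uploads."""
    return {"Rules": [{
        "ID": f"expire-after-{days}-days",
        "Filter": {"Prefix": ""},          # whole bucket
        "Status": "Enabled",
        "Expiration": {"Days": days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
    }]}


def bucket_policy(bucket, allowed_role_arns):
    """Deny all principals except the listed roles, and deny non-TLS access.

    With a negated condition and several values, the statement matches only
    when the caller's aws:PrincipalArn equals none of them, so every listed
    role stays allowed and everyone else is explicitly denied.
    """
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OnlyFidesServiceRole", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": list(allowed_role_arns)}}},
        {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def harden_bucket(s3, bucket=BUCKET, allowed_role_arns=(FIDES_ROLE_ARN, ADMIN_ROLE_ARN)):
    """Apply all settings via an S3 client object (boto3.client("s3") in practice)."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=encryption_config())
    s3.put_bucket_lifecycle_configuration(Bucket=bucket,
                                          LifecycleConfiguration=lifecycle_config())
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(bucket_policy(bucket, allowed_role_arns)))
    return bucket


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS
    harden_bucket(boto3.client("s3"))
```

The Fides storage destination then needs only the service role's credentials; anything else that reads the bucket (backups, log shipping) must be added to the allow-list explicitly, which keeps the access list reviewable.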