Data Isolation & Encryption
Overview
OpsWorker is designed as a multi-tenant platform with strong data isolation between organizations and encryption for all data at rest and in transit.
Tenant Isolation
Organization-Level Separation
Each organization's data is isolated at the database level:
- Investigation data, signals, and configurations are partitioned by organization
- No cross-organization data access is possible through the application
- Each organization has its own cluster tokens, integrations, and user accounts
Workspace Separation
Within an organization, workspaces provide additional separation:
- Users only see data from workspaces they're assigned to
- Admin users can see all workspaces within their organization
Encryption
At Rest
| Data Store | Encryption |
|---|---|
| Investigation data (DynamoDB) | AWS-managed encryption (AES-256) |
| Investigation artifacts (S3) | AWS-managed encryption (AES-256) |
| Configuration data | AWS-managed encryption |
In Transit
| Communication Path | Encryption |
|---|---|
| Alert webhooks → API Gateway | TLS 1.2+ |
| Agent ↔ SQS | TLS 1.2+ |
| Portal ↔ API | TLS 1.2+ |
| Internal service communication | TLS within AWS |
Credential Handling
- No cluster credentials stored: OpsWorker doesn't have SSH keys, kubeconfig, or cloud provider credentials for your clusters
- Cluster tokens: Used only for agent authentication; not Kubernetes credentials
- Integration tokens: Stored encrypted (Slack OAuth, GitHub tokens, Datadog API keys)
Next Steps
- Security & Compliance — Broader security architecture
- Agent Scope — What data leaves your cluster