Shield Private Spaces
Last updated 01 October 2019
Shield Private Spaces include additional features for building high-compliance applications. Shield Private Spaces come at an additional cost, and it is recommended that you consult your Solution Engineer or Account Executive to decide if a Shield Private Space is appropriate for your application requirements.
- Only dynos of the `shield` type can run in a Shield Private Space. Shield dynos have an encrypted ephemeral file system and are available in small, medium, and large sizes.
- Shield Private Spaces allow the use of `shield` Heroku Postgres plans. These databases allow storage of certain regulated data classes that cannot be stored in `private` Heroku Postgres plans.
- Shield Private Spaces allow the use of the `shield` Heroku Connect plan.
- Shield Private Spaces allow the use of `shield` Apache Kafka on Heroku plans. These services allow streaming of certain regulated data classes that cannot be stored in `private` Apache Kafka on Heroku plans.
- In a Shield Private Space, all input typed into an interactive `heroku run` session is logged to the app or space log stream. This allows you to meet specific compliance requirements for production access auditing.
- Shield Private Spaces allow you to manage logging at the space level, configuring a single log drain for all applications in the space.
- Shield Private Spaces enforce stricter requirements for TLS termination. TLS 1.0 cannot be used to connect to applications in a Shield Private Space.
- Interactive dyno console sessions (`heroku run bash`) are encrypted with SSH, and registering an SSH key with your Heroku account is required to run interactive dyno sessions.
- `heroku pg:psql` and any other external connection to Shield Heroku Postgres databases (such as outside Postgres followers) is disabled, and so is downloading Postgres backups. This is to meet compliance requirements.
Creating Shield Private Space
To create a Shield Private Space using the Heroku CLI, specify the `--shield` flag:

```
$ heroku spaces:create my-shield-space-name --shield --team my-team-name
Creating space my-space-name in team my-team-name... done
=== my-space-name
Team:   my-team-name
Region: virginia
State:  allocating
```
To enable Private Space Logging, specify a log drain URL when creating the space:
Private Space Logging cannot be enabled after a Private Space has been created.
```
$ heroku spaces:create my-shield-space-name --shield --team my-team-name --log-drain-url https://mylogdrain.com
Creating space my-space-name in team my-team-name... done
=== my-space-name
Team:   my-team-name
Region: virginia
State:  allocating
```
To create a one-off dyno, you must first add an SSH key to your user account (this only has to be done once):
```
$ heroku keys:add
Generating public/private rsa key pair.
...
$ heroku run bash
...
~ $
```
Shield Private Spaces provide keystroke logging, which logs all user keystrokes typed into interactive `heroku run` sessions. This can be important for production access auditing when meeting certain regulatory requirements.
For example, a user might run the following command:
```
$ heroku run bash -a shield-space-app
Running bash on ⬢ shield-space-app... provisioning, run.5042 (Shield-M)
 !    Warning: Dynos can take up to a few minutes to be provisioned in Private Spaces.
$ echo hello
hello
```
Looking at the app or space logs, you will see corresponding output:
```
$ heroku logs -a shield-space-app
...
2018-08-21T20:32:04.318608+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: Creating session on run.4195 by email@example.com
2018-08-21T20:33:41.377121+00:00 heroku[run.4195]: State changed from provisioning to starting
2018-08-21T20:34:24.107283+00:00 heroku[run.4195]: State changed from starting to up
2018-08-21T20:34:33.792538+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="echo hello"
```
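The session and `user-input` log lines above are what a log drain consumer sees, so an audit job can reconstruct who opened which session and what they typed. The following is an added example, not Heroku's code: a small parser over constructed log lines in the format shown (the session id and dyno name are taken from the page; the second command and the watch-list are assumptions) that groups keystrokes by session and flags commands an auditor would want to review.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the app/space log format shown above.
SAMPLE_LOG = """\
2018-08-21T20:32:04.318608+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: Creating session on run.4195 by email@example.com
2018-08-21T20:33:41.377121+00:00 heroku[run.4195]: State changed from provisioning to starting
2018-08-21T20:34:24.107283+00:00 heroku[run.4195]: State changed from starting to up
2018-08-21T20:34:33.792538+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="echo hello"
2018-08-21T20:35:02.000000+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="printenv DATABASE_URL"
"""

# <timestamp> <source>[<dyno>]: <message>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<source>\w+)\[(?P<dyno>[^\]]+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^Creating session on (?P<dyno>\S+) by (?P<user>\S+)$')
INPUT_RE = re.compile(r'^user-input="(?P<cmd>.*)"$')
# Assumed watch-list: commands that read config vars on the dyno.
WATCHLIST = re.compile(r'\b(printenv|env)\b')

@dataclass
class Session:
    session_id: str
    user: str
    run_dyno: str
    commands: list = field(default_factory=list)  # (timestamp, command)

def parse_sessions(log_text):
    """Group keystroke log lines by the session-<uuid> source that emitted them."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m['dyno'].startswith('session-'):
            continue  # dyno state changes etc. are not session events
        sid = m['dyno']
        s = SESSION_RE.match(m['msg'])
        if s:
            sessions[sid] = Session(sid, s['user'], s['dyno'])
            continue
        i = INPUT_RE.match(m['msg'])
        if i and sid in sessions:
            sessions[sid].commands.append((m['ts'], i['cmd']))
    return sessions

def flagged_commands(sessions):
    """Return (user, command) pairs whose command matches the watch-list."""
    return [(s.user, cmd) for s in sessions.values()
            for _, cmd in s.commands if WATCHLIST.search(cmd)]

if __name__ == '__main__':
    for s in parse_sessions(SAMPLE_LOG).values():
        print(s.user, s.run_dyno, [c for _, c in s.commands])
    print(flagged_commands(parse_sessions(SAMPLE_LOG)))
```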
Private Space Logging
Private Space Logging is a feature only available to Shield Private Spaces that lets you configure log capture at the space level instead of the app level. See the Private Space Logging article for details.