Upstash has a set of features to help you secure your data. We will list them
and at the end of the section we will list the best practices to improve
security of database.
TLS is an optional feature which you can enable while creating your database.
Once TLS is enabled, the data transfer between the client and database is
encrypted. We strongly recommend enabling TLS for production databases.
With Redis ACL, you can improve security by restricting a user’s access to
commands and keys, so that untrusted clients have no access and trusted clients
have just the minimum required access level to the database. Moreover it
improves operational safety, so that clients or users accessing Redis are not
allowed to damage the data or the configuration due to errors or mistakes. Check
Redis ACL documentation. If you
are using the REST API, you can still benefit from ACLs as explained
here
When you create a database, a secure password is generated. Upstash keeps the
password encrypted. Use environment variables or your provider’s secret
management system (e.g. AWS Secrets Manager, Vercel Secrets) to keep them. Do
not use them hardcoded in your code. If your password is leaked, reset the
password using Upstash console.
Client side encryption can be used to encrypt data through application
lifecycle. Client-side encryption is used to help protect data in use. This
comes with some limitations. Operations that must operate on the data, such as
increments, comparisons, and searches will not function properly. You can write
client-side encryption logic directly in your own application or use functions
built into clients such as the Java Lettuce cipher codec. We have plans to
support encryption in our SDKs.
We can restrict the access to your database to a set of IP addresses which will
have access to your database. This is quite a strong way to secure your
database, but it has some limitations. For example you can not know the IP
addresses in serverless platforms such AWS Lambda and Vercel functions.
mTLS ensures two-way authentication where both client and server authenticate
each other at the same time in the authentication protocol. No client can assess
the database without the certificate. The user downloads uses the certificate
for their client.
VPC Peering enables you to connect to Upstash from your own VPC using private
IP. Database will not be accessible from the public network. Database and your
application can run in the same subnet which also minimizes data transfer costs.
VPC Peering is only available for Pro/Enterprise databases.
AWS Private link provides private connectivity between Upstash Database and your
Redis client inside AWS infrastructure. Private link is only available for
Pro/Enterprise databases.