Security, privacy, risk, and compliance for AlloyDB for PostgreSQL

This document provides an overview of various controls that support the security of AlloyDB for PostgreSQL on Google Cloud and links to further information on how to configure the controls. Security controls such as network security options, policies, and access management can also help you address your business risks and meet the privacy and regulatory requirements that apply to your business.

The security, privacy, risk, and compliance for AlloyDB for PostgreSQL use a shared responsibility model. For example, Google secures the infrastructure that AlloyDB for PostgreSQL and other Google Cloud services run on, and provides you with the capabilities that help you manage access to your services and resources. For more information about how we secure the infrastructure, see the Google infrastructure security design overview.

AlloyDB architecture

The following diagram shows the components of the AlloyDB architecture.

AlloyDB architecture.

The components include the following:

  • AlloyDB instances deploy across multiple zones to enable high availability and resiliency.
  • An application in Google Cloud or in another environment that connects to the primary instance of AlloyDB. The diagram shows the application running in the same Google Cloud project as AlloyDB, though you can also run the application in another project in your Google Cloud organization.
  • In a hybrid environment, Cloud VPN or Cloud Interconnect can provide access to resources on your corporate network.
  • A service perimeter that is created using VPC Service Controls. VPC Service Controls lets you control the movement of data between Google services or resources and set up context-based perimeter security.

For information about the AlloyDB endpoint, see AlloyDB API. By default, this endpoint is not a publicly routable endpoint and can't receive inbound traffic from public networks. To enable AlloyDB instances to receive inbound traffic over public networks, see Connect using public IP.

For information about AlloyDB connectors, see Application connectivity.

Provisioned services

When you get started with AlloyDB, you enable the following APIs:

For more information, see Quickstart: Create and connect to a database.

Authentication for Google Cloud management

Administrators and developers who create and manage AlloyDB instances must authenticate to Google Cloud to verify their identity and access privileges. You must set up each user with a user account that is managed by Cloud Identity, Google Workspace, or an identity provider that you've federated with Cloud Identity or Google Workspace. For more information, see Overview of identity and access management.

After you create the user accounts, implement security best practices such as single sign-on and 2-step verification. For more authentication best practices, see Manage identity and access.

Identity and Access Management

To manage Identity and Access Management (IAM) roles at scale for your administrators and developers, consider creating separate functional groups for your various database user roles and applications. Grant the IAM roles or permissions that are required to manage AlloyDB to your groups. When you assign roles to your groups, follow the principle of least privilege and other IAM security best practices. For more information, see Best practices for using Google Groups.

For more information about setting up IAM, see IAM overview.

When clients use IAM database authentication to access AlloyDB, you can also use IAM to control their access to AlloyDB. For more information about the IAM roles that are required for AlloyDB, see IAM roles and permissions for AlloyDB.

If you use the Auth Proxy or the Language Connectors (as described in Application connectivity), you can use IAM to control which application workloads can connect to AlloyDB. For more information about using IAM with the Auth Proxy, see Choose the IAM principal and prepare it for authorization. To use automatic IAM authentication with the AlloyDB Language Connectors, see Manage IAM authentication.

Default service accounts and service agents

A service account is a special type of non-interactive Google Account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Because AlloyDB is a fully-managed service, Google manages your AlloyDB service account on your behalf. When you enable AlloyDB, an AlloyDB service account is created for your project (service-PROJECT_NUMBER-gcp-sa-alloydb-iam.gserviceaccount.com). AlloyDB resources such as the PostgreSQL server use this service account to run.

Service agents are the IAM roles and permissions that some Google Cloud services use so that they can access your resources and act on your behalf. The managed AlloyDB service account uses the IAM privileges of the AlloyDB service agent.

Policies for AlloyDB

The predefined organization policies that apply to AlloyDB define whether AlloyDB can use customer-managed encryption keys (CMEK) to encrypt your data. Configure AlloyDB to use CMEK if your regulatory obligations require you to have greater control over the keys used to encrypt AlloyDB data at rest. The policies include the following:

  • Restrict which services can create resources without CMEK (constraints/gcp.restrictNonCmekServices)
  • Restrict which projects can supply Cloud KMS CryptoKeys for CMEK (constraints/gcp.restrictCmekCryptoKeyProjects)

For more information, see Use predefined organization policies.

You can use custom organization policies to configure restrictions on AlloyDB at a project, folder, or organization level. If you enable public IP addresses, we recommend that you configure a custom policy constraint to enforce who can use the public IP address. To refine your policies, you can add AlloyDB instance fields (for example, enable public IP address or enable outbound public IP address) to the policy. For more information, see Use custom organization policies.

Network security

By default, Google applies default protections to data in transit for all Google Cloud services, including AlloyDB instances that are running on Google Cloud. For more information about default network protections, see Encryption in transit.

AlloyDB supports TLS 1.3 encryption for communication between the database instance and clients. AlloyDB automatically generates the server certificate for this connection. To use client certificates for mutual authentication, you must configure an AlloyDB Language Connector (which uses mTLS authentication) or the AlloyDB Auth Proxy.

If required by your organization, you can configure additional security controls to further protect traffic on the Google Cloud network and traffic between the Google Cloud network and your corporate network. Consider the following:

  • AlloyDB supports VPC Service Controls. VPC Service Controls let you control the movement of data in Google services and set up context-based perimeter security. For more information on setting up VPC Service Controls, see Configure VPC Service Controls.

    • If you enable public IP addresses, use AlloyDB Language Connectors and a custom organization policy to control who has access to AlloyDB instances.
  • In Google Cloud, consider Shared VPC as your network topology. Shared VPC provides centralized network configuration management while maintaining separation of environments.

  • Use Cloud VPN or Cloud Interconnect to maximize security and reliability for the connection between your corporate network and Google Cloud. For more information, see Choosing a Network Connectivity product.

For more information about network security best practices, see Implement zero trust and Decide the network design for your Google Cloud landing zone.

Application connectivity

You can secure the connection between applications and AlloyDB using the following methods:

The following diagram shows the connectivity options.

AlloyDB connectivity options.

For more information about options for setting up connections to services without an external IP address, see Private access options for services.

Database authentication

AlloyDB provides the following authentication methods for database clients:

  • Built-in database authentication using a username and password. Authorization is determined using GRANT or REVOKE statements. For more information, see Manage AlloyDB user roles.
  • IAM authentication using IAM principals such as users and service accounts. The AlloyDB Language Connectors can automate the process for IAM authentication. For more information, see the AlloyDB Language Connectors overview. IAM authentication has the following benefits:
    • Unified access control: IAM centralizes access control across all Google Cloud resources, including databases. Unified access control means consistent policies and easier user and role management.
    • Reduced credential management: Users don't need separate database passwords. IAM authentication uses their existing Google Account credentials.
    • Short-lived tokens: IAM authentication uses short-lived access tokens, reducing the risk of leaked passwords or compromised credentials.

Connectors

You can use the AlloyDB Auth Proxy or an AlloyDB Language Connector to configure an encrypted connection to the database client. The AlloyDB Auth Proxy is a client-side proxy that transparently upgrades non-TLS connections to TLS 1.3 connections. The Language Connectors are client libraries that connect to a proxy server on the AlloyDB cluster. Both connectors use IAM to authorize the connection and protect the connection using mTLS. Optionally, you can configure passwordless authentication instead of IAM authentication.

If you use the Auth Proxy, review the Best practices for using the AlloyDB Auth Proxy.

Data protection and privacy

This section describes how AlloyDB protects your data and privacy of that data.

AlloyDB encrypts your data that is stored in your cluster (for example, the instance name, instance configuration, table contents, row names, and custom functions) using default encryption. This data can only be accessed by AlloyDB instances.

You can enable customer-managed encryption keys (CMEK) to encrypt your cluster data at rest. With CMEK, keys are stored in Cloud KMS as software-protected keys or hardware-protected keys (with Cloud HSM), but they are managed by you. To provision encryption keys automatically, you can enable Cloud KMS Autokey. When you enable Autokey, a developer can request a key from Cloud KMS, and the service agent provisions a key that matches the developer's intent. With Cloud KMS Autokey, keys are available on demand, are consistent, and follow industry-standard practices.

In addition, AlloyDB supports Cloud External Key Manager (Cloud EKM), which lets you store your keys in an external key manager outside of Google Cloud. If you are using Cloud EKM, Key Access Justifications adds a field to your Cloud EKM requests that lets you view the reason for each request. With select external key management partners, you can automatically approve or deny these requests, based on the justification.

Where data is processed

AlloyDB supports data residency for that data that is stored in your cluster. Data residency lets you choose the regions that you want your data to be stored in using the Resource Location Restriction policy constraint. You can use Cloud Asset Inventory to verify the location of AlloyDB resources.

If you require data residency for data in use, you can configure Assured Workloads. For more information, see Assured Workloads and data residency.

Data privacy

To help protect the privacy of your data, AlloyDB conforms to the Common Privacy Principles.

AlloyDB acts as a data processor for Customer Data. Google also acts as a data controller for information such as billing and account management and abuse detections. For more information, see Google Cloud Privacy Notice.

Audit logging

AlloyDB writes the following types of audit logs:

  • Admin Activity audit logs: Includes ADMIN WRITE operations that write metadata or configuration information.
  • Data Access audit logs: Includes ADMIN READ operations that read metadata or configuration information. Also includes DATA READ and DATA WRITE operations that read or write user-provided data.
  • System Event audit logs: Identifies automated Google Cloud actions that modify the configuration of resources.

For more information, see AlloyDB audit logging.

In addition, to meet regulatory requirements, you can use the pgAudit extension to enable an audit trail of database commands. pgAudit extension logs include details on what commands were performed, when the commands were performed, and who performed the commands.

Access transparency

You can use Access Approval and Access Transparency to control access to AlloyDB instances by Google personnel who support the service. Access Approval lets you approve or dismiss requests for access by Google employees. Access Transparency logs offer near real-time insight when Google Cloud administrators access the resources.

Monitoring and incident response

You can use a variety of tools to help you monitor the performance and security of AlloyDB. Consider the following:

  • Use Logs Explorer to view and analyze event logs and create custom metrics and alerts.
  • Use the AlloyDB system insights dashboard or Cloud Monitoring dashboard to monitor the performance of AlloyDB instances. For more information, see Monitor instances.
  • Enable the pgAudit extension to audit AlloyDB operations (such as commands and queries performed on an AlloyDB instance). These logs include PostgreSQL database logs and container logs for dataplane agents.
  • Configure Security Command Center to detect SQL vulnerabilities and threats to AlloyDB (such as privilege escalations). You can set up alerts and playbooks for your security operations center (SOC) analysts so that they can respond to findings.

Certifications and compliance

Meeting your regulatory requirements is a shared responsibility between you and Google.

AlloyDB has received many certifications, including the following:

For more information about Google Cloud compliance with different regulatory frameworks and certifications, see the compliance resource center.

AlloyDB also supports Assured Workloads, which lets you apply controls to specific folders in your Google organization that support regulatory, regional, or sovereign requirements. For more information, see Supported products by control package.

What's next