Skip to content

Security

Outbound sits in your egress path, so we hold ourselves to the standard you’d apply to any network vendor: collect the minimum, scope every permission, and make all of it auditable from your side.

Gateways report flow metadata to Outbound’s ingest API over HTTPS:

  • Source private IP (mapped to an application/instance/pod name)
  • Destination IP and destination domain
  • Protocol and ports
  • Byte and packet counts, connection timestamps
  • Gateway host metrics (CPU, memory, disk, network throughput of the gateway instance itself)
  • Packet payloads. The sensor parses at most the first 3 packets of a new TCP connection, in memory, solely to extract the destination domain from the TLS SNI extension or the HTTP Host header. Payload bytes are not stored on the gateway and not transmitted. There is no TLS interception or decryption — encrypted content stays encrypted and unread.
  • Credentials or secrets. The telemetry API key lives in your Secrets Manager; Outbound’s control plane writes it there and gateway components read it via IAM.
  • All control-plane access goes through a single cross-account role you create, with every permission enumerated and justified in the AWS connector reference.
  • The role’s trust policy requires both CloudPhilos’s AWS account and your unique External ID — the AWS-recommended defense against confused-deputy attacks.
  • Destructive permissions are scoped: instance termination and modification only apply to resources tagged cloudphilos-gateway, secret updates only to the Outbound API-key ARN, and iam:PassRole only to the gateway instance role for the EC2 service.
  • Every action Outbound takes in your account appears in your CloudTrail, attributable to the assumed role session. You can audit us at any time — and revoke us at any time by deleting the role.
  • Built from a hardened, minimal Amazon Linux image, rebuilt and patched regularly by CloudPhilos.
  • No inbound access from the internet: its security group admits traffic only from your VPC’s CIDR, and there is no SSH — administrative access is via AWS Systems Manager, which logs to your CloudTrail.
  • Runs in your account, subject to your VPC Flow Logs, GuardDuty, and every other control you already have.
  • Gateway → Outbound telemetry: HTTPS (TLS), authenticated with the per-tenant API key.
  • Dashboard and API access: HTTPS, with user authentication supporting MFA (TOTP) and role-based access (administrator and read-only roles).
  • Tenant data is logically isolated per customer within Outbound’s platform, and administrative actions in the Outbound dashboard are audit-logged.

The in-cluster sensor reads pod metadata only (names, labels, IPs) and needs a single AWS permission (secretsmanager:GetSecretValue on the Outbound API-key secret) via IRSA. It has no privileged containers, no host networking requirements, and does not process traffic. See the Kubernetes connector.

If you believe you’ve found a security issue in Outbound — the platform, a gateway image, or the sensor — email security@sue.nl. We acknowledge reports within one business day, keep you informed through remediation, and credit reporters who wish to be credited. Please don’t test against other tenants’ resources.