Security

Control plane in our cloud, data plane in yours. Least-privilege IAM, no access keys, no data egress.

Ownkube is designed so your code, data, and runtime stay inside your AWS account. The control plane in our cloud only receives configuration intent. The actual workloads, databases, logs, and traffic all live with you.

Trust model at a glance

Least-privilege IAM

A single scoped-down IAM role in your account. No access keys stored, no root credentials ever used.

No data egress

Application traffic, request bodies, database rows, and logs never leave your VPC.

Encryption everywhere

At rest with AWS KMS keys in your account. In transit with TLS on every hop.

Disconnect anytime

Remove the IAM role and your cluster keeps running. You own the VPC, the nodes, and the data.

Control plane vs data plane

  • Control plane (Ownkube) stores cluster metadata, deployment configuration, user accounts, billing. Never receives your application's traffic or data.
  • Data plane (your AWS account) runs every container, every database, every load balancer, every TLS certificate. All data stays here.

How the AWS connection works

When you connect your AWS account, a CloudFormation stack creates a single IAM role with:

  • A trust policy that only lets Ownkube's AWS account assume it, and only with a unique external ID generated for your account
  • Scoped-down permissions limited to what Ownkube needs: EKS, EC2, VPC, CloudFormation, S3 for state, IAM role-passing, ACM, Route 53, Elastic Load Balancing, ECR

No long-lived AWS credentials are stored in Ownkube's database. Every action uses short-lived STS credentials obtained by assuming the role with the external ID. The external ID is what closes the confused-deputy problem: without it, a role that trusts Ownkube's account could be assumed on behalf of any Ownkube user who learned its ARN, not just you. Before you deploy the stack, read the template's trust policy and the Resource scope on the iam:PassRole grant, since that one permission decides which roles the resources Ownkube creates can be handed.
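The trust relationship described above, as an added example that is not Ownkube's own code or template. It builds a trust policy of the kind the CloudFormation stack would create, models how STS treats assume-role attempts against it (right external ID, missing external ID, wrong account), and lints the policy the way you would lint the role in your own account. The account IDs and role name are placeholders, the external ID is generated locally with secrets.token_urlsafe as an assumption about how a per-customer value might be produced, and assume_role_allowed() is a deliberately small model of the trust-policy check, not a full IAM policy engine.

```python
"""Added example, not Ownkube's code: model of the cross-account trust
described on this page. Account IDs, role name and the way the external
ID is generated are assumptions; assume_role_allowed() models only the
parts of IAM trust-policy evaluation relevant here (Allow statements, an
AWS account principal, StringEquals on sts:ExternalId)."""
import json
import secrets
from typing import Dict, List, Optional

CONTROL_PLANE_ACCOUNT = "111111111111"   # placeholder for Ownkube's AWS account
CUSTOMER_ACCOUNT = "222222222222"        # placeholder for your AWS account
ROLE_NAME = "OwnkubeAccessRole"          # placeholder role name


def generate_external_id() -> str:
    """Per-customer external ID: random and unguessable, so someone who
    learns your role ARN still cannot get Ownkube to assume it for them."""
    return secrets.token_urlsafe(32)


def build_trust_policy(control_plane_account: str, external_id: str) -> Dict:
    """Trust policy that lets only control_plane_account assume the role,
    and only when the AssumeRole call carries the matching sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{control_plane_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(trust_policy: Dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Simplified STS evaluation: allowed only if some Allow statement names
    the caller's account and its sts:ExternalId condition (if any) holds."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = "*" if principal == "*" else principal.get("AWS")
        if aws_principal not in ("*", f"arn:aws:iam::{caller_account}:root"):
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id != expected:
            continue  # condition not met, so this statement does not match
        return True
    return False


def lint_trust_policy(trust_policy: Dict) -> List[str]:
    """Checks worth running on the role in your account: no wildcard principal,
    a single trusted account, and an sts:ExternalId condition on every Allow."""
    findings = []
    for i, stmt in enumerate(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = "*" if principal == "*" else principal.get("AWS")
        if aws_principal == "*":
            findings.append(f"statement {i}: wildcard principal")
        if isinstance(aws_principal, list) and len(aws_principal) > 1:
            findings.append(f"statement {i}: more than one trusted principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    ext_id = generate_external_id()
    policy = build_trust_policy(CONTROL_PLANE_ACCOUNT, ext_id)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_trust_policy(policy) or "clean")
    print("control plane, right external ID:", assume_role_allowed(policy, CONTROL_PLANE_ACCOUNT, ext_id))
    print("control plane, no external ID:   ", assume_role_allowed(policy, CONTROL_PLANE_ACCOUNT, None))
    print("other account, right external ID:", assume_role_allowed(policy, "333333333333", ext_id))
```

The lint is the part to keep: after the stack is created, pull the role's trust document with the AWS CLI or console and run the same three checks against it, since the template is the only place the external ID binding can be weakened.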

Data handling

Data type | Where it lives | What Ownkube sees
Application code | Your container registry | Nothing (your cluster pulls the image straight from the registry)
Application traffic | Your cluster's load balancer | Nothing
Request bodies, responses | Your cluster | Nothing
Database rows | Inside your cluster | Nothing
Environment variables | Your cluster's secret store, encrypted at rest | Keys only; values are stored encrypted and decrypted only at push time
Container logs | Inside your cluster | Nothing
Deployment config | Ownkube database (encrypted) | Yes: image, env var keys (values encrypted), scale, probes

Environment variable values marked as Secret are encrypted at rest in Ownkube's database and masked everywhere in the UI. They are decrypted only at the moment they are pushed into the cluster's secret store, which is itself encrypted at rest with AWS KMS. That push is the one point where the control plane handles a secret value in plaintext, so note it in your own audit scope; everything listed above as "Nothing" never passes through Ownkube at all.

Compliance posture

Because everything at runtime lives in your AWS account, your compliance scope mirrors what you already have with AWS.

  • SOC 2: audit scope stays on your AWS account and internal processes
  • HIPAA: keep your BAA with AWS directly; application data never leaves your account
  • GDPR: data residency is determined by the region you pick when you create a cluster
  • ISO 27001: scope stays under your organization's program

Ownkube itself maintains standard operational controls for the control plane. If you need documentation for your own audits, reach out.

Standard, non-proprietary infrastructure

Ownkube provisions standard AWS resources inside your VPC: EC2 instances, EKS clusters, Elastic Load Balancing, S3 buckets for state, ACM certificates, Route 53 records. No proprietary APIs, no custom runtimes.

If you disconnect Ownkube, all of those resources are standard AWS resources you can continue to manage directly.

Disconnect anytime

Remove the IAM role (or delete the CloudFormation stack) and Ownkube loses access. Nothing gets torn down: your clusters keep running, your databases keep serving traffic, your TLS certificates keep renewing, because AWS handles all of that. Reconnecting is a three-minute flow. One caveat if you only edit the trust policy to drop Ownkube's principal instead of removing the role: that blocks new AssumeRole calls but does not end a session that was already issued, which stays valid until it expires.

"Disconnect" means Ownkube stops managing. It does not delete your resources, but it also means Ownkube can't help you if something goes wrong until you reconnect. For genuine decommissioning, delete the clusters first from the dashboard while still connected.

Security practices


Don't see a feature you need? Email support@ownkube.io. Ownkube is shaped by the teams using it and we ship what our users ask for.
