Security overview
Last Updated: 2026-06-15
Consolidated security, compliance, and data-handling summary for Roadrunner SMB™ on AWS® Marketplace. For operational detail, see the FAQ — Security and permissions and Known Limitations.
Deployment model and data residency
- Roadrunner SMB deploys as a CloudFormation® stack in your AWS account and VPC.
- Customer file data remains on customer-owned Amazon EFS® in your account and Region.
- ACL metadata and cluster coordination state are stored in Amazon DynamoDB® in your account.
- RRSMB does not move SMB file contents to Roadrunner SMB–operated storage outside your account.
Encryption
| Layer | Protection |
|---|---|
| EFS at rest | AWS-managed encryption at rest on customer EFS file systems |
| Appliance ↔ EFS | TLS via stunnel (amazon-efs-utils) on NFS paths |
| Admin UI | HTTPS/TLS on NLB port 443 (certificate from ACM import or stack-scoped self-signed SAN) |
| SMB clients | SMB3 signing/encryption per client and Samba negotiation (see Known Limitations) |
| Secrets | Domain join and bootstrap credentials in AWS Secrets Manager |
Network access controls
| Path | Default posture | Parameter |
|---|---|---|
| Admin UI (HTTPS/443) | Internet-reachable by default | AdminIngressCidr — narrow to office/VPN/bastion for production |
| SMB (TCP/445) | Restricted to private/VPC client ranges by default | SmbClientCidr (default 10.0.0.0/8) — not public internet by default |
| Prometheus (TCP/9090) | Per-node metrics scrape | AdminCidr — not the Admin UI; do not confuse with AdminIngressCidr |
RRSMB nodes run in private subnets. Public subnets host the NLB for Admin HTTPS (and the SMB listener, subject to the CIDR restrictions above).
Production recommendation: After deploy, update the nested stack and set AdminIngressCidr to trusted administrator networks. See Quick Start — Harden for production and Restricting Admin UI access below.
Restricting Admin UI access
The Admin UI is served on HTTPS port 443 on the stack Network Load Balancer. Access is controlled by AdminIngressCidr, which sets the inbound TCP/443 rule on the NLB security group.
| Resource | Typical AWS name | Parameter | Port | Controls |
|---|---|---|---|---|
| NLB security group | rrsmb-<EnvironmentName>-nlb | AdminIngressCidr | 443/TCP | Admin UI (customer-facing HTTPS) |
| Same NLB security group | rrsmb-<EnvironmentName>-nlb | SmbClientCidr | 445/TCP | SMB on the NLB |
| Node security group | rrsmb-<EnvironmentName>-nodes | AdminCidr | 9090, 22222 | Prometheus metrics and SSH ops on cluster nodes — not Admin UI |
Do not use AdminCidr for Admin UI. Admin traffic path: client → NLB:443 (TLS termination) → task 8888 (allowed from the NLB security group only, not from arbitrary internet CIDRs on nodes).
Recommended: CloudFormation (keeps stack as source of truth)
- Open CloudFormation → nested appliance stack (…-InnerStack-…) → Update.
- Set AdminIngressCidr to trusted source CIDRs, for example:
  - Single admin IP: 203.0.113.10/32
  - Corporate VPN egress: 198.51.100.0/24
  - Private admin network (site-to-site VPN): 10.20.0.0/16
- Complete the stack update. CloudFormation updates the NLB security group inbound rule on port 443.
Avoid hand-editing security group rules unless you accept drift from the stack.
Find in the AWS Console: EC2 → Security Groups → filter rrsmb- → select rrsmb-<EnvironmentName>-nlb → Inbound rules → 443.
Access patterns
| Pattern | Set AdminIngressCidr to | Notes |
|---|---|---|
| Office / home IP | Your public /32 or ISP range | Simple; update when IPs change |
| Corporate VPN | VPN egress CIDR | Connect via VPN, then open AdminUIUrl |
| Jump box (bastion) | Bastion public /32 (or trusted bastion subnet) | Connect to bastion; browse from there or SSH port-forward to NLB:443 |
| Internal-only admin path | VPN or Direct Connect CIDR that can reach the NLB | NLB remains in public subnets; restriction is who may connect to 443 |
Jump box example: deploy or use a bastion in the VPC → set AdminIngressCidr to the bastion public /32 → SSH to the bastion → open AdminUIUrl in a browser on the bastion (or ssh -L 8443:<nlb-dns>:443 user@bastion and browse https://localhost:8443).
If the Admin UI is unreachable after hardening, confirm your current source IP is inside AdminIngressCidr, verify inbound 443 on rrsmb-…-nlb, and use AdminUIUrl from the parent stack Outputs (HTTPS, not task port 8888). See Support & Troubleshooting — Admin UI unreachable.
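The stack-update procedure above and the unreachable-after-hardening check both reduce to what the NLB security group's inbound TCP/443 rule allows. The following Python is an added example, not Roadrunner SMB code: it audits a security group in the shape EC2 describe-security-groups returns (in practice fetched with boto3; here a constructed sample at the default posture), flags a world-open Admin UI rule, checks whether a given source IP falls inside AdminIngressCidr, and shows the rule as it looks after hardening. The group name rrsmb-prod-nlb is an assumed EnvironmentName of "prod".

```python
import ipaddress

ADMIN_UI_PORT = 443   # rule on rrsmb-<EnvironmentName>-nlb set by AdminIngressCidr
PUBLIC_ANY = ("0.0.0.0/0", "::/0")

# Constructed sample in EC2 describe-security-groups shape (not real output):
# a stack still at the default, Internet-reachable Admin UI posture.
SAMPLE_NLB_SG = {
    "GroupName": "rrsmb-prod-nlb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

def cidrs_for_port(sg, port):
    """Every CIDR whose inbound rule covers TCP `port` (all-traffic rules included)."""
    out = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1" or (proto == "tcp" and
                             perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            out += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return out

def admin_ui_findings(sg):
    """Findings for the 443 rule: missing (UI unreachable) or open to the world."""
    cidrs = cidrs_for_port(sg, ADMIN_UI_PORT)
    findings = [] if cidrs else ["no inbound 443 rule: check AdminIngressCidr"]
    findings += [f"443 open to {c}: narrow AdminIngressCidr for production"
                 for c in cidrs if c in PUBLIC_ANY]
    return findings

def source_allowed(sg, source_ip, port=ADMIN_UI_PORT):
    """True if `source_ip` is inside a CIDR allowed on `port` (the first thing to
    confirm when the Admin UI is unreachable after hardening)."""
    ip = ipaddress.ip_address(source_ip)
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs_for_port(sg, port))
    return any(ip in n for n in nets if n.version == ip.version)

def with_admin_cidr(sg, admin_cidr):
    """Copy of `sg` whose 443 rule allows only `admin_cidr`, i.e. the state the
    stack update produces once AdminIngressCidr is set to that value."""
    perms = [{**p, "IpRanges": [{"CidrIp": admin_cidr}], "Ipv6Ranges": []}
             if p.get("FromPort") == ADMIN_UI_PORT else p for p in sg["IpPermissions"]]
    return {**sg, "IpPermissions": perms}
```

Running admin_ui_findings over the group returned by boto3's ec2.describe_security_groups for rrsmb-<EnvironmentName>-nlb gives a quick drift check after each stack update; an empty list means 443 is neither missing nor world-open.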
Identity and access
- SMB: Active Directory® only (Kerberos/NTLM). No guest/anonymous access.
- Admin UI: Domain administrators (when enabled) and break-glass Appliance Owner (rrsmb-admin) from First-Time Setup.
- AWS API calls: Instance and task IAM roles scoped to required services in your account — separate from the human deployer principal used at install.
Planning guide: Identity and permissions · Deployer permission matrix · AD domain join delegation
Audit and logging
- Security-relevant Admin actions emit immutable audit events to CloudWatch Logs (login, share changes, AD join, support mode, configuration changes).
- Support Reports offer redaction levels before download; reports are not uploaded automatically.
Billing metering and EFS scope
Marketplace ManagedStorageGBHours reflects the entire EFS filesystem size attached to a billable share, not just the share folder path. Mounting a large existing filesystem for a small share can produce significant metering. Plan before share creation — see Known Limitations — billing.
Compliance posture (GA)
| Topic | GA status |
|---|---|
| SOC 2 / ISO / HIPAA attestation by Roadrunner SMB LLC | Not offered as a vendor attestation package at GA; customers inherit AWS shared responsibility and their own compliance programs |
| Data residency | Customer-selected AWS Region; data stays in customer account |
| Marketplace security review | Product submitted through AWS Marketplace container-product process |
For procurement questionnaires, start with this page, the AWS Marketplace deployment summary, and architecture diagrams in the Architecture Whitepaper.
