Shield Private Spaces

Last updated February 18, 2025

Table of Contents

  • Shield Features and Limitations
  • Creating Shield Private Space
  • Keystroke Logging
  • Private Space Logging

Shield Private Spaces include additional features for building high-compliance applications compared to Private Spaces. Shield Private Spaces come at an additional cost, and it is recommended that you consult your Solution Engineer or Account Executive to decide if a Shield Private Space is appropriate for your application requirements.

Shield Private Spaces are not yet available for Fir. Subscribe to our changelog to track the updates to the next generation of the Heroku platform.

Shield Features and Limitations

  • Only dynos of the shield type can run in a Shield Private Space. Shield dynos have an encrypted ephemeral file system and are available in small, medium, and large sizes.
  • Shield Private Spaces allow the use of shield Heroku Postgres plans. These databases allow storage of certain regulated data classes that cannot be stored in private Heroku Postgres plans.
  • Shield Private Spaces allow the use of shield Heroku Key-Value Store plans. These instances have strict connection requirements, prevent external connections, and require encrypted clients.
  • Shield Private Spaces allow the use of the shield Heroku Connect plan.
  • Shield Private Spaces allow the use of shield Apache Kafka on Heroku plans. These services allow streaming of certain regulated data classes that cannot be stored in private Apache Kafka on Heroku plans.
  • In a Shield Private Space, all input typed into an interactive heroku run session is logged to the app or space log stream. This allows you to meet specific compliance requirements for production access auditing.
  • Shield Private Spaces allow you to manage logging at the space level, configuring a single log drain for all applications in the space.
  • Shield Private Spaces enforce stricter requirements for TLS termination. TLS 1.0 cannot be used to connect to applications in a Shield Private Space.
  • Interactive dyno console sessions (heroku run bash) are encrypted with SSH, and registering an SSH key with your Heroku account is required to run interactive dyno sessions.
  • heroku pg:psql and any other external connection to Shield Heroku Postgres databases (such as outside Postgres followers) are disabled, and so is downloading Postgres backups. This is to meet compliance requirements.
  • heroku redis:cli and any other external connection to Heroku Shield Key-Value Store instances are disabled. This is to meet compliance requirements.
  • To meet compliance requirements, Heroku Exec (SSH Tunneling) isn’t supported.

Creating Shield Private Space

To create a Shield Private Space using the Heroku CLI, specify the --shield option:

$ heroku spaces:create my-shield-space-name --shield --team my-team-name
Creating space my-shield-space-name in team my-team-name... done
=== my-shield-space-name
Team: my-team-name
Region:       virginia
State:        allocating

To enable Private Space Logging, specify a log drain URL when creating the space (Private Space Logging cannot be enabled after a Private Space has been created):

$ heroku spaces:create my-shield-space-name --shield --team my-team-name --log-drain-url https://mylogdrain.com
Creating space my-shield-space-name in team my-team-name... done
=== my-shield-space-name
Team: my-team-name
Region:       virginia
State:        allocating

To create a one-off dyno, you must first add an SSH key to your user account (this only has to be done once):

$ heroku keys:add
Generating public/private rsa key pair.
...
$ heroku run bash
...
~ $

Keystroke Logging

Shield Private Spaces provide keystroke logging, which logs all user keystrokes typed into interactive heroku run sessions. This can be important for production access auditing when meeting certain regulatory requirements.

For example, a user might run the following command:

$ heroku run bash -a shield-space-app
Running bash on ⬢ shield-space-app... provisioning, run.5042 (Shield-M)
 !    Warning: Dynos can take up to a few minutes to be provisioned in Private Spaces.
$ echo hello
hello

Looking at the app or space logs, you will see corresponding output:

$ heroku logs -a shield-space-app
...
2018-08-21T20:32:04.318608+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: Creating session on run.4195 by user@example.com
2018-08-21T20:33:41.377121+00:00 heroku[run.4195]: State changed from provisioning to starting
2018-08-21T20:34:24.107283+00:00 heroku[run.4195]: State changed from starting to up
2018-08-21T20:34:33.792538+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="echo hello"
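For access auditing, the session ID in the log source ties each user-input line back to the "Creating session" line that names the user and dyno. The following is an added example, not Heroku code: it assumes every keystroke-log line has the shape shown above, and the second session in the sample is constructed to show a session whose creation line falls outside the captured window.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the log lines shown above; the last line
# (a second session with no creation line) is made up for illustration.
SAMPLE_LOG = """\
2018-08-21T20:32:04.318608+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: Creating session on run.4195 by user@example.com
2018-08-21T20:33:41.377121+00:00 heroku[run.4195]: State changed from provisioning to starting
2018-08-21T20:34:24.107283+00:00 heroku[run.4195]: State changed from starting to up
2018-08-21T20:34:33.792538+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="echo hello"
2018-08-21T20:35:10.000000+00:00 app[session-00000000-0000-4000-8000-000000000001]: user-input="cat config/database.yml"
"""

# Line shapes are assumptions taken from the sample output on this page.
LINE = re.compile(r'^(?P<ts>\S+) app\[session-(?P<sid>[0-9a-f-]{36})\]: (?P<msg>.*)$')
CREATED = re.compile(r'^Creating session on (?P<dyno>\S+) by (?P<user>\S+)$')
INPUT = re.compile(r'^user-input="(?P<cmd>.*)"$')

def audit_sessions(log_text):
    """Return {session_id: {"user", "dyno", "inputs": [(timestamp, command), ...]}}."""
    sessions = defaultdict(lambda: {"user": None, "dyno": None, "inputs": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # dyno state changes and ordinary app output
        rec = sessions[m["sid"]]
        created = CREATED.match(m["msg"])
        typed = INPUT.match(m["msg"])
        if created:
            rec["user"], rec["dyno"] = created["user"], created["dyno"]
        elif typed:
            rec["inputs"].append((m["ts"], typed["cmd"]))
    return dict(sessions)

def unattributed(sessions):
    """Session IDs that have keystrokes but no 'Creating session' line."""
    return sorted(s for s, r in sessions.items() if r["inputs"] and r["user"] is None)

if __name__ == "__main__":
    result = audit_sessions(SAMPLE_LOG)
    for sid, rec in result.items():
        for ts, cmd in rec["inputs"]:
            print(ts, rec["user"] or "UNKNOWN", rec["dyno"] or "?", repr(cmd))
    print("unattributed:", unattributed(result))
```

Sessions returned by unattributed() need a wider log window before the keystrokes can be tied to a user.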

Private Space Logging

Private Space Logging is a feature only available to Shield Private Spaces that lets you configure log capture at the space level instead of the app level. See the Private Space Logging article for details.
