Shield Private Spaces
Last updated February 18, 2025
Table of Contents
Shield Private Spaces include additional features for building high-compliance applications compared to Private Spaces. Shield Private Spaces come at an additional cost, and it is recommended that you consult your Solution Engineer or Account Executive to decide if a Shield Private Space is appropriate for your application requirements.
Shield Private Spaces are not yet available for Fir. Subscribe to our changelog to track the updates to the next generation of the Heroku platform.
Shield Features and Limitations
- Only dynos of the
shieldtype can run in a Shield Private Space. Shield dynos have an encrypted ephemeral file system and are available in small, medium, and large sizes. - Shield Private Spaces allow the use of
shieldHeroku Postgres plans. These databases allow storage of certain regulated data classes that cannot be stored inprivateHeroku Postgres plans. - Shield Private Spaces allow the use of
shield(Shield Heroku Key-Value Store) plans. These instances have strict connection requirements, prevent external connections, and require encrypted clients. - Shield Private spaces allow the use of the
shieldHeroku Connect plan. - Shield Private Spaces allow the use of
shieldApache Kafka on Heroku plans. These services allow streaming of certain regulated data classes that cannot be stored inprivateApache Kafka on Heroku plans. - In a Shield Private Space, all input typed into an interactive
heroku runsession is logged to the app or space log stream. This allows you to meet specific compliance requirements for production access auditing. - Shield Private Spaces allow you to manage logging at the space level, configuring a single log drain for all applications in the space.
- Shield Private Spaces enforce stricter requirements for TLS termination. TLS 1.0 cannot be used to connect to applications in a Shield Private Space.
- Interactive dyno console sessions (
heroku run bash) are encrypted with SSH, and registering an SSH key with your Heroku account is required to run interactive dyno sessions heroku pg:psqland any other external connection to Shield Heroku Postgres databases (such as outside Postgres followers) is disabled, and so is downloading Postgres backups. This is to meet compliance requirements.heroku redis:cliand any other external connection to Heroku Shield Key-Value Store instances is disabled. This is to meet compliance requirements.- Heroku Exec (SSH Tunneling) isn’t supported to meet compliance requirements
Creating Shield Private Space
To create a Shield Private Space using the Heroku CLI, specify the --shield option:
$ heroku spaces:create my-shield-space-name --shield --team my-team-name
Creating space my-space-name in team my-team-name... done
=== my-space-name
Team: my-team-name
Region: virginia
State: allocating
To enable Private Space Logging, specify a log drain URL when creating the space:
Private Space Logging cannot be enabled after a Private Space has been created.
$ heroku spaces:create my-shield-space-name --shield --team my-team-name --log-drain-url https://mylogdrain.com
Creating space my-space-name in team my-team-name... done
=== my-space-name
Team: my-team-name
Region: virginia
State: allocating
To create a one-off dyno, you must first add an SSH key to your user account (this only has to be done once):
$ heroku keys:add
Generating public/private rsa key pair.
...
$ heroku run bash
...
~ $
Keystroke Logging
Shield Private Spaces provide keystroke logging, which logs all user keystrokes typed into interactive heroku run sessions. This can be important for production access auditing when meeting certain regulatory requirements.
For example, a user might run the following command:
$ heroku run bash -a shield-space-app
Running bash on ⬢ shield-space-app... provisioning, run.5042 (Shield-M)
! Warning: Dynos can take up to a few minutes to be provisioned in Private Spaces.
$ echo hello
hello
Looking at the app or space logs, you will see corresponding output:
$ heroku logs -a shield-space-app
...
2018-08-21T20:32:04.318608+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: Creating session on run.4195 by user@example.com
2018-08-21T20:33:41.377121+00:00 heroku[run.4195]: State changed from provisioning to starting
2018-08-21T20:34:24.107283+00:00 heroku[run.4195]: State changed from starting to up
2018-08-21T20:34:33.792538+00:00 app[session-df7030f1-c075-4074-aa4e-c0c8581d2ab7]: user-input="echo hello"
Private Space Logging
Private Space Logging is a feature only available to Shield Private Spaces that lets you configure log capture at the space level instead of the app level. See the Private Space Logging article for details.