Support Access to devices

I have to provide information about Balena for a security audit, so I was reading your security page here.

"Support access

Device access is granted to a subset of balena employees to enable support and device troubleshooting. This access is controlled by the same SSH access mechanisms described above, and only SSH key access is permitted. Balena employees access devices only for user support and to maintain device state and uptime with permission from the customer.

If desired, this functionality can be disabled by removing the balena SSH public key from the device (or from the base image before flashing it onto the device). However, this will render the device inaccessible remotely for the purposes of support or repairs and updates to the base OS. Thus this should be done with extreme caution and only after careful consideration of the tradeoffs."

How is the private key stored? Is the private key on a different AWS account, so that if the primary Balena AWS account has been compromised, the hostile agent would not be able to get access to it? Is there an access policy in place to limit access to a trusted subset of Balena employees?

How does one of your amazing engineers who is doing a support shift SSH into our devices after I enable support access?

I think this section is a bit out of date because it mentions nothing about the ability to “grant support access” for only a limited time window.

You all do a fantastic job on security and I really want to highlight that in my report.

Hi @taclog,
I do not think I can provide all of the information you are asking for so I will have to forward your request to other engineers.
Meanwhile, would you mind telling us what the security audit is for?

Thanks!
That sounds good.

Contact @notnamed for details about the audit.

What I can say is that a client wants to be sure that our devices won’t turn into a bad headline in a newspaper one day.

Hi,
The SSH key in question is loaded into an SSH agent in the service that acts as our device gateway. It is not associated with any AWS account, and only a very limited number of people have access to this key to load it into the service. This service then uses the access control system of the central API to determine whether access is granted to a device or not. The time-based support access is managed within the access control system of the API.
Does this clarify your questions?
Best regards,

Yes that will do nicely!

Thanks!