Heroku Vs. AWS: 2023 Data Security Comparison
Heroku and AWS are two of the common choices available for cloud hosting. Heroku is a Platform as Service (PaaS) provider that helps startups develop business applications with simplicity and without needing DevOps expertise in the team. Not only does it provide resources automatically, but you can deploy your applications with just a single click. Heroku has been a top choice for developers for years as it speeds up development cycles by providing fully managed infrastructure and application deployment.
AWS is an Infrastructure as Service (IaaS) provider which offers computing power, database, storage, content delivery, and many other services.
Although Heroku is ideal for startups because it provides tremendous simplicity and time-saving, when your application starts growing, and its architecture becomes complex, then challenges related to DevOps, data security, and scalability start to jump in.
The article below will provide a brief comparison between AWS and Heroku regarding data security.
Morgan PerryApril 7, 2022 · 5 min read
[Last updated on 07/26/2023]
Whenever you provision a database on Heroku, it is publicly accessible from any IP address. All you need to connect to the Heroku database instance is a valid connection URL:
psql "postgres://heroku_user:[email protected]:5432/database_name"
To make your database private, you will need to go for private and shield tiers of Heroku plans which are much more expensive as compared to the standard database tiers. This is contrary to AWS RDS, where you will get a database on a private subnet even in the free tier.
In terms of encryption of data at rest, Heroku’s hobby tier (Hobby Dev is free while Hobby Basic is $9 per month) does not support encryption at rest. A big disadvantage to small startups who are concerned about their data security.
Talking about encryption in transit, SSL connection is enforced in Heroku, so you cannot connect with an SSL mode explicitly disabled:
*psql "postgres://heroku_user:[email protected]:5432/database_name?sslmode=disable"*# *psql: error: could not connect to server: FATAL:*
Contrary to AWS RDS, you cannot use SSL “verify-full” mode because Heroku does not offer a CA certificate for databases instances outside the Private Space tiers (which are extremely expensive). It means that whenever you directly connect to the Heroku database using “psql” or “heroku pg:psql” commands, you’re vulnerable to a Man in the Middle attack. On Heroku, the only solution is to use a private space tier for your database, which is very expensive.
If you connect Heroku App to an AWS RDS instance, you will be forced to use the RDS database’s public URL. Not only that, you would want to whitelist the Heroku App’s IP for inbound traffic to AWS RDS. But we all know that using a public URL for database connection is a bad idea. So to connect your Heroku App to RDS Instance securely, you will need to restrict Postgresql Connection to a private IP from Heroku. Unfortunately, private IP on Heroku is only available if you have Heroku Private Spaces or buy a dedicated IP Add On (both options are very expensive), which will deprive you of all the cost benefits you gained by preferring RDS over Heroku Postgres.
AWS has a clear advantage over Heroku if your business requires HIPAA and SOC compliance. AWS has built compliance with many existing standards, including HIPAA, FedRAMP, SOC 2, and FIPS 140-2. You don’t have to take extra measures to make your applications compliant with these standards on AWS.
To achieve compliance for HIPAA and SOC on Heroku, the standard options on Heroku will not suffice. You will need to go for Heroku enterprise, which is highly costly. The cost-effective standard containers on Heroku will not be sufficient for your compliance needs; you will need to go for the Heroku shield, which is much more expensive and might not be suitable for startups.
Need to become HIPAA compliant? Read our article on what to consider on AWS to be HIPAA compliant in 2022.
Consider a scenario where you have a Canadian client, and there is a strict requirement that all the data be stored inside the Canada region. Heroku does not offer data centers in all the countries, and Canada is one of them. In this example of Canada, AWS RDS is a better option because it offers a data center in Canada. If you need to host your application (and database) in the Canada region, all your data will be hosted in the nearest data center, one of the USA data centers. Another related concern is that data of some Heroku add-ons are stored in the US even though you have hosted the application database in some other region, e.g., the EU. That might be a concern for GDPR compliance. So even if your application and database are provisioned in the Heroku Europe region, its backups, Dataclips, and logs will still be stored in the United States. That might be an issue if your data is sensitive or critical.
Most of the challenges mentioned above lie in the way Heroku operates. AWS is far ahead of Heroku regarding data security challenges, especially for startups with limited financial resources. Find below how AWS provides a remedy to the above concerns:
- You do not need to buy advanced or expensive tier infrastructure/services to accomplish your compliance needs. AWS has built-in compliance (https://aws.amazon.com/compliance/ ) in its services; this is contrary to Heroku, where you will need to move to enterprise-level expensive plans such as Private space and Heroku Shield. Take the example of HIPAA, you can use even the free tier T2.Micro EC2 instance in AWS to build a HIPAA compliant application. But on Heroku, you cannot use their free tier Hobby dynos to build a HIPAA compliant app.
- Encryption at rest is present with no extra cost. Whether it is EBS volume encryption or RDS database-level encryption, there is no restriction to buying a specific plan to achieve data encryption.
- Even with the basic and free plan on AWS, you can provision your RDS database on a private subnet, in its own VPC. That means it will be accessible to only the resource in the same VPC. This feature is available only in high-end expensive plans in Heroku.
- Static IP is mandatory if you only want to whitelist the inbound traffic to your database for specific IPs. In AWS, you do not need to pay anything to get a dedicated static IP. Elastic IP is free in AWS as long as it is in use.
Security is of utmost importance for any organization, and moving to a cloud provider has its own security challenges. As the organizations grow, their needs to manage security also grow. Any loophole in any area of security (whether data security or user’s security, etc.) can negatively impact your business. As discussed above, moving to AWS has a lot of benefits regarding data security. However, the challenge is to have skilled resources in your team who have the required knowledge to manage the services on AWS efficiently. A modern solution like Qovery enables startups to overcome these challenges by providing automatic infrastructure and application management on their own AWS account. Qovery is the best of both worlds, as it combines the simplicity of Heroku and the technical depth of AWS.
Recommended article: What Makes Qovery Secure?