Redpanda Cloud ensures the highest level of authentication for both users and services.

User authentication

Redpanda Cloud authenticates users directly using their email and password. Passwords are hashed (a one-way function that makes the original value unrecoverable, and effectively encrypted) and salted at rest using bcrypt.

Service authentication

Each Redpanda Cloud data plane runs its own dedicated agent, which authenticates and connects against the control plane over a single TLS 1.2 encrypted TCP connection.

Redpanda Cloud enables SASL/SCRAM authentication over TLS 1.2 to authenticate Kafka clients connecting to Redpanda clusters over the TCP endpoint or listener.

When connecting through Redpanda’s HTTP Proxy, authentication is done through an HTTP Basic Authentication header encrypted over TLS 1.2.

The following features use AWS and GCP IAM Policies to generate dynamic and short-lived credentials to interact with cloud provider APIs:

  • Data plane agent

  • Tiered Storage

  • Redpanda Console

  • Managed connectors

AWS and GCP IAM policies have constrained permissions so that each service can only access or manage its own data plane-scoped resources, following the principle of least privilege.