Enterprise Security

Security by Design

RedQueen is built with enterprise security requirements in mind. Your data never leaves your AWS account, and every request goes through multiple authentication layers.

Authentication Flow

Every request passes through multiple security checkpoints before reaching your data.

Step 1

Slack Request Verified

Dual verification: signing secret + TLS certificate from Slack

Step 2

RQ Session Auth

Users must individually authenticate with RedQueen (beyond Slack access)

Step 3

Slack ID Binding

RQ account linked to Slack identity for verified user mapping

Step 4

Group Access

Role-based permissions control which features users can access

Security Features

Comprehensive protection at every layer of the stack.

Data Sovereignty

All data stays within your AWS account. No external API calls for sensitive data.

VPC Isolation

Private endpoints never exposed publicly. All traffic stays within VPC.

TLS Certificate Verification

An X.509 client certificate verifies Slack requests. Domain validation is enforced against platform-tls-client.slack.com.

Per-User RQ Auth

Custom auth layer on top of Slack. Users must individually authenticate with RedQueen.

IAM Role Coverage

Full IAM coverage: VPC-isolated sources via Lambda Proxy, account-isolated via direct IAM roles.

Audit Trail

Complete logging of all queries and tool invocations to DynamoDB.

Data Sovereignty

Your Data Stays in Your Account

RedQueen deploys entirely within your AWS account. Sensitive monitoring data never crosses account boundaries.

  • VPC-isolated sources via Lambda Proxy
  • Account-isolated sources via direct IAM roles
  • No external API calls for sensitive queries
  • AI inference stays in your AWS region
  • Full audit trail in your DynamoDB

Attack Vectors Prevented

  • Data exfiltration via external APIs
  • Man-in-the-middle attacks (TLS verification)
  • Unauthorized user access (per-user RQ auth)
  • Session hijacking (expiry enforced)
  • Privilege escalation (group-based access)

Slack Request Verification

Every request from Slack is verified before processing.

Signing Secret

Slack signs each request with a shared secret. RedQueen verifies the signature before processing any command.
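The signing-secret check described above can be sketched as follows. This is an added example, not RedQueen's own code: the `v0` scheme and the `X-Slack-Signature` / `X-Slack-Request-Timestamp` headers are Slack's documented request-signing format, while the function names, the five-minute replay window and the sample secret, body and timestamp are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 60 * 5  # assumed replay window; Slack's guidance is five minutes


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over 'v0:<timestamp>:<raw body>', hex-encoded with a 'v0=' prefix."""
    base = b"v0:" + timestamp.encode("ascii") + b":" + body
    mac = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256)
    return "v0=" + mac.hexdigest()


def verify_slack_request(signing_secret, headers, body, now=None):
    """Return (ok, reason). `body` must be the raw bytes, before any form or JSON parsing."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get("x-slack-request-timestamp", "")
    signature = lowered.get("x-slack-signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False, "missing_headers"
    # Reject old or future-dated requests so a captured request cannot be replayed later.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return False, "bad_signature"
    return True, "ok"


# Constructed sample request (not real Slack traffic, not a real secret).
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = b"command=%2Frq&text=status&user_id=U0000000"
SAMPLE_HEADERS = {
    "X-Slack-Request-Timestamp": SAMPLE_TS,
    "X-Slack-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    t0 = int(SAMPLE_TS)
    print(verify_slack_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=t0 + 2))
    print(verify_slack_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b"&x=1", now=t0 + 2))
    print(verify_slack_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=t0 + 600))
```

The timestamp is checked before the HMAC so that a correctly signed but replayed request is still rejected.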

TLS Certificate

Slack provides a client certificate with each request. RedQueen validates that it originates from the official Slack domain.