Security
Enforce security for Unity Virtual Private Cloud in Amazon Web Services
Read time 4 minutesLast updated 6 days ago
Identity and access management (IAM)
Deployment requires anAdministratorAccessImportant
Don't use the AWS account root user as part of the deployment or operation of the solution.
IAM policies
Claim | Required | Description |
|---|---|---|
cluster_autoscaler | Optional | Allows the cluster autoscaler to scale Amazon Elastic Kubernetes Service (EKS) nodes. |
flexlm_logs | Optional | Allows the FlexLM instance to create log groups and to stream logs to Amazon CloudWatch. |
mongo_ebs | Optional | Allows the MongoDB instance to attach and detach Amazon Elastic Block Storage (EBS) volumes. |
mongo_logs | Optional | Allows the MongoDB instance to create log groups and to stream logs to CloudWatch. |
read_config_secret | Optional | Allows the external-secrets deployment to communicate with AWS Secrets Manager secret to read the configuration. |
IAM roles
Claim | Required | Description |
|---|---|---|
cloudwatch_observability | Optional | Allows the EKS CloudWatch Agent to send logs to CloudWatch. |
cluster_autoscaler | Optional | Allows the cluster autoscaler to scale EKS nodes. |
dlm_lifecycle_role | Optional | Allows for MongoDB snapshots to be taken and stored. |
ebs_csi_driver | Optional | Allows EKS to create persistent EBS volumes. |
efs_csi_driver | Optional | Allows EKS to create persistent Amazon Elastic File System (EFS) volumes. |
eks_cluster | Optional | Required if the EKS cluster is enabled. |
external_secrets | Optional | Required if the EKS cluster is enabled. Used for reading configuration secrets. |
flexlm | Optional | Required for FlexLM licensing. |
services_node_group | Optional | Required if the EKS cluster is enabled. |
Networking
The deployed security groups require a configuration that allows ingress from only the specified required resources:- IP address ranges, in Classless Inter-Domain Routing ranges (CIDR) notation
- Ports
- Protocols
- The EKS cluster
- Amazon Relational Database Service (RDS) Postgres
- The Amazon Elastic Load Balancers
Variable | Description |
|---|---|
internal_ingress_cidrs | When you create a security group, this variable restricts network access between the resources. The default value is |
allowed_ingress_cidrs | When using Traefik with the LoadBalancer configuration, you might want to allow access to the Frontend Dashboard. To allow traffic from specific ranges IP addresses for the security group, modify this variable with a list of allowed IP address ranges in CIDR notation. |
Public access
To expose the private resources to the public internet while limiting access, the default deployment process provisions these resources:-
An external load balancer, to be used as ingress.
To disable the loader balancer functionality, change the Terraform variable traefik_service_type from to
LoadBalancer.NodePort - A list of allowed IP address ranges in Classless Inter-Domain Routing ranges (CIDR) notation, to limit access. To manage this list, use the Terraform variable allowed_ingress_cidrs.
Secrets
AWS Secrets Manager stores all application secrets and infrastructure secrets in a single secret. The name of the secret is configured in the Terraform variable aws_secretsmanager_secret_config_name. The default value isasset-solutions/configurationKey name | Description |
|---|---|
automation_connectionstring_db | An Npgsql Postgres connection string for the automation database. |
image_pull_secrets_dockerconfigjson | Credentials for pulling from the Unity Virtual Private Cloud container registry. |
keycloak_mini_usf_clientsecret | A client secret key that the mini-usf uses service to communicate with Keycloak. During rotation, first update this key from the Keycloak admin console. |
linksharing_service_connection_string | The Npgsql Postgres connection string for the link-sharing database. |
mongo_db_connection_string | The connection string that is required for communicating with MongoDB. |
postgres_server | The hostname for the Postgres server. This key is taken from the RDS Postgres instance. |
postgres_user | The username for the Postgres instance. |
postgres_user_password | The password for the Postgres instance. |
redis_connection_host | The hostname for the Elasticache Redis instance. |
redis_connection_host_and_port | The hostname and the port for the Elasticache Redis instance. |
redis_connection_password | The Elasticache Redis password. |
uvcs_authorization | The authorization header that is required for communicating with Unity Version Control (UVCS). |
workspace_service_connection_strings | The Npgsql Postgres connection string for the workspace database. |
Data storage
Sensitive data
The following data stores contain customer data:Data Store | Description |
|---|---|
Storage backend (UVCS) | Used to store customer assets |
Elasticsearch | Used for search in asset metadata |
Elasticache Redis | Used to cache the temporary assets and metadata |
MongoDB | Used to store asset metadata |
RDS Postgres | Used to persist the Keycloak users, roles, sessions, and admin events
Used to store Unity Cloud Automation events |
Encryption
The following AWS resources use encryption with keys that AWS manages. AWS Key Management Service (KMS) generates and encrypts the data key that resources use for encryption.Amazon Simple Storage Service
The process uses Amazon Simple Storage Service (Amazon S3) to store the Terraform backend. Amazon S3 uses the default server-side encryption (SSE-S3).Amazon Elastic File System
The process uses EFS to persist volumes within Kubernetes. EFS uses the AES-256 encryption algorithm to secure data and metadata at rest. The process uses the Container Storage Interface (CSI) Driver for Amazon EFS to encrypt data in transit.Amazon Elastic Block Storage
The process uses EBS for persistent volumes within the following machines, including snapshots:- Kubernetes machines
- Amazon Elastic Compute Cloud (EC2) machines that are deployed outside of Kubernetes