Security of the Cloud

The security of the AWS cloud is our top priority. AWS provides a data center and network architecture designed to meet the security requirements of the most sensitive enterprises.
However, security is a shared responsibility between AWS and Vittoria.io. The shared responsibility model below describes this split using two terms: "cloud security" (AWS's responsibility) and "security in the cloud" (Vittoria.io's responsibility):

Cloud security
AWS is responsible for protecting the infrastructure that runs AWS services in the AWS cloud. For Amazon EKS, AWS is responsible for the Kubernetes control plane, which includes the control plane nodes and the etcd database. Third-party auditors regularly test and verify security effectiveness as part of AWS compliance programs.

The following is a non-exhaustive list of compliance points for the services used by Vittoria.io within AWS:

C5 (Catalog of cloud computing compliance controls):
  • Amazon CloudWatch
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • AWS Shield
  • Elastic Load Balancing (ELB)

CCCS (Canadian Cyber Security Centre):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic Container Registry (ECR)
  • Amazon Elastic Container Service (ECS) (includes ECS Anywhere)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS) (includes EKS Anywhere)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing [EC2 feature]

CISPE (Data Protection Code of Conduct of the Association of Cloud Infrastructure Service Providers in Europe (CISPE)):
  • Amazon CloudWatch
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)

CPSTIC (Catalogue of products and services of the Centre National de Cryptologie (CCN) STIC (CPSTIC)):
  • Amazon CloudWatch
  • Amazon EC2
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

DESC CSP (Cloud Service Provider Security Standard of the Dubai Electronic Security Center):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • AWS Shield
  • Elastic Load Balancing

FINMA (Swiss Financial Market Supervisory Authority):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing

GNS (GNS National Restricted Certification):
  • Amazon CloudWatch
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing

GSM Association (Global System for Mobile communications):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing

HIPAA BAA (Health Insurance Portability and Accountability Act):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing

HITRUST CSF (Health Information Trust Alliance Common Security Framework):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

IRAP (Information Security Assessors Program):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

ISMAP (Information Systems Security Management and Assessment Program):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

ISO and CSA STAR certificates (International Organization for Standardization (ISO) and Cloud Security Alliance (CSA) Security Assurance and Risk (STAR)):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

OSPAR (Outsourced Service Provider Audit Report):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

PCI (Payment Card Industry Data Security Standard):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

SOC (System and Organization Controls):
  • Amazon CloudWatch
  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (S3)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Shield
  • Elastic Load Balancing
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)

Security in the cloud

Vittoria.io covers the following areas:

  • Data plane security configuration, including the configuration of the security groups that allow traffic from the control plane into the VPC
  • Node configuration and the containers themselves
  • Node operating system (including security updates and patches)
  • Other related application software
  • Configuration and management of network controls, such as firewall rules
  • Platform-level identity and access management, with or in addition to IAM
  • Data sensitivity, business requirements, applicable legislation and regulations

Here are the main points addressed by Vittoria.io:

1. Access control and network restrictions

Access to our cluster is strictly controlled: it is restricted to our static public IP addresses only. This considerably reduces the potential attack surface by limiting the entry points to the cluster.
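
The restriction above is, on EKS, the `publicAccessCidrs` list of the cluster's API endpoint. The following check is an added example (not Vittoria.io's tooling) that reads a document in the shape of `aws eks describe-cluster` output and reports any exposure that contradicts an approved list of static addresses; the cluster name, the addresses (taken from the 203.0.113.0/24 documentation range) and the `APPROVED_CIDRS` allowlist are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of `aws eks describe-cluster` output.
# Field names follow the EKS API; the cluster name and addresses are placeholders.
SAMPLE_CLUSTER = {
    "cluster": {
        "name": "placeholder-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            # 0.0.0.0/0 is what EKS applies when public access is enabled
            # without an explicit CIDR list.
            "publicAccessCidrs": ["203.0.113.10/32", "0.0.0.0/0"],
        },
    }
}

# Same shape, restricted to the approved addresses only (constructed).
HARDENED_CLUSTER = {
    "cluster": {
        "name": "placeholder-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["203.0.113.10/32", "203.0.113.11/32"],
        },
    }
}

# Assumed allowlist: the organisation's static public egress addresses
# (documentation range, not real addresses).
APPROVED_CIDRS = ["203.0.113.10/32", "203.0.113.11/32"]


def check_endpoint_access(cluster_doc, approved_cidrs):
    """Return human-readable findings about how the EKS API endpoint is exposed."""
    vpc = cluster_doc["cluster"]["resourcesVpcConfig"]
    approved = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    findings = []

    # Without private access, worker nodes and in-VPC tooling talk to the API
    # through the public endpoint, so the allowlist must also cover the NAT egress.
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private endpoint access is disabled: nodes reach the API over the public endpoint")

    if vpc.get("endpointPublicAccess", False):
        for cidr in vpc.get("publicAccessCidrs", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"public endpoint is reachable from the whole internet ({cidr})")
            elif not any(a.version == net.version and net.subnet_of(a) for a in approved):
                findings.append(f"public endpoint allows {cidr}, which is not in the approved static IP list")
    return findings


def is_restricted(cluster_doc, approved_cidrs):
    """True when the endpoint exposure matches the policy (no findings)."""
    return not check_endpoint_access(cluster_doc, approved_cidrs)


if __name__ == "__main__":
    for label, doc in (("current", SAMPLE_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        print(label, check_endpoint_access(doc, APPROVED_CIDRS) or "OK")
```

The JSON printed by `aws eks describe-cluster --name <cluster> --output json` has exactly the shape the function reads, so `json.load` of that output can be passed in place of the constructed sample; the matching change is made with `aws eks update-cluster-config --resources-vpc-config publicAccessCidrs=...`.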

 

2. Update management

We maintain a rigorous update policy for all components of our infrastructure:

  • Cluster control plane
  • Worker nodes
  • All associated components

These regular updates ensure that we benefit from the latest security patches and performance improvements.

 

3. Data encryption

Data security at rest is a priority:

  • All our S3 buckets are encrypted
  • EFS volumes containing customer data are encrypted by default
  • EC2 instance main volumes are encrypted
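
The three statements above are each verifiable from a single API call per service. The audit below is an added example (not Vittoria.io's code) that evaluates documents in the shape of the boto3 responses to `ec2.describe_volumes()`, `efs.describe_file_systems()` and `s3.get_bucket_encryption()` and lists every resource that is not encrypted at rest; the volume, file system and bucket identifiers and the KMS key ARN are placeholders constructed for the example.

```python
# Constructed samples in the shape of the boto3 responses for
# ec2.describe_volumes(), efs.describe_file_systems() and s3.get_bucket_encryption().
# Every identifier and ARN below is a placeholder, not a real resource.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0placeholder1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:000000000000:key/placeholder"},
        {"VolumeId": "vol-0placeholder2", "Encrypted": False},
    ]
}
SAMPLE_FILESYSTEMS = {
    "FileSystems": [
        {"FileSystemId": "fs-0placeholder1", "Encrypted": True},
        {"FileSystemId": "fs-0placeholder2", "Encrypted": False},
    ]
}
# get_bucket_encryption() result per bucket; None stands for a bucket for which the
# call raised ServerSideEncryptionConfigurationNotFoundError (no default rule set).
SAMPLE_BUCKETS = {
    "placeholder-bucket-a": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:000000000000:key/placeholder"}}]}},
    "placeholder-bucket-b": None,
}


def unencrypted_volumes(describe_volumes_resp):
    """EBS volumes whose blocks are stored without encryption."""
    return [v["VolumeId"] for v in describe_volumes_resp.get("Volumes", [])
            if not v.get("Encrypted")]


def unencrypted_filesystems(describe_fs_resp):
    """EFS file systems created without encryption (it can only be chosen at creation)."""
    return [f["FileSystemId"] for f in describe_fs_resp.get("FileSystems", [])
            if not f.get("Encrypted")]


def bucket_sse_algorithm(encryption_resp):
    """Default SSE algorithm of a bucket ('AES256' or 'aws:kms'), or None if no rule applies."""
    if not encryption_resp:
        return None
    rules = encryption_resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default and default.get("SSEAlgorithm"):
            return default["SSEAlgorithm"]
    return None


def buckets_without_default_encryption(buckets):
    """Buckets for which no default server-side encryption rule is configured."""
    return [name for name, resp in buckets.items() if bucket_sse_algorithm(resp) is None]


def audit_encryption(volumes, filesystems, buckets):
    """One report across the three storage services the policy above covers."""
    return {
        "ebs": unencrypted_volumes(volumes),
        "efs": unencrypted_filesystems(filesystems),
        "s3": buckets_without_default_encryption(buckets),
    }


if __name__ == "__main__":
    print(audit_encryption(SAMPLE_VOLUMES, SAMPLE_FILESYSTEMS, SAMPLE_BUCKETS))
```

Running this against live responses is a matter of replacing the three samples with the paginated API results; the EFS case is the one worth scheduling, since an unencrypted file system cannot be fixed in place and must be migrated to a new, encrypted one.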
 

4. Backup and disaster recovery

We use a robust backup strategy combining:

  • Velero for backing up Kubernetes resources
  • Kopia for persistent data backup

We keep one snapshot per day for each target volume, so that we can always restore with Velero.

Kopia backups are incremental and encrypted.

Our Kopia configuration also implements a retention policy that protects data while managing storage space efficiently. Summary of the retention policy:

  • Annual snapshots: 3 retained (one snapshot per year, kept for 3 years)
  • Monthly snapshots: 24 retained (one snapshot per month, kept for 2 years, i.e. 24 months)
  • Weekly snapshots: 4 retained (one snapshot per week, kept for 4 weeks)
  • Daily snapshots: 7 retained (one snapshot per day, kept for 7 days)
  • Hourly snapshots: 48 retained (one snapshot per hour, kept for 48 hours, i.e. 2 days)
  • Latest snapshots: 10 always retained (the 10 most recent snapshots are kept regardless of their frequency)
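
The rules above overlap: one snapshot can be the newest of its hour, its day, its week and its month at once, so the number of snapshots actually kept is well below the sum of the counts. The simulation below is an added example (not Vittoria.io's configuration or Kopia's source) of the retention model Kopia documents for these settings: walk snapshots newest-first and, for each calendar rule, keep the newest snapshot in each of the N most recent periods that contain one. The 60 days of hourly snapshots it runs over are constructed input, and the kopia command in the comment is the documented way to set the same counts.

```python
from datetime import datetime, timedelta

# Retention counts from the policy above. In kopia the same policy is expressed as
# `kopia policy set --global --keep-latest 10 --keep-hourly 48 --keep-daily 7
#  --keep-weekly 4 --keep-monthly 24 --keep-annual 3`.
RETENTION = {"latest": 10, "hourly": 48, "daily": 7, "weekly": 4, "monthly": 24, "annual": 3}


def period_id(kind, ts):
    """Bucket a snapshot time into the calendar period that a retention rule counts."""
    if kind == "hourly":
        return ts.strftime("%Y-%m-%d %H")
    if kind == "daily":
        return ts.strftime("%Y-%m-%d")
    if kind == "weekly":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    if kind == "monthly":
        return ts.strftime("%Y-%m")
    if kind == "annual":
        return ts.strftime("%Y")
    raise ValueError(f"unknown period kind: {kind}")


def retention_reasons(snapshot_times, policy=RETENTION):
    """Map each snapshot time to the set of rules that keep it; an empty set means it expires.

    Snapshots are visited newest-first. 'latest' keeps the N newest outright; each
    calendar rule keeps the first (i.e. newest) snapshot seen in each of the N most
    recent periods that actually contain a snapshot. A snapshot may match several rules.
    """
    ordered = sorted(snapshot_times, reverse=True)
    seen = {kind: set() for kind in policy if kind != "latest"}
    reasons = {}
    for index, ts in enumerate(ordered):
        why = set()
        if index < policy.get("latest", 0):
            why.add("latest")
        for kind, keep in policy.items():
            if kind == "latest":
                continue
            pid = period_id(kind, ts)
            if pid not in seen[kind] and len(seen[kind]) < keep:
                seen[kind].add(pid)
                why.add(kind)
        reasons[ts] = why
    return reasons


def summarize(reasons):
    """Count kept snapshots per rule, plus how many survive and how many expire overall."""
    counts = {kind: 0 for kind in RETENTION}
    for why in reasons.values():
        for kind in why:
            counts[kind] = counts.get(kind, 0) + 1
    counts["kept"] = sum(1 for why in reasons.values() if why)
    counts["expired"] = sum(1 for why in reasons.values() if not why)
    return counts


def hourly_snapshots(end, days):
    """Constructed input: one snapshot every hour for `days` days, ending at `end`."""
    return [end - timedelta(hours=h) for h in range(days * 24)]


def example_summary():
    """60 days of hourly snapshots ending 2024-06-30 23:00 (constructed), under RETENTION."""
    return summarize(retention_reasons(hourly_snapshots(datetime(2024, 6, 30, 23), days=60)))


if __name__ == "__main__":
    print(example_summary())
```

With that input the 48 hourly snapshots already contain the 10 latest ones and the two newest daily ones, the monthly rule only finds two months of history, and the annual rule one year, so 57 snapshots survive out of 1440; feeding in the real snapshot timestamps from `kopia snapshot list` shows what the policy would actually discard before it is applied.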
 

5. Protection against DDoS attacks

We use AWS Shield Standard for basic protection against Distributed Denial of Service (DDoS) attacks, strengthening the resilience of our infrastructure against external threats.
AWS Shield Standard protects against the most common attacks targeting the infrastructure layers (layers 3 and 4), such as SYN/UDP floods and reflection attacks, to ensure the high availability of applications on AWS.
 

6. Monitoring and observability

Our cluster is continuously monitored by:
 
  • Prometheus for metrics collection
  • Grafana for data visualization and analysis
 
This configuration enables us to quickly detect any anomalies or suspicious behavior.
 

7. AWS access management

We apply the principle of least privilege with:

  • Named, individual access to AWS (one identity per person)
  • Appropriate restrictions on what each identity can access
 
This approach minimizes the risks associated with compromised accounts, and makes it easier to audit actions taken.
 

8. Image security and pre-deployment testing

Our deployment process includes crucial steps to guarantee the security and stability of our images:
 
Security analysis: All our images are scanned with Trivy, a recognized vulnerability detection tool. This step enables us to identify and correct potential security flaws before deployment.
Test environment: Before going into production, our images are deployed and tested in a dedicated test cluster. 
 
This practice enables us to:
  • Verify image behavior in a production-like environment
  • Detect and resolve potential integration or configuration problems
  • Validate the performance and stability of new versions
 
This two-step approach considerably enhances the security and reliability of our deployments, reducing the risks associated with the introduction of new vulnerabilities or malfunctions in production.
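
A scan is only a control if something acts on its result before the image reaches the test cluster. The gate below is an added example (not Vittoria.io's pipeline or Trivy's own code) that reads a report in the shape of `trivy image --format json` and refuses promotion when a finding at or above a severity threshold has a fix available; the image name, package names and `CVE-EXAMPLE-*` identifiers are placeholders constructed for the example. Trivy can enforce the same rule on its own with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; parsing the report is what you do when the pipeline must also record which findings blocked the build.

```python
import json

# Constructed Trivy report in the shape of `trivy image --format json <image>`.
# The structure follows Trivy's JSON schema; image, packages and CVE IDs are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "registry.example/app:1.2.3",
  "Results": [
    {
      "Target": "registry.example/app:1.2.3 (debian 12.5)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "tool",
         "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"}
      ]
    },
    {
      "Target": "app/requirements.txt",
      "Class": "lang-pkgs",
      "Vulnerabilities": null
    }
  ]
}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report, threshold="HIGH", ignore_unfixed=True):
    """Findings at or above `threshold`, as (id, package, fixed_version) tuples.

    With ignore_unfixed=True a vulnerability that has no fixed version yet does not
    block the build (there is nothing to upgrade to); it should still be tracked.
    """
    minimum = SEVERITY_RANK[threshold]
    out = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < minimum:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append((vuln["VulnerabilityID"], vuln["PkgName"], vuln.get("FixedVersion") or None))
    return out


def tracked_unfixed(report, threshold="HIGH"):
    """Findings that passed the gate only because no fix exists yet; report, do not block."""
    blocked = set(blocking_findings(report, threshold, ignore_unfixed=True))
    return [f for f in blocking_findings(report, threshold, ignore_unfixed=False) if f not in blocked]


def gate(report, threshold="HIGH", ignore_unfixed=True):
    """True if the image may be promoted to the test cluster."""
    return not blocking_findings(report, threshold, ignore_unfixed)


if __name__ == "__main__":
    print("promote:", gate(SAMPLE_REPORT))
    print("blocking:", blocking_findings(SAMPLE_REPORT))
    print("unfixed, tracked:", tracked_unfixed(SAMPLE_REPORT))
```

In a pipeline the report comes from `trivy image --format json --output report.json <image>` and `json.load` replaces the constructed sample; the `tracked_unfixed` list is what goes into the ticket queue, so that a finding waiting on an upstream fix is re-examined at the next build rather than forgotten.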
 

Conclusion

Our approach to security for our EKS cluster on AWS is multidimensional, covering essential aspects such as access control, data encryption, update management, and continuous monitoring. Although our current configuration offers a consistent level of security, we remain vigilant and continue to identify opportunities for improvement.
For more information, please contact us.