Security of the Cloud
Security of the AWS cloud is AWS's highest priority: AWS operates data centers and a network architecture built to meet the requirements of the most security-sensitive organizations.
Security is nevertheless a responsibility shared between AWS and Vittoria.io. The shared responsibility model below describes that split in terms of security of the cloud and security in the cloud:
Security of the cloud
AWS is responsible for protecting the infrastructure that runs AWS services in the AWS cloud. For Amazon EKS, AWS is responsible for the Kubernetes control plane, which includes the control plane nodes and the etcd database. Third-party auditors regularly test and verify security effectiveness as part of AWS compliance programs.
The following non-exhaustive list shows, for each compliance program, which of the AWS services used by Vittoria.io are in scope:
C5 (Cloud Computing Compliance Criteria Catalogue):
Amazon CloudWatch
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
AWS Shield
Elastic Load Balancing (ELB)
CCCS (Canadian Centre for Cyber Security):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Service (ECS) (includes ECS Anywhere)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS) (includes EKS Anywhere)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing [EC2 feature]
CISPE (Cloud Infrastructure Service Providers in Europe Data Protection Code of Conduct):
Amazon CloudWatch
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
CPSTIC (Catalogue of ICT Security Products and Services of the Spanish National Cryptologic Centre, CCN):
Amazon CloudWatch
Amazon EC2
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
DESC CSP (Cloud Service Provider Security Standard of the Dubai Electronic Security Center):
Amazon CloudWatch
Amazon DynamoDB
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
AWS Shield
Elastic Load Balancing
FINMA (Swiss Financial Market Supervisory Authority):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
GNS (GNS National Restricted Certification):
Amazon CloudWatch
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
GSM Association (Global System for Mobile communications):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
HIPAA BAA (Health Insurance Portability and Accountability Act):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
HITRUST CSF (Health Information Trust Alliance Common Security Framework):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
IRAP (Information Security Registered Assessors Program):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
ISMAP (Information Systems Security Management and Assessment Program):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
ISO and CSA STAR certifications (International Organization for Standardization (ISO) and Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR)):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
OSPAR (Outsourced Service Provider Audit Report):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
PCI DSS (Payment Card Industry Data Security Standard):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
SOC (System and Organization Controls):
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon Elastic Kubernetes Service (EKS)
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Virtual Private Cloud (VPC)
AWS Shield
Elastic Load Balancing
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
Security in the cloud
Vittoria.io is responsible for the following areas:
- Data plane security configuration, including the security groups that allow traffic from the control plane into the VPC
- Node configuration and the containers themselves
- Node operating system (including security updates and patches)
- Other associated application software:
  - Configuration and management of network controls, such as firewall rules
  - Platform-level identity and access management, with or in addition to IAM
- Data sensitivity, business requirements, and applicable laws and regulations
Here are the main points addressed by Vittoria.io:
1. Access control and network restrictions
Access to our cluster is restricted to our static public IP addresses; connections from any other source are refused. Limiting the entry points in this way considerably reduces the cluster's exposed attack surface.
2. Update management
We maintain a rigorous update policy for all components of our infrastructure:
- Cluster control plane
- Worker nodes
- All associated components
These regular updates ensure that we benefit from the latest security patches and performance improvements.
3. Data encryption
Data security at rest is a priority:
- All our S3 buckets are encrypted
- EFS volumes containing customer data are encrypted by default
- EC2 instance root volumes are encrypted
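Two of the controls above can be verified directly against the AWS API: that the cluster is reachable only from a fixed set of public addresses (point 1) and that S3, EFS and EBS storage is encrypted at rest (point 3). The script below is an added example of such a check; it is not Vittoria.io's own tooling. ALLOWED_CIDRS, the cluster name and all sample resources are assumed placeholders, and the check functions take the plain dict shapes that boto3 returns so they can run offline on the constructed sample at the bottom; `collect_live` gathers the same structure from a real account when boto3 and credentials are available.

```python
"""Offline-testable audit of cluster endpoint exposure and encryption at rest.

Added example, not the page's own code. The check functions accept the dict shapes
returned by boto3 (describe_cluster, describe_volumes, describe_file_systems,
get_bucket_encryption) so they run on the constructed SAMPLE without credentials.
"""
import ipaddress
from typing import Optional

# Assumed placeholder: the static public addresses allowed to reach the cluster API.
ALLOWED_CIDRS = ["203.0.113.10/32", "198.51.100.0/28"]


def check_cluster_endpoint(cluster: dict, allowed_cidrs=ALLOWED_CIDRS) -> list:
    """Findings for an EKS cluster dict (describe_cluster()["cluster"]).

    A public endpoint is acceptable only if every CIDR in publicAccessCidrs lies
    inside one of the allowed ranges; 0.0.0.0/0 therefore always produces a finding.
    """
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    name = cluster.get("name", "?")
    if vpc.get("endpointPublicAccess", False):
        allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        for cidr in vpc.get("publicAccessCidrs", []):
            net = ipaddress.ip_network(cidr)
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{name}: public endpoint reachable from {cidr}")
    return findings


def unencrypted_volumes(volumes: list) -> list:
    """IDs of EBS volumes without encryption (describe_volumes()["Volumes"])."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def unencrypted_file_systems(file_systems: list) -> list:
    """IDs of EFS file systems without encryption (describe_file_systems()["FileSystems"])."""
    return [fs["FileSystemId"] for fs in file_systems if not fs.get("Encrypted", False)]


def unencrypted_buckets(bucket_encryption: dict) -> list:
    """Bucket names with no default encryption rule.

    Maps bucket name -> get_bucket_encryption() response, or None when that call
    failed with ServerSideEncryptionConfigurationNotFoundError.
    """
    out = []
    for name, resp in bucket_encryption.items():
        rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        if not algos & {"AES256", "aws:kms", "aws:kms:dsse"}:
            out.append(name)
    return out


def audit(data: dict) -> list:
    """Run every check over a dict of the shape returned by collect_live()."""
    findings = check_cluster_endpoint(data["cluster"])
    findings += [f"EBS volume {v} is not encrypted" for v in unencrypted_volumes(data["volumes"])]
    findings += [f"EFS file system {f} is not encrypted" for f in unencrypted_file_systems(data["file_systems"])]
    findings += [f"S3 bucket {b} has no default encryption" for b in unencrypted_buckets(data["buckets"])]
    return findings


def collect_live(cluster_name: str, region: str) -> dict:
    """Gather the same structure from a live account (needs boto3 and credentials).

    Pagination is omitted for brevity; the cluster name and region are caller-supplied.
    """
    import boto3
    from botocore.exceptions import ClientError
    s3, ec2, efs, eks = (boto3.client(s, region_name=region) for s in ("s3", "ec2", "efs", "eks"))
    buckets = {}
    for b in s3.list_buckets()["Buckets"]:
        try:
            buckets[b["Name"]] = s3.get_bucket_encryption(Bucket=b["Name"])
        except ClientError as e:
            if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            buckets[b["Name"]] = None  # no default encryption configured
    return {
        "cluster": eks.describe_cluster(name=cluster_name)["cluster"],
        "volumes": ec2.describe_volumes()["Volumes"],
        "file_systems": efs.describe_file_systems()["FileSystems"],
        "buckets": buckets,
    }


# Constructed sample in the boto3 response shapes (placeholder resources, not real ones).
SAMPLE = {
    "cluster": {"name": "prod", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.10/32", "0.0.0.0/0"]}},
    "volumes": [{"VolumeId": "vol-0a1", "Encrypted": True}, {"VolumeId": "vol-0b2", "Encrypted": False}],
    "file_systems": [{"FileSystemId": "fs-0c3", "Encrypted": True}],
    "buckets": {
        "customer-data": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/data"}}]}},
        "legacy-logs": None,
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

On the sample, the audit reports the open 0.0.0.0/0 entry, the unencrypted volume and the bucket with no default rule; the allowed /32 and the KMS-encrypted bucket pass. Note that the S3 check only tests for a default encryption rule; objects uploaded before such a rule was set, or with an explicit unencrypted request, need a separate inventory.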
4. Backup and disaster recovery
- Velero for backing up Kubernetes resources
- Kopia for persistent data backup
5. Protection against DDoS attacks (AWS Shield)
6. Monitoring and observability
- Prometheus for metrics collection
- Grafana for data visualization and analysis
7. AWS access management
- Named, per-person access to AWS (no shared accounts)
- Access rights restricted to what each person's role requires
8. Image security and pre-deployment testing
- Verify image behavior in a production-like environment
- Detect and resolve potential integration or configuration problems
- Validate the performance and stability of new versions