cmpute.io platform manages cloud resources for the customer. To enable operations, the platform requires permissions to perform specific operations on behalf of the customer. This is achieved by creating an AWS IAM Role in the customer account that attaches the following policies.
When a new cloud account is attached with cmpute.io platform, a new role is created within the customer account. All permission regarding this role are available as part of the open to public repository. When adding a new account, cmpute.io offers the customer a cloud formation template which will perform the necessary actions. The entire template is available in the below URL.
Once the role is created, the role permissions and trust can be viewed by navigating to the AWS IAM Console and selecting the newly created role.
The platform creates a trust relationship between the customer AWS account and the cmpute.io platform AWS account. The platform AWS account information is added as a trusted party during the call along with an identifier string. This enables that only applications which are operating within the cmpute.io AWS accounts have access to the customer role and not anybody from outside.
The platform performs critical operations like launching infrastructure, managing the infrastructure during its lifetime and removing infrastructure which may have served its purpose. To enable auditing, all infrastructure that are managed by cmpute.io platform are tagged. To ensure that other infrastructure are not disturbed by the cmpute.io platform, only resources that are managed by cmpute.io can be stopped/terminated. This is done using the tags that are added to instances.
All calls that are made by cmpute.io on behalf of the customers can be audited and logged by enabling AWS CloudTrail on the newly created role. This allows continuous monitoring of all the actions performed by cmpute.io platform and also helps in auditing to identify access to resources.
The role information that is provided by the customer is encrypted using AWS KMS key store.The decryption of the roles are only done when necessary and is used to receive temporary grant to perform AWS operations. The role information is securely encrypted in disk at all times.
The platform assumes the customer role when accessing the customer cloud account. The assume role operation receives a temporary access key and secret key which are valid for at-most one hour. The information is encrypted and kept in-memory of the application. The keys are automatically rotated when they expire. The information is never persisted to disk and is kept encrypted in-memory at all times. The information is decrypted to access AWS resources of the customer and are discarded when the validity of the keys are expired.