As a Cloud First company, we at cmpute take security very seriously and it has always been at the heart of our decisions & workflows from day one.
CMPUTE runs within your secure AWS account. It uses IAM Roles and a set of permissions associated with it to access & manage AWS infrastructure. We DO NOT store your AWS Access and Secret keys.
We adhere to AWS recommended best practices for assuming a role within your AWS account.
To start using cmpute you are required to create a role that cmpute can assume within your AWS account. We have published an exhaustive list of permissions that cmpute requires to manage your AWS environment in the most cost effective manner. We DO NOT require * (All) permissions and only take fine grained permissions for different AWS services.
The following are the permissions that are required across services:
AWS:EC2 ec2:CreateSecurityGroup ec2:CreateSpotDatafeedSubscription ec2:CancelSpotInstanceRequests ec2:CreateTags ec2:DeleteTags ec2:CreateVolume ec2:attach* ec2:Describe* ec2:RequestSpotInstances ec2:RunInstances ec2:GetConsoleOutput ec2:AuthorizeSecurityGroup* **On Resources Created by Cmpute** ec2:StartInstances ec2:StopInstances ec2:TerminateInstances ec2:DeleteVolume ec2:DeleteSecurityGroup
s3:AbortMultipartUpload s3:Get* s3:List* s3:Put* s3:RestoreObject s3:CreateBucket
sqs:CreateQueue sqs:GetQueueAttributes sqs:GetQueueUrl sqs:ListQueues sqs:SetQueueAttributes
cloudwatch:DescribeAlarmHistory cloudwatch:DescribeAlarms cloudwatch:DescribeAlarmsForMetric cloudwatch:DisableAlarmActions cloudwatch:EnableAlarmActions cloudwatch:GetMetricData cloudwatch:GetMetricStatistics cloudwatch:ListMetrics cloudwatch:PutMetricAlarm cloudwatch:PutMetricData cloudwatch:SetAlarmState AWS:Autoscaling autoscaling:Describe* autoscaling:AttachLoadBalancers autoscaling:CreateOrUpdateTags autoscaling:DetachLoadBalancers autoscaling:AttachInstances autoscaling:DetachInstances autoscaling:SetDesiredCapacity autoscaling:TerminateInstanceInAutoScalingGroup autoscaling:UpdateAutoScalingGroup
elasticmapreduce:AddTags elasticmapreduce:AddJobFlowSteps elasticmapreduce:DescribeJobFlows elasticmapreduce:DescribeCluster elasticmapreduce:DescribeStep elasticmapreduce:ListBootstrapActions elasticmapreduce:ListClusters elasticmapreduce:ListInstanceGroups elasticmapreduce:ListInstances elasticmapreduce:ListSteps elasticmapreduce:ModifyInstanceGroups elasticmapreduce:RunJobFlow
On Resources Created by Cmpute
elasticmapreduce:RemoveTags elasticmapreduce:SetTerminationProtection elasticmapreduce:SetVisibleToAllUsers elasticmapreduce:TerminateJobFlows
elasticbeanstalk:Describe* elasticbeanstalk:RequestEnvironmentInfo elasticbeanstalk:RetrieveEnvironmentInfo elasticbeanstalk:ValidateConfigurationSettings elasticbeanstalk:RestartAppServer
ecs:Describe* ecs:List* ecs:DeregisterContainerInstance ecs:RegisterTaskDefinition elasticloadbalancing:ConfigureHealthCheck elasticloadbalancing:DeregisterInstancesFromLoadBalancer elasticloadbalancing:Describe* elasticloadbalancing:RegisterInstancesWithLoadBalancer iam:ListRoles iam:ListInstanceProfiles iam:ListInstanceProfilesForRole iam:PassRole sts:AssumeRole logs:CreateLogGroup logs:PutRetentionPolicy
We have a strict Time-bound key rotation policy for managing resource passwords and keys that are used internally. In practice these are rotated at regular intervals to contain damages due to any extremely rare incident of a data breach.
As a customer you are provided with your own cmpute account. We provide the following ways for you to interface with cmpute :
CMPUTE API backend only processes authenticated and signed requests from the user. cmpute uses HMAC-SHA1 authentication. All responses are signed to ensure that the origin of the response is indeed cmpute and no one else.
CMPUTE SDKs use APIs internally and take care of signing and authentication for you.
We have a High Availability (HA) setup for our backend infrastructure and hence is tolerant to failures across Availability Zones and Regions.
The cmpute infrastructure works within its own Virtual Private cloud (VPC) and therefore is isolated from the public internet. Access to any resources within the VPC from the public internet is carefully modulated using appropriate Security Groups and Access Control Lists (ACLs).
We have separate Environments (Dev QA and Production) each serving a specific purpose in the product’s Development Life Cycle. Exhaustive testing and Quality assurances are undertaken in the QA environment before any feature is moved live.