Document toolboxDocument toolbox

Kyvos Cloud Access Control

Owned by Sarabjeet Kaur
Feb 08, 2024
3 min read

Applies to: Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace

Kyvos Azure Marketplace Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)

The Kyvos team is responsible for operating, managing, deploying, and implementing Kyvos Cloud on AWS with features such as availability, scalability, fault tolerance, and security controls.

Kyvos Cloud infrastructure access is managed by IAM (Identity & Access Management) identities (users, groups of users, or roles). An IAM policy is an object in AWS that defines its permissions when associated with an identity or resource. AWS uses these policies when an IAM principal (user or role) makes an AWS resource access request. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, organization SCPs, ACLs, and session policies.

The end-users access the Kyvos Web portal over the web using Kyvos native application credentials and it can be integrated with external Active Directory services.

Kyvos controls access to information based on business and security requirements. The access rights to AWS resources are provided on the basis of:

  • Create individual IAM users

  • Use groups to assign permissions to IAM users

  • Grant least privilege

  • Use access levels to review IAM permissions

  • Configure a strong password policy for IAM users

  • Enable MFA in AWS account

  • Use roles to delegate permissions

  • Do not share access keys

  • Rotate credentials regularly

  • Remove unnecessary credentials

  • Use policy conditions for extra security

  • Monitor activity of our AWS account

IAM - User Management and Authentication

AWS Identity and Access Management (IAM) enables the user to manage access to AWS services and resources securely. Using IAM, the Kyvos team creates and manages Kyvos users and groups and user permissions to allow and deny access to AWS resources.

Information Security

Kyvos is committed to preserving the confidentiality, integrity, and availability services of Kyvos along with customer data.

Information and information security requirements will continue to be aligned with SOC2 compliance goals. The Information Security Management System intends to enable information sharing, electronic operations, and reducing information-related risks to acceptable levels.

Each customer has an isolated Virtual Private Cloud in AWS, and none of the resources are shared across customers. Kyvos team creates unique IAM ARN (Identity and access management Amazon Resource Names) for each customer. Customer enables IAM ARN at their end to give read access to customers S3 (Simple Storage Service) bucket or AWS Glue.

Customer raw data is hosted in S3 (Simple Storage Service) bucket or AWS Glue, and it is accessed by the Kyvos IAM ARN role. No Kyvos components can write on the customer's raw data. The customer's raw data is only accessed by semantic models from the Kyvos Web portal.

Load Balancer and Firewall

AWS ALB (Application Load Balancer) is used to access Kyvos Web portal. AWS ALB only listens on the SSL layer, and a valid SSL certificate is used.

AWS ALB forwards all incoming requests to AWS WAF (Web Application Firewall). AWS WAF has a built-in capacity for monitoring incoming requests. AWS WAF also provides protection against web attacks using specified rules. AWS WAF comes with the following features to enhance security.

  • Rules that can allow, block, or count web requests that meet the specified Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

  • Managed rule groups from AWS and AWS Marketplace sellers

  • Real-time metrics and sampled web requests

  • Automated administration using the AWS WAF API

VPC

Kyvos uses Amazon Virtual Private Cloud. AWS VPC is a cloud computing service that provides users a virtual private cloud by provision a logically isolated section of Amazon Web Services Cloud. It enables you to launch Amazon Web Services (AWS) resources into a virtual network you have defined.  Kyvos team creates a dedicated VPC for each customer.

Security Groups

A security group acts as a virtual firewall for Elastic Compute Cloud (EC2) instances, Relational Data Base services (RDS), Elastic MapReduce (EMR) services to control incoming and outgoing traffic. Inbound rules control the incoming traffic to AWS instances/services, and outbound rules control the outgoing traffic from AWS instances/services.

Malware and Antivirus

All the Kyvos components are in the private subnet and do not have internet access. All web components are behind the Application Load Balancer

Amazon Guard Duty is enabled for threat detection, which helps accurately and easily to continuously monitor and protect AWS accounts, workloads, and data stored in Amazon S3. Guard Duty analyzes billions of events across AWS accounts from AWS CloudTrail Management

Events (AWS user and API activity in accounts), AWS CloudTrail S3 Data Events (Amazon S3 activity), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).



Copyright Kyvos, Inc. All rights reserved.