Snowplow's AWS Infrastructure Security Bundle: safeguarding your Behavioral Data Pipeline
The AWS Security Bundle offered by Snowplow is an add-on to Snowplow BDP Enterprise that provides an additional layer of security for your Snowplow implementation on AWS. Below is an outline of what is included in this bundle.
If you're interested in what BDP Enterprise has to offer, learn more about Snowplow features and bolt-ons.
Snowplow's AWS Infrastructure Security Bundle Features
1. VPC Peering
As part of the Snowplow pipeline setup, a Virtual Private Cloud (VPC) is created to host the pipeline in the customer's cloud account. Customers who want to enable VPC peering between their existing VPC and the Snowplow VPC can choose the CIDR/IP range used in the Snowplow-setup VPC to facilitate peering.
2. Custom Tagging
Up to five custom tags can be defined and applied to each AWS resource deployed by Snowplow. Specific tags can be set for VPC assets and S3 bucket assets, without being propagated to all other resources.
3. Custom Security Agents
Customers have the option to install their own custom security agents on EC2 servers deployed as part of the service. The customer can provide the necessary agents via an S3 object, which will be executed as an addendum to Snowplow's user-data scripts. This feature enables customers to meet specific security compliance requirements.
4. Custom IAM Policy
When installing agents on EC2 nodes, additional IAM permissions may be needed (e.g., SSM agent) for proper functionality. Customers can extend the IAM policies attached to EC2 servers with their own custom-defined policy if necessary.
5. SSH Access Control
To align with customers' internal security policies, Snowplow's SSH access to the environment can be disabled.
6. HTTP Access Control
Customers have the ability to disable all non-encrypted HTTP traffic to internet-facing Load Balancers deployed as part of Snowplow BDP.
7. IAM Permissions Boundary
To control the IAM permissions granted to Snowplow services, customers can configure an IAM Permissions Boundary policy. This policy acts as a sandbox, allowing customers to define the specific permissions within Snowplow services, in addition to or instead of account-wide Service Control Policies (SCPs).
Summary
Snowplow already offers a highly private and compliant solution, allowing you to deploy all infrastructure in your own cloud environment, choose your storage location, and manage tracking details meticulously. With the AWS Infrastructure Security Bundle, BDP customers can add an extra layer of security for their behavioral data pipeline.