Cloud Connector Security
Why do I need to deploy this CloudFormation template?
Elastio’s architecture is specifically designed to ensure your data is always under your control and never leaves your AWS account, while still providing the ease of deployment and convenience you’d expect from a fully hosted SaaS product. Elastio deploys a Cloud Connector within your AWS account to manage data protection. This requires maintaining a careful balance of security concerns, both within your AWS accounts and in Elastio-managed infrastructure.
As a part of that balance, each Elastio customer needs to create several IAM roles for use by the Cloud Connector. For convenience and transparency, we package these roles into a CloudFormation template which you must deploy yourself. This way your deployment experience is as simple as possible, without giving Elastio any sensitive credentials with which to access your account.
All of the permissions granted to all of the roles are clearly specified in the CloudFormation template, so you know up front what permissions you are trusting Elastio with. We encourage you to review this template before deploying, and contact us if you have any questions or concerns.
Why do I need to grant CAPABILITY_NAMED_IAM when deploying Elastio’s CloudFormation template?
Amazon CloudFormation by default will not allow CloudFormation templates to create named IAM users or roles, because the ability to do so is very sensitive and if misused could cause AWS customers to grant access rights to other entities accidentally. Therefore Amazon have decided that in order to deploy a CloudFormation template which creates named IAM resources, the user performing the deployment must explicitly acknowledge that IAM resources are being created by granting the CAPABILITY_NAMED_IAM capability. This is why when deploying our CloudFormation template via the CloudFormation GUI, you must check a check box explicitly acknowledging that IAM resources will be created as part of this template deployment.
All CloudFormation templates from all sources will require this capability if they create IAM roles, users, or policies. Elastio is no exception. See the AWS documentation of the CreateStack API for a longer description of CAPABILITY_NAMED_ITEM and when it’s required. See the next section for more details on what these IAM resources are for and why they are needed.
What kind of access to my AWS account does Elastio require?
The CloudFormation template which you deploy into your AWS account as part of the Elastio installation creates many IAM roles, one for each AWS Lambda function and ECS service in the Elastio Cloud Connector, so that each component runs with only the minimum set of permissions it needs (ie, the principle of “Least Privilege”). For example, backing up EBS requires the permission to take a snapshot of all EBS volumes, but listing backups shouldn’t have any access to EBS at all. With only two exceptions, these IAM roles are only used within your account to run Elastio code, and are not available for use by Elastio personnel or code running on Elastio servers.
The two exceptions are as follows:
The first is a role called ElastioTenant, which is a role that Elastio’s SaaS component is able to assume so that it can perform certain selected tasks in your account on your behalf, including communicating with the Elastio Cloud Connector, and getting information about what assets are in your account which are available for protection. The ability to assume this role is limited to a specific Elastio AWS account, and requires a secret key specific to your account which is stored encrypted by Elastio with very restricted access to minimize the risk of a compromise.
Second, the role ElastioInstaller has enough permission to create and destroy the resources which Elastio manages in your account, with the exception of resources which contain your backup data (those can be created but not destroyed). The Elastio Tenant only assumes this role when deploying, updating, or removing the Elastio Cloud Connector in a particular account; for all other operations the ElastioTenant role is used.
How can I audit Elastio’s activity in my account
Prior to deploying Elastio, customers can review the permissions granted to the ElastioTenant and ElastioInstaller roles in the CloudFormation template. AWS IAM ensures that only the permissions explicitly granted to those roles are available to Elastio, so customers can be confident that Elastio’s ability to operate on their accounts is limited to specific well-defined operations. Post-deployment, we encourage customers to enable CloudTrail auditing if they haven’t already. This will provide a detailed audit log not only of what Elastio Tenant is doing in their AWS accounts, but also what the Elastio Cloud Connector components are doing internal to each AWS account.
For additional information on the IAM roles and permissions Elastio uses for operation, visit this page.
The list of Elastio resources created in your AWS account can be found here.