Acante Agentless Deployment Architecture
    • 31 Mar 2025

    Hybrid SaaS Architecture: Secure by Design

    Acante is deployed as a "Hybrid SaaS" architecture, which provides ease of deployment while keeping customer data secure. All sensitive customer data remains in the customer environment; only metadata is sent back to Acante Cloud to power the Web UI.


    The following cross-account roles are created to capture security audit metadata:

    • Acante Datastore Discovery roles: gather an inventory of datastores, IAM identities and policies
    • Classifier role: manages custom data identifiers, pulls configuration and handles job management for classification
    • CloudWatch role: pulls CloudWatch logs for Acante resources (Lambda services)
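    The roles above are the customer-side trust boundary of the agentless model, so a reviewer will want to confirm two things about each of them before running the Terraform: that only the vendor's account can assume the role (and only with an external ID, the standard confused-deputy control), and that a role described as "discovery" or "log pulling" carries no write actions. The checker below is an added example and is not Acante's code or part of its Terraform; the three policy documents, the vendor account number and the external ID are constructed placeholders, and the checks are generic cross-account hygiene checks rather than a description of how Acante's roles are actually defined.

```python
"""Offline least-privilege review of a vendor cross-account role.

Added example, not Acante's code or its Terraform. The three policy documents
below are constructed to illustrate the checks; the vendor account number and
external ID are placeholders.
"""
import json
import re

VENDOR_ACCOUNT = "111111111111"  # placeholder for the vendor's AWS account

# Constructed trust policy: only the vendor account may assume the role, and only
# when it presents the agreed external ID.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Constructed permissions for a datastore-discovery role: inventory only.
DISCOVERY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets", "s3:GetBucketTagging", "s3:GetBucketLocation",
            "rds:DescribeDBInstances", "iam:ListRoles", "iam:ListPolicies",
            "iam:GetPolicyVersion",
        ],
        "Resource": "*",
    }],
})

# Constructed counter-example: a write action slipped into a "read-only" role.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "s3:PutBucketPolicy"],
        "Resource": "*",
    }],
})

# Action verbs treated as read-only for an inventory/discovery role.
READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "Head", "Select")


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [value]


def write_actions(policy_json):
    """Return the allowed actions that are not obviously read-only (wildcards included)."""
    flagged = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


def trust_findings(trust_json, vendor_account):
    """Flag trust statements that admit any principal other than the expected vendor
    account, or that omit the sts:ExternalId condition (confused-deputy protection)."""
    findings = []
    for stmt in _as_list(json.loads(trust_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str)
                                  else principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal")
            elif not re.match(rf"^arn:aws:iam::{vendor_account}:", p):
                findings.append(f"unexpected principal {p}")
        conditions = stmt.get("Condition", {})
        if "sts:ExternalId" not in conditions.get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition")
    return findings


def review_role(trust_json, permissions_json, vendor_account):
    """Combine both checks into one list of findings; an empty list means the role passed."""
    return trust_findings(trust_json, vendor_account) + [
        f"non-read-only action {a}" for a in write_actions(permissions_json)
    ]


if __name__ == "__main__":
    for name, perms in (("discovery", DISCOVERY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, review_role(TRUST_POLICY, perms, VENDOR_ACCOUNT) or "OK")
```

    To use this against a real deployment, export the trust and permissions documents of each created role (for example with the AWS CLI's `iam get-role` and `iam get-policy-version`) and pass the JSON strings to `review_role`. The read-only verb list is deliberately conservative: an action it flags is not necessarily wrong, but it is one the reviewer should be able to explain from the role's stated purpose.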

    All Acante components are deployed in a standalone VPC that is created automatically within the customer environment. This isolates the Acante Lambdas from the customer's own network and ensures no impact on customer infrastructure.

    • VPC: where the Acante components are deployed
    • S3 buckets:
      • Sampled Data bucket: samples of data are copied here for classification. All data samples are deleted on completion of the classification job
      • Metadata bucket: classification results are stored here. This metadata is transferred to Acante via the "S3 sync" service provided by AWS, which transfers it securely and under restricted access privileges
    • Lambdas:
      • Sampler: controls data sampling from datastores (S3, RDS, …) and temporarily holds the samples in the Sampled Data bucket
      • Log processor: connects to the S3 bucket where the CloudTrail events are stored. It pre-processes and reduces the audit and query logs from CloudWatch/CloudTrail to extract the relevant access information, redacts any sensitive data, and forwards the result to Acante
      • Log Manager: configures the data event selectors of the Data Events Trail. The selectors are created to filter and deliver only the data events for the datastores that have been tagged for access monitoring
    • SQS queue: one-way configuration control messages from Acante Cloud to the Sampler Lambda
    • PrivateLink: secure communication for log transport between the customer VPC and Acante Cloud on AWS

    Accessing the Acante Artifacts

    The entire deployment is driven by a single Terraform root module, which automatically invokes all the child modules described here. The root module, the input variable files, the README and so on can be downloaded as a tar.gz from the Configurations tab in the Acante UI. Unpack the archive and review the README for the steps to run the Terraform.