Acante Agentless Deployment Architecture
    • 28 Feb 2024

    Hybrid SaaS Architecture: Secure by Design

    Acante is deployed as a "Hybrid SaaS" architecture to provide ease of deployment while keeping customer data secure. All sensitive customer data remains in the customer environment; only meta-data is sent back to Acante Cloud to power the Web UI.

    The following Cross-account Roles are created to capture security audit meta-data:

    • Acante Datastore Discovery roles: gather inventory of datastores, IAM identities and policies
    • Classifier role: manages custom data identifiers, pulls configuration and job management for AWS Macie
    • CloudWatch role: pulls CloudWatch logs for Acante resources (lambda services)

    All Acante components are deployed in a standalone VPC automatically created within the customer environment. This ensures security isolation of Acante lambdas and ensures no impact on customer infrastructure.

    • VPC: where Acante components are deployed
    • S3 buckets:
      • Sampled Data bucket: samples of data are copied here for classification. All data samples are deleted on completion of the classification job
      • Metadata bucket: classification results from Macie are stored here. This meta-data is transferred to Acante via the “S3 sync” service provided by AWS, which transfers it securely and under access privileges
    • Lambdas:
      • Sampler: controls data sampling from datastores (S3, RDS, …). Temporarily holds data in the Sampled Data bucket
      • Log processor: connects to the S3 bucket where the Trail events are stored. It pre-processes and reduces audit and query logs from CloudWatch/Trail to extract relevant access info, redact any sensitive data, and forward the result to Acante
      • Log Manager: it configures the data event selectors of the Data Events Trail. The selectors are created to filter and only deliver data events for the datastores which have been tagged for access monitoring.
    • SQS Queue: 1-way configuration control messages from Acante cloud to Sampler lambda
    • Private Link: secure communication for logs transport between customer VPC and Acante cloud on AWS
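
    The Log Manager item above describes data event selectors that deliver events only for datastores tagged for access monitoring. The following is an added example, not Acante's code, showing how such selectors can be derived from a tagged inventory in the format CloudTrail's advanced event selectors use; the tag key and value, the inventory records and the function names are assumptions made for illustration.

```python
# Added example: CloudTrail advanced event selectors for tagged datastores only.
# The tag key/value and the inventory records are constructed for illustration.
MONITOR_TAG = ("example:access-monitoring", "enabled")  # hypothetical tag

INVENTORY = [  # constructed sample, not real resources
    {"arn": "arn:aws:s3:::payments-raw", "type": "s3",
     "tags": {"example:access-monitoring": "enabled"}},
    {"arn": "arn:aws:s3:::public-assets", "type": "s3", "tags": {}},
    {"arn": "arn:aws:dynamodb:us-east-1:111122223333:table/orders",
     "type": "dynamodb", "tags": {"example:access-monitoring": "enabled"}},
    {"arn": "arn:aws:dynamodb:us-east-1:111122223333:table/cache",
     "type": "dynamodb", "tags": {"example:access-monitoring": "disabled"}},
]

# CloudTrail resources.type and ARN match operator per datastore kind.
# S3 data events are per object, so the bucket ARN plus "/" is matched as a
# prefix; the slash keeps "payments-raw-backup" from matching "payments-raw".
RESOURCE_TYPES = {
    "s3": ("AWS::S3::Object", "StartsWith", lambda arn: arn + "/"),
    "dynamodb": ("AWS::DynamoDB::Table", "Equals", lambda arn: arn),
}

def is_monitored(store):
    key, value = MONITOR_TAG
    return store.get("tags", {}).get(key) == value

def build_selectors(inventory):
    """One selector per datastore kind, covering only tagged datastores.
    Untagged stores and kinds without a mapping are left out."""
    arns_by_kind = {}
    for store in inventory:
        if is_monitored(store) and store["type"] in RESOURCE_TYPES:
            arns_by_kind.setdefault(store["type"], []).append(store["arn"])
    selectors = []
    for kind, arns in sorted(arns_by_kind.items()):
        res_type, op, to_match = RESOURCE_TYPES[kind]
        selectors.append({
            "Name": f"monitored-{kind}",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": [res_type]},
                {"Field": "resources.ARN", op: sorted(to_match(a) for a in arns)},
            ],
        })
    return selectors

if __name__ == "__main__":
    import json
    print(json.dumps(build_selectors(INVENTORY), indent=2))
```

    The returned list has the shape of the `AdvancedEventSelectors` parameter of CloudTrail's `put_event_selectors` API; comparing it with the selectors actually configured on a trail shows whether any untagged datastore is being logged.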

    Accessing the Acante Artifacts

    The entire deployment is driven by a single Root Module via Terraform. It automatically invokes all other child modules as described here. The Root module, the input variables files, README etc. can be downloaded via the Configurations tab in the Acante UI as a tar.gz. Unpack the tar file and review the README for the simple steps to run the Terraform.

    Components Deployed

    The deployment process involves running a single Terraform Root Module, which automatically invokes the child modules. By default, all resources created by Acante are tagged with the key “acante:ResourceTag/Name”; the value reflects the name of the resource being created. Additional tags can be added to these resources using the resource-tags map provided as an input variable in the dev.tfvars file. The README file has simple steps to run the Terraform. A summary of the components deployed by each of the child modules is provided below.

    “Aws-vpc”

    This module creates the Acante managed VPC where all Acante components are deployed.

    “Discovery-service”

    This module creates the cross-account roles described above. The module outputs the cross-account Discovery role ARN, which needs to be provided to Acante in the Configuration page.

    “Macie”

    This module:

    • Enables AWS Macie and puts it in paused state
    • Creates the KMS key that will be used to encrypt the S3 Metadata bucket
    • Provisions the Metadata S3 bucket (as noted in this section)

    “Vpcendpoint-gateway”

    This Terraform module configures the networking for the Acante lambda services in the Acante VPC to communicate with AWS services (e.g. S3, DynamoDB, etc.).

    “Lambda-functions”

    This Terraform module provisions the:

    • SQS queue used by the Acante cloud service to push configuration messages to the Sampler Lambda
    • Sampler Lambda function
    • S3 Sampled Data bucket (as noted in this section)

    The module outputs the SNS topic to be configured in the existing CloudTrail Management Trail.

    “Vpcendpoint-interface”

    This Terraform module provisions the interface VPC endpoints used by Acante lambda services to communicate with AWS services in the customer account such as Macie and to the API gateway in the Acante account. A Private Link is used for secure communication between the customer VPC and the Acante VPC.