Features & Responsibilities Matrix

All security features that are available on e6data are listed below, along with the responsibility for configuring and managing each.

Network Access Controls

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Deploy into an EKS cluster that you manage and secure. By default, no ingress is allowed to the data plane. | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
| Authenticated access from users or clients to the e6data control plane UI and APIs | AWS | Credentials to access UI & Personal Access Tokens for APIs to be generated by users. |
| Private access (or private link) from the data plane to the e6data control plane | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
| IP access lists to control access to e6data control plane UI and APIs over the internet | AWS | Only Kubernetes management access between the e6data control plane and data plane. Any other access should be provided by users. |
| Ingress for 3rd party querying tools to access the engine. | AWS | User should enable Kubernetes Ingress for external connectors. |

User and Group Management

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Use the cloud service provider identity management for seamless integration with cloud resources | AWS | e6data |
| Single Sign-On with identity provider integration (you can enable MFA via the identity provider) | AWS | Can be configured in the e6data console. |
| Service principals or service accounts to manage application identities for automation | AWS | e6data |
| User account locking to temporarily disable a user’s access to e6data | AWS | e6data |
| Role-based access controls to provide least required privileges for users/groups. | AWS | Configured by user. |

Access Management

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Fine-grained permission-based access control to all e6data objects including workspaces, catalog, clusters and queries | AWS | Users should configure access for their team members. |
| Secure API access with personal access tokens with permission management | AWS | e6data provides unique tokens in the Console for secure access. |
| Segment users, workloads and data with different security profiles in multiple workspaces | AWS | Use separate workspaces where possible to segment users who need access to different data sources. |

Data Security

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Encryption of control plane data at rest | AWS | e6data (enabled by default) |
| Encryption in transit of all communications between the e6data control plane and customer data plane | AWS | e6data (enabled by default) |

Workload Security

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Manage code versions effectively with repos | AWS | e6data |
| Built-in secret management to avoid hardcoding credentials in code | AWS | e6data |
| Managed data plane docker image regularly updated with patches, security scans and basic hardening | AWS | e6data |
| Contain costs, enforce security and validation needs with cluster policies | AWS | e6data |
| Immutable short-lived infrastructure to avoid configuration drift | AWS | e6data |
| Enhanced hardening with security monitoring and vulnerability reports of managed data plane images | AWS | e6data |

Auditing & Logging

| Feature | Cloud | Responsibility |
| --- | --- | --- |
| Comprehensive and configurable audit logging of activities of e6data users | AWS | Logged by e6data. Can be consumed by users through Console or API. |
| Logging of run queries | AWS | Logged by e6data. Can be consumed by users through Console or API. |
| e6data infrastructure logging | AWS | Logged by e6data. Can be consumed by users through Console or API. |

Security Certifications

| Certification | Cloud |
| --- | --- |
| ISO 27001 | AWS |
| ISO 27017 | AWS |
| ISO 27018 | AWS |
| ISO 27701 | AWS |
| SOC 2 Type 1 | AWS |
