| Feature | Cloud | Responsibility |
|---|---|---|
| Deploy into an EKS Cluster that you manage and secure. By default is no ingress allowed to the data plane. | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
| Authenticated access from users or clients to the e6data control plane UI and APIs | AWS | Credentials to access UI & Personal Access Tokens for APIs to be generated by users. |
| Private access (or private link) from the data plane to the e6data control plane | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
| IP access lists to control access to e6data control plane UI and APIs over the internet | AWS | Only Kubernetes management access between the e6data control plane and data plane. Any other access should be provided by users. |
| Ingress for 3rd party querying tools to access the engine. | AWS | User should enable Kubernetes Ingress for external connectors. |
| Feature | Cloud | Responsibility |
|---|---|---|
| Use the cloud service provider identity management for seamless integration with cloud resources | AWS | e6data |
| Single Sign-On with identity provider integration (you can enable MFA via the identity provider) | AWS | Can be configured in the e6data console. |
| Service principals or service accounts to manage application identities for automation | AWS | e6data |
| User account locking to temporarily disable a user’s access to e6data | AWS | e6data |
| Role-based access controls to provide least required privileges for users/groups. | AWS | Configured by user. |
| Feature | Cloud | Responsibility |
|---|---|---|
| Fine-grained permission-based access control to all e6data objects including workspaces, catalog, clusters and queries | AWS | Users should configure access to their team members. |
| Secure API access with personal access tokens with permission management | AWS | e6data provides unique tokens in the Console for secure access. |
| Segment users, workloads and data with different security profiles in multiple workspaces | AWS | Use separate workspaces where possible to segment users who need access to different data sources. |
| Feature | Cloud | Responsibility |
|---|---|---|
| Encryption of control plane data at rest | AWS | e6data (enabled by default) |
| Encryption in transit of all communications between the e6data control plane and customer data plane | AWS | e6data (enabled by default) |
| Feature | Cloud | Responsibility |
|---|---|---|
| Manage code versions effectively with repos | AWS | e6data |
| Built-in secret management to avoid hardcoding credentials in code | AWS | e6data |
| Managed data plane docker image regularly updated with patches, security scans and basic hardening | AWS | e6data |
| Contain costs, enforce security and validation needs with cluster policies | AWS | e6data |
| Immutable short-lived infrastructure to avoid configuration drift | AWS | e6data |
| Enhanced hardening with security monitoring and vulnerability reports of managed data plane images | AWS | e6data |
| Feature | Cloud | Responsibility |
|---|---|---|
| Comprehensive and configurable audit logging of activities of e6data users | AWS | Logged by e6data. Can be consumed by users through Console or API. |
| Logging of run queries | AWS | Logged by e6data. Can be consumed by users through Console or API. |
| e6data infrastructure logging | AWS | Logged by e6data. Can be consumed by users through Console or API. |