Connect Accounts FAQ
Common questions related to connecting cloud accounts
What are the benefits of cross account access?
Compare the security profile and total cost of ownership (TCO) of these two options:
- a system configured and updated with machine-to-machine automation
- a system that requires direct access by many people to set up and update
The former requires 0 people in the process, takes 30 minutes for the initial setup, and is automatically updated with security improvements over the entire lifetime of the system.
The latter can take many people weeks in the initial process to set up and weeks again to find the right people to perform security updates. It adds new risks of many people having access and passwords to systems, making configuration mistakes, and delaying security updates.
Multiply this by every additional system you create to back up additional sandbox and production environments, and by every security update required over the years of maintaining a system; you'll see that the security profile is significantly higher and the TCO significantly lower when everything is automated.
GRAX maintains isolated accounts with cross-account automation for all "GRAX Cloud" environments, and is proud to offer exactly the same security best practices and service to Self-Managed customers.
What are the security implications of cross account access?
At GRAX, information security is job number one. We have designed security into every layer of our product and system management. Cross-account access, combined with fully automated system setup and updates, provides the best security for all our customers and their sensitive data. GRAX uses the following security best practices:
Isolation starting at the AWS Account Layer
Account isolation eliminates the risk of GRAX systems accessing other systems and data and vice-versa. GRAX requires that you run in an isolated account. Our certified templates provide further isolation at the VPC, instance, database, and storage layers.
Automation to set up and manage systems
Automation eliminates configuration mistakes on first setup and enables fast delivery of updates for critical security improvements.
Automation removes people from the process; people are prone to making configuration mistakes and can be slow to apply security updates. Configuration mistakes and running outdated components are among the top 10 application security risks.
GRAX provides AWS certified CloudFormation templates, fully open for additional peer review, that set up a secure environment in 20 minutes. GRAX continually maintains these templates for the latest security improvements.
Password-less IAM roles
Password-less roles eliminate the risk of leaked credentials, guarantee that only authorized machines can access systems, and leave an audit trail.
This removes static credentials that can leak and must be rotated. It also improves auditability: any access to your account by something other than the GRAX role, or any access to your bucket by something other than the GRAX Instance role, can trigger a security review.
How can I audit cross-account access?
All cross-account API calls are logged by AWS to CloudTrail. These logs always include the role ARN and the required role session name, both of which contain "GRAX". With the cross-account role in place, any cross-account access in the CloudTrail logs by anything other than the GRAX role is suspicious.
You can set up CloudWatch alarms on CloudTrail events to filter the events and send notifications when anything other than the expected roles accesses your systems.
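As an added example (not part of the GRAX documentation), the following Python check applies the rule above to CloudTrail records: it flags cross-account AssumeRole calls whose role ARN or session name does not contain "GRAX", and any access to the backup bucket by a role other than a GRAX role. The account id, role names, bucket name and the sample records are constructed placeholders.

```python
# Detection check for the audit rule in this FAQ. Account id, role names, bucket
# name and SAMPLE_RECORDS are constructed placeholders, not real GRAX values.
OWN_ACCOUNT = "111111111111"          # hypothetical customer account id
BACKUP_BUCKET = "example-grax-backup"  # hypothetical backup bucket name

def _issuer_arn(record):
    """Role ARN that issued the session, as CloudTrail records it for assumed roles."""
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("arn", "")

def suspicious_events(records, own_account=OWN_ACCOUNT, bucket=BACKUP_BUCKET):
    """Return (eventID, reason) pairs for records the FAQ treats as suspicious:
    a cross-account AssumeRole by anything other than the GRAX role, or any
    backup bucket access not issued by a GRAX role."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        params = r.get("requestParameters") or {}
        if r.get("eventName") == "AssumeRole" and ident.get("accountId") != own_account:
            role_arn = params.get("roleArn", "")
            session = params.get("roleSessionName", "")
            if "GRAX" not in role_arn or "GRAX" not in session:
                findings.append((r["eventID"], "cross-account AssumeRole by non-GRAX principal"))
        elif r.get("eventSource") == "s3.amazonaws.com" and params.get("bucketName") == bucket:
            if "GRAX" not in _issuer_arn(r):
                findings.append((r["eventID"], "backup bucket accessed by non-GRAX role"))
    return findings

SAMPLE_RECORDS = [  # constructed records mimicking the CloudTrail field layout
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{OWN_ACCOUNT}:role/GRAX-CrossAccountRole",
                           "roleSessionName": "GRAX-automation"}},
    {"eventID": "e2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": "333333333333"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{OWN_ACCOUNT}:role/OpsAdmin",
                           "roleSessionName": "admin"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accountId": OWN_ACCOUNT, "sessionContext":
                      {"sessionIssuer": {"arn": f"arn:aws:iam::{OWN_ACCOUNT}:role/GRAX-InstanceRole"}}},
     "requestParameters": {"bucketName": BACKUP_BUCKET, "key": "backup/part-0001"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accountId": OWN_ACCOUNT, "sessionContext":
                      {"sessionIssuer": {"arn": f"arn:aws:iam::{OWN_ACCOUNT}:role/Developer"}}},
     "requestParameters": {"bucketName": BACKUP_BUCKET, "key": "backup/part-0001"}},
]

if __name__ == "__main__":
    for event_id, reason in suspicious_events(SAMPLE_RECORDS):
        print(event_id, reason)  # prints e2 and e4 with their reasons
```

The same two conditions can be expressed as a CloudWatch Logs metric filter on the trail's log group to drive the alarm described above.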
Can I remove cross-account access?
Self-managed GRAX always leaves you in total control. At any time you can remove the cross-account role with the IAM Delete Role operation, then put it back as needed. Note that removing the role disables GRAX's ability to automatically push infrastructure security updates.