Skip to main content
Interania

What you should know about Interana security in AWS

0votes
43updates
137views

This document describes Interana Managed Edition deployments in AWS. It provides details on when and how the cluster communicates with the outside world, how access to the cluster is managed and controlled, and the application configurations that may potentially impact security. 

Click a link to jump to a topic:

Network architecture overview

Interana is deployed in a Virtual Private Cloud (VPC) that is created within your company's AWS account. Interana establishes two subnets within the VPC:

  • Public subnet—contains API nodes (web application servers), and a single admin node
  • Private subnet—contains data, string, config, and import nodes (data persists here)

In the Interana cluster, the admin node is the primary host used for cluster management. The API nodes serve requests made by users of the Interana web (UI) application. Cluster import nodes access data in a designated S3 bucket where access is controlled with a bucket policy. Communication between Interana nodes happens over SSL.

image (1).png

Usage Tracking logs can be configured to stay within the VPC rather than being uploaded to Interana.

Communication with the Interana cluster (within the VPC) consists of the following:

  • Incoming web requests from application users
  • Files downloaded from the customer owned data source S3 bucket
  • Communication with the customer network for cluster access
  • Outbound communication to Datadog for cluster monitoring
  • (Optional) log upload to an Interana-owned S3 bucket

image (2).png

AWS configuration

This section provides an overview of the AWS configuration for an Interana cluster. Click a link to jump to a topic:

Subnets

Interana creates two subnets with the VPC, one public and one private. The public subnet contains the admin and API nodes and uses CIDR 10.0.0.0/24. External inbound traffic is routed to the public subnet. The private subnet contains the config, import, data, and string nodes, and uses CIDR 10.0.1.0/24. A Network Access Control List (ACL) controls the communication between the two subnets.

Security groups

Interana creates a default security group to control ingress to and egress from the cluster, and applies to the API nodes on the public subnet. Additionally, Interana creates a private security group that controls access to nodes on the private subnet, as well as an admin security group that controls access to the admin node.

AWS Identity Access Management

The Interana must have AWS credentials in order to provision, deploy, and manage an Interana cluster. This requires that you create an Interana user account with the necessary permissions restricted to your target AWS account (see Policies below). Interana stores these credentials securely and accesses them to deploy the cluster and perform cluster upgrades and maintenance. 

Users and Groups

Interana requires a single privileged user account for administration purposes. As such, there are no hard requirements on group membership for the chosen user. The configuration is left to your discretion.

Roles

Interana creates a role that is applied to EC2 instances created in your AWS account. This role allows all actions for the EC2 instances, and is attached to the EC2 instances with an instance profile. 

Policies

Interana defines the policy for the EC2 instances created in the account (described in the above section). This policy enables each instance to take snapshots for backup purposes.

Additionally, the customer must define a policy for the user that Interana then uses to administer the account. The policy should allow the following actions:

Cluster Standup role Cluster Maintenance role Cluster Teardown role
cloudformation:CreateStack ec2:AttachVolume cloudformation:DeleteStack
cloudformation:DescribeAccountLimits ec2:CreateKeyPair ec2:DeleteDhcpOptions
ec2:AssociateAddress ec2:CreateSnapshot ec2:DeleteInternetGateway
ec2:AssociateDhcpOptions ec2:DeleteSnapshot ec2:DeleteNetworkAcl
ec2:AssociateRouteTable ec2:DescribeSnapshots ec2:DeleteNetworkAclEntry
ec2:AttachInternetGateway ec2:CreateTags ec2:DeleteRoute
ec2:AttachVolume ec2:CreateVolume ec2:DeleteRouteTable
ec2:AuthorizeSecurityGroupEgress ec2:DeleteVolume ec2:DeleteSecurityGroup
ec2:AuthorizeSecurityGroupIngress ec2:DetachVolume ec2:DeleteSubnet
ec2:CreateDhcpOptions ec2:ModifyInstanceAttribute ec2:DeleteVolume
ec2:CreateInternetGateway ec2:RebootInstances ec2:DeleteVpc
ec2:CreateKeyPair ec2:ReplaceNetworkAclAssociation ec2:DeleteVpcEndpoints
ec2:CreateNetworkAcl ec2:RunInstances ec2:DetachInternetGateway
ec2:CreateNetworkAclEntry ec2:StartInstances ec2:DetachVolume
ec2:CreateRoute ec2:StopInstances ec2:DisassociateRouteTable
ec2:CreateRouteTable ec2:TerminateInstances ec2:RevokeSecurityGroupEgress
ec2:CreateSecurityGroup   ec2:RevokeSecurityGroupIngress
ec2:CreateSnapshot   ec2:TerminateInstances
ec2:CreateSubnet   iam:DeleteInstanceProfile
ec2:CreateTags   iam:DeleteRole
ec2:CreateVolume   iam:DeleteRolePolicy
ec2:CreateVpc   iam:RemoveRoleFromInstanceProfile
ec2:CreateVpcEndpoint    
ec2:ModifyVpcAttribute    
ec2:RunInstances    
ec2:StartInstances    
ec2:StopInstances    
iam:AddRoleToInstanceProfile    
iam:CreateInstanceProfile    
iam:CreateRole    
iam:PutRolePolicy    

Key storage

Interana stores AWS credentials in an encrypted database, and utilizes a key vault solution to encrypt and restrict access to the keys exclusively to Interana. All AWS API requests are made over SSL. Interana supports rotating AWS credentials at the customer's request.

Access control

Security groups on the cluster restrict access to approved Interana IP addresses. Additionally, each Interana Customer Support Engineer that accesses your system must have a unique login with key access. Interana uses a third-party cloud LDAP service that syncs with Interana internal LDAP servers for account management. Each Customer Support Engineer must have an unique SSH key, and every login attempt is validated. This ensures that only an authorized account and SSH key can access your account. Access is granted based on group membership that is approved by you.

Interana collects logs that record SSH access to the cluster for auditing purposes. Access logs are uploaded to a host in the Interana AWS environment for analysis. Customers can request a report of access to their cluster.

Installation

Interana provisions the cluster, installs Interana software and dependencies on each node in the cluster, then configures monitoring and scheduled backups. Interana deploys the VPC and sets up the subnets, security groups, and other AWS requirements, then invokes the AWS API to create the cluster nodes. After the nodes are created, Interana performs system updates and configures access control.

System maintenance

Interana automates the monitoring and upgrading of cluster nodes. Click a link to jump to a topic:

Monitoring a cluster

Interana monitors the health of Interana cluster nodes and application processes. Each node in the cluster is configured to send metrics to a web API on a secure server. An API key is used to authenticate with the server that is authorized for reporting telemetry only (no read access, no account configuration access, no access to data stored on cluster). 

The following metrics are collected:

  • Node availability
  • Node reboot
  • CPU
  • Thread count per process
  • Memory - RSS, VM, Malloc, MMAP
  • File descriptors
  • TCP ports
  • Disk space (root, data, log, backup volumes)
  • Disk I/O and throughput
  • Application disk space (import, config/database, cache)
  • Crons
  • Bytes sent and received

Within the cluster, the following ports are used for collecting and transmitting cluster metrics:

Port Type  Description
8125 udp Agent for collecting metrics
17123 tcp Agent forwarder for buffering traffic
123 udp NTP

Automating cluster maintenance 

Interana manages the state of the cluster with an orchestration and configuration management tool. Processes run on each node and communicate to the server in the Interana AWS environment on ports 4505 and 4506.

Upgrading a cluster

Software upgrades are similar to the initial Interana software installation. Interana manages upgrades, connecting to the admin node and using it as a proxy to run upgrades on the other nodes in the cluster. 

Application configuration

This section covers the ways in which you can configure the Interana cluster environment. Click a link to jump to a topic:

Ingesting data

The Interana import nodes manage a pipeline for ingesting data into the cluster. Import nodes are configured to pull files from a designated S3 bucket. After the files are downloaded, they are processed and deleted.

Access to the source data bucket is configured through a bucket policy that is set by you. Read-only access must be granted for the Interana IAM user. The bucket policy should allow the following actions on the data source bucket and resources within the bucket:

  • s3:GetBucketLocation
  • s3:ListBucket
  • s3:GetObject
  • s3:RestoreObject

User authentication

This section provides and overview of the methods Interana supports for authenticating users through the Interana web user interface (UI). For more information, see the article on Using other forms of authentication.

Username and password

The default authentication method is with a unique username and password as login credentials. Usernames are typically email addresses. An Interana admin can configure authorized email domains with which to register accounts. An email is sent to verify ownership of the domain before a user account is created. An admin can also create accounts for arbitrary domains, as needed. User account passwords are encrypted and stored on the config node of the Interana cluster.

Third-party authentication

Interana supports authentication with third-parties that implement the SAML 2.0 or OAuth 2.0 protocols. In this scheme, Interana routes authentication requests to the configured third-party service provider. The Interana supported third-party authentication and single sign-on providers include the following:

  • Okta
  • Azure Active Directory
  • ADFS
  • OneLogin
  • Google
  • AppleConnect (using SAML 2.0)
API access

An Interana admin can generate API tokens for authenticating requests to the Interana external API. API tokens are always associated with an existing Interana user account. An admin can invalidate issued tokens at any time. The customer is responsible for managing token rotation and revocation policies.

Email notifications

The Interana application sends emails for account creation and management (if user/password authentication is enabled), as well as for scheduled dashboard reports. The service used to send emails is configurable, with the basic requirement of an SMTP interface (host, port, username, and password). Interana supports the following email services:

  • Sendgrid—Interana default email service. Emails are sent from the interana.com domain.

  • Amazon Simple Email Service (SES)—Amazon SES can be configured to send Interana emails from the interana.com domain. If Amazon SES is configured, the DomainKeys Identified Mail (DKIM) signing of emails is enabled.

  • Customer mail server—A customer-owned mail server may be used to send Interana emails. For this, the customer needs to provide SMTP configuration information. Emails are then sent from the customer domain.

Logging

Interana processes log system usage and performance information on each node locally. These logs may contain information about Interana users, such as email addresses and information about queries run on the system, including query parameters. Query parameters may include information about data stored in the system, for example a filter that narrows to a specific actor ID. Interana does not log the results of queries that are run in the system.

By default, Interana collects these logs and uploads them to an S3 bucket in the Interana AWS environment for internal use. This behavior can be disabled. Alternatively, logs can be ingested directly into the cluster for analysis.

What's Next

For more information, see the following topics:

  • Was this article helpful?