What’s Amazon Web Services?
Amazon Web Services (AWS) is the world’s most broadly adopted cloud platform. Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, organizations can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like AWS.
Does AWS approve of giving third-party applications like ByteChek access to my AWS account?
Yes. AWS recommends that vendors implementing a SaaS product that needs access to customer accounts use a cross-account role. Using an external ID is the recommended way to implement this configuration, which is why the ByteChek platform uses external IDs when connecting to your AWS account. Choosing this option means the provisioned role can only be accessed through the AWS Command Line Interface (CLI), Tools for Windows PowerShell, or the AWS API, not through the console.
When using ByteChek, your organization grants ByteChek’s application programmatic access to your AWS account. The IAM policies attached to the cross-account role tightly control the permissions of the ByteChek application (the trusted account) and limit what it can access within your AWS account (the trusting account).
Why does ByteChek need to connect to my AWS account?
Because we are AWS experts and don’t think it makes sense to request manual evidence from cloud environments. ByteChek connects directly to your AWS infrastructure to ensure your organization’s cloud environment is in alignment with security best practices, regulations, and frameworks such as SOC 2, ISO 27001, and HIPAA. This integration allows the ByteChek application to continuously collect the evidence needed for cybersecurity assessments, allowing your team to focus on building your applications and not audits. Our AWS integration allows us to go above and beyond a traditional SOC 2 examination, producing a security-focused SOC 2 that differentiates you from your competitors.
How does ByteChek connect to my AWS account?
Using the AWS-recommended configuration for provisioning access to a third party, ByteChek connects to your AWS account through an IAM cross-account access role. Cross-account access allows the ByteChek platform to reach AWS resources without your organization sharing AWS security credentials. Instead of handing over sensitive information such as IAM user credentials or access keys, you create a role in your AWS account that ByteChek is allowed to assume.
You are provisioning access to ByteChek as a Trusted Entity. A Trusted Entity is a principal outside your AWS account that is allowed to gain access to a resource within your account. The resource ByteChek accesses is the IAM role your organization provisions. This IAM role has only the permissions you explicitly grant through IAM policies. ByteChek recommends attaching the AWS managed Security Audit policy to this role, together with the AWS Support Access policy so our platform can refresh AWS Trusted Advisor checks. Your organization can modify this read-only policy as you see fit; however, if our permissions are limited beyond what those policies allow, the ByteChek Engine may not be able to check certain controls.
As a reminder, the ByteChek platform will only have permissions explicitly granted by your organization.
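The two answers above describe the same configuration from both sides: a role in your (trusting) account whose trust policy only admits the vendor's (trusted) account when it presents an agreed external ID, with read-only managed policies attached. The following is an added example, not ByteChek's own code, of what that trust policy looks like and of a small check that flags the two mistakes that undermine it (a wildcard principal and a missing `sts:ExternalId` condition, which leaves the role open to the confused-deputy problem). The account IDs and the external ID are constructed placeholders; the two managed policy ARNs are real AWS managed policies (`SecurityAudit` and `AWSSupportAccess`).

```python
"""Build and check the trust policy of a vendor cross-account IAM role.

Added example, not ByteChek's own code. Account IDs below are constructed
placeholders; in practice the vendor supplies its account ID and the
external ID it issued for your account.
"""
import json
import secrets

VENDOR_ACCOUNT_ID = "111111111111"    # constructed: the trusted (vendor) account
CUSTOMER_ACCOUNT_ID = "222222222222"  # constructed: the trusting (your) account

# Real AWS managed policies recommended for the role: both are read-only.
RECOMMENDED_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/AWSSupportAccess",
]


def new_external_id() -> str:
    """Generate a random, unguessable external ID (normally issued by the vendor)."""
    return secrets.token_urlsafe(24)


def build_trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy for the customer-side role: only the vendor account may
    assume it, and only when the AssumeRole call carries the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_request(customer_account_id: str, role_name: str, external_id: str) -> dict:
    """Parameters the vendor side passes to STS AssumeRole for this role."""
    return {
        "RoleArn": f"arn:aws:iam::{customer_account_id}:role/{role_name}",
        "RoleSessionName": "vendor-evidence-collection",
        "ExternalId": external_id,
    }


def trust_policy_findings(policy: dict, vendor_account_id: str) -> list:
    """Return the problems found in a cross-account trust policy.

    An empty list means every AssumeRole grant is restricted to the vendor
    account root and protected by an sts:ExternalId condition.
    """
    findings = []
    expected = f"arn:aws:iam::{vendor_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_principal = [aws_principal] if isinstance(aws_principal, str) else (aws_principal or [])
        if "*" in aws_principal:
            findings.append("principal is a wildcard: any AWS account could assume the role")
        elif aws_principal != [expected]:
            findings.append(f"principal {aws_principal!r} is not the vendor account root")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition: open to the confused-deputy problem")
        elif len(ext) < 16:
            findings.append("external ID is short enough to guess")
    return findings


if __name__ == "__main__":
    ext_id = new_external_id()
    policy = build_trust_policy(VENDOR_ACCOUNT_ID, ext_id)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, VENDOR_ACCOUNT_ID))
    print("attach:", RECOMMENDED_MANAGED_POLICIES)
    print(assume_role_request(CUSTOMER_ACCOUNT_ID, "VendorAuditRole", ext_id))
```

The checker only reads the trust policy document, so it can be run against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for any existing vendor role to confirm the external ID condition survived later edits; the attached permissions policies are a separate document and should be compared against the read-only list on their own.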