Arcus-allocated cloudspaces include many security features out of the box:
- Credentials that are scoped to your cloudspace and easy to rotate
- Networks available to only your cloudspace
- A cloudspace boundary which includes firewalls, network/port address translation (NAT/PAT), and edge gateways
- Secure remote access (RDP, VNC, or SSH) using your Arcus account credentials
All this combines to create a secure cloudspace out of the box for your team, whether you choose AWS, Azure, OpenStack, or vCloud.
Enable Additional Cloudspace Security
If you are a Team Manager, you can enable the additional cloudspace security on your cloudspace:
- Click Cloudspaces on the main menu
- Select your cloudspace
- At the top right, click …Actions, then click Apply Cloudspace Security
- Wait while the additional security features are enabled on your cloudspace; this may take a few minutes
- When complete, your cloudspace will display a “Lock” icon next to the cloudspace name
If your Team owns a Cloud, then you can enable these features for your Cloud. Click here for details.
Arcus AWS Cloudspaces
Arcus AWS cloudspace allocation and security configuration is a fully automated process. Out of the gate Arcus creates for you:
- An IAM role, group, user, and a policy scoping access to only the required resources
- Access keys for the IAM user that are easily rotatable
- A VPC with an Internet gateway
- A private Subnet for each network
- A public Subnet and NAT instance for each routable network
- Network ACLs attached to each subnet for additional lockdown
- Routing tables directing traffic for each subnet
- A firewall automatically created on the NAT instances
- Security Groups automatically applied to NAT instances, implementing network firewall rules on each EC2 instance network interface
- An Elastic IP attached to the cons3rt-net
When enabling Additional Cloudspace Security on your AWS cloudspaces, Arcus will:
- Create a secure S3 bucket to capture logs
- Enable CloudTrail logging on actions in the VPC
- Create a configuration for capturing CloudTrail logs in the S3 bucket
- Automatically rotate account credentials for the system accounts created
- Apply AWS Config for automated ongoing audit of configuration (currently 29 rules)
Arcus Azure Cloudspaces
Arcus Azure cloudspace allocation and security configuration is a fully automated process. Out of the gate Arcus creates for you:
- A private Resource Group
- A private Storage Account
- A private Virtual Network with a private Subnet for each network
- A NAT instance for each routable network
- A firewall automatically created on the NAT instances
- Routing tables directing traffic for each subnet
- Network Security Groups automatically applied to NAT instances, and Network Interfaces attached to each virtual machine (VM)
- A Public IP Address for the cons3rt-net, and each additional routable network
When enabling Additional Cloudspace Security on your Azure cloudspaces, Arcus will:
- Create a secure Blob Storage location to capture logs
- Enable Flow Logs logging on actions in the Virtual Network
- Create a configuration for capturing Flow Logs in the Blob Storage
- Automatically rotate account credentials for the system accounts created
- Apply Azure Policy for automated ongoing audit of configuration (currently one Policy Initiative with 77 policy definitions)
Note: Enabling additional cloudspace security in either provider incurs additional fees for log collection and storage.