Setting up Datomic Cloud in an existing VPC

Hello all,

I’m trying to introduce Datomic Cloud into an enterprise environment. My coworkers are interested, but there are some security/compliance constraints in place that limit the amount of things we can do in our AWS account. These include:

  • We cannot create our own VPC
  • We must use provided subnets
  • Internet traffic from the VPC has to go through a forward proxy
  • We might be required to use specific hardened AMIs

I have looked through the CloudFormation template to see if it can be tweaked for our specific environment. My questions would be:

  • Is manually altering the CloudFormation templates a reasonable solution?
  • What can be adjusted to ensure Datomic will run properly?
  • Can we ask for a support team to help us set it up for our specific environment?

I understand this question is a bit loaded, but I’m hoping to have a starting point for us and others wanting to run Datomic in similar enterprisey infrastructures.

We would be happy to discuss some of these particulars with you, however several of them are likely to be difficult, if not impossible, to resolve.

In particular, the Datomic Cloud AMI is generated by AWS Marketplace and handles hourly monitoring for billing purposes and can’t be altered.

The reason Datomic creates a new VPC is to ensure that settings and configurations are correct for the proper functioning of the system. You may be able to manually adjust the CFTs to achieve your desired deployment, but your resulting system will likely be incompatible with straightforward “Update Stack” upgrades to future releases of Datomic.

Datomic’s deployment model is designed to follow AWS’ best practices regarding security and isolation, including isolating the Datomic system in a separate VPC and managing all incoming traffic to that VPC. Datomic’s defaults may be a good fit for a security-conscious system; would it be possible to evaluate the possibility of using it as-is?

Just an update on this.
It took some diplomacy, but we are now running in an AWS account that is more permissive and are able to run Datomic Cloud with minor adjustments to the supplied CloudFormation templates. Specifically, the adjustments are:

  • Adding a PermissionsBoundary to every IAM role
  • Removing all the EC2 KeyPairs

The KeyName is optional for the LaunchConfiguration and it doesn’t seem that Datomic uses them, so I’m not sure why the template requires them. If Datomic requires it in the future, this could be an issue for us.

In any case, I’m happy we are able to run it now.
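The two template adjustments described in the update above (a PermissionsBoundary on every IAM role, and no EC2 key pairs) are mechanical enough to script and to re-check after each "Update Stack". The following is an added example, not code from the thread or from Datomic: it patches a CloudFormation template held as JSON and audits the result. The template, the role and resource names, and the boundary policy ARN are constructed for the example; the real Datomic templates will contain different resources, and the script only knows about `KeyName` on LaunchConfigurations and EC2 instances.

```python
"""Apply and audit two template adjustments: attach a PermissionsBoundary to
every AWS::IAM::Role and strip EC2 key pairs from the launch resources."""
import copy
import json
from typing import Any

# Constructed sample template (not Datomic's real CFT): one IAM role and one
# LaunchConfiguration that takes a KeyName parameter.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
        "InstanceType": {"Type": "String", "Default": "t3.large"},
    },
    "Resources": {
        "NodeRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }],
                },
            },
        },
        "NodeLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": "ami-PLACEHOLDER",
                "InstanceType": {"Ref": "InstanceType"},
                "KeyName": {"Ref": "KeyName"},
            },
        },
    },
}

# Resource types whose Properties carry a top-level KeyName.
KEY_NAME_TYPES = {"AWS::AutoScaling::LaunchConfiguration", "AWS::EC2::Instance"}


def _references(node: Any, name: str) -> bool:
    """True if {"Ref": name} or a Fn::Sub "${name}" appears anywhere under node."""
    if isinstance(node, dict):
        if len(node) == 1 and node.get("Ref") == name:
            return True
        return any(_references(v, name) for v in node.values())
    if isinstance(node, list):
        return any(_references(v, name) for v in node)
    if isinstance(node, str):
        return "${" + name + "}" in node
    return False


def harden(template: dict, boundary_arn: str) -> dict:
    """Return a patched copy: boundary on every role, KeyName removed."""
    t = copy.deepcopy(template)
    for res in t.get("Resources", {}).values():
        rtype = res.get("Type")
        if rtype == "AWS::IAM::Role":
            res.setdefault("Properties", {})["PermissionsBoundary"] = boundary_arn
        elif rtype in KEY_NAME_TYPES:
            res.get("Properties", {}).pop("KeyName", None)
    # Drop parameters (such as KeyName) that nothing references any more, so
    # the stack no longer prompts for a key pair it never uses.
    params = t.get("Parameters", {})
    for name in list(params):
        still_used = _references(t.get("Resources", {}), name) or _references(t.get("Outputs", {}), name)
        if not still_used:
            del params[name]
    return t


def audit(template: dict, boundary_arn: str) -> list[str]:
    """Findings: roles lacking the expected boundary, resources still carrying a KeyName."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role" and props.get("PermissionsBoundary") != boundary_arn:
            findings.append(f"{name}: IAM role without PermissionsBoundary {boundary_arn}")
        if res.get("Type") in KEY_NAME_TYPES and "KeyName" in props:
            findings.append(f"{name}: still has a KeyName")
    return findings


if __name__ == "__main__":
    # Placeholder boundary policy ARN; substitute the account's real one.
    boundary = "arn:aws:iam::123456789012:policy/ExampleBoundary"
    print("before:", audit(SAMPLE_TEMPLATE, boundary))
    patched = harden(SAMPLE_TEMPLATE, boundary)
    print("after: ", audit(patched, boundary))
    print(json.dumps(patched, indent=2))
```

Running `audit` against the vendor's unmodified template after every release lists exactly what still needs patching, which is the practical check on the "Update Stack" incompatibility the support reply warns about: if the finding list is unchanged, the same patch still applies.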