Security

General

How is security implemented in AWS Blu Insights?
Security is a core pillar of AWS Blu Insights. Read this FAQ and see this page to discover what has been implemented to protect you and your data.

Is AWS Blu Insights protected from malware and viruses?
All uploaded files are scanned using updated antivirus software to prevent and detect any malware or viruses from infiltrating the system.

Has AWS Blu Insights been accredited to any security standards?
AWS Blu Insights benefits, like other AWS services, from internal audits made at the infrastructure level (e.g. checking resource configuration) and at the software stack level (e.g. checking library dependencies and vulnerabilities). AWS Blu Insights frequently goes through AppSec reviews made by security experts. We also regularly perform penetration tests. Third-party auditors assess the security and compliance of new AWS Blu Insights features, based on AWS security standards.

Is there an automated JML (Joiners, Movers, Leavers) process on AWS Blu Insights?
The customer manages and controls the JML process through their AWS accounts. In addition, AWS Blu Insights accounts are disabled after 30 days of inactivity.

Encryption

How does AWS Blu Insights encrypt my data?
We keep all data in AWS Blu Insights encrypted at rest and in transit. AWS Blu Insights configures server-side encryption (SSE) on all dependent resources that store data (disks/volumes and databases). AWS Blu Insights also uses HTTPS to encrypt traffic to the service APIs.

Are projects and services encrypted with unique KMS keys or is a shared encryption key used?
A shared KMS encryption key is used.

How are the AWS Blu Insights keys managed? How is access to these keys protected and restricted?
AWS Blu Insights keys are managed with AWS KMS, and access to them is restricted through least-privilege IAM roles.

What Transport encryption versions does AWS Blu Insights use?
AWS Blu Insights uses HTTPS for access to bluinsights.aws and supports both TLS 1.2 and TLS 1.3. All internal transport within the AWS Blu Insights infrastructure is encrypted with TLS 1.2.

What encryption ciphers are used to encrypt data at rest?
AES-256-GCM is used to encrypt data at rest.

What is the rotation interval for AWS Blu Insights encryption keys?
Yearly. Rotation is managed automatically by KMS and is monitored: a ticket is raised automatically if the rotation does not occur.

Is backup data appropriately encrypted?
Yes.

How often are solution services and components patched?
AWS Blu Insights mainly relies on native AWS services (EFS, ECS, ECR, etc.) which are scanned and patched with respect to the AWS security policy.

Access control

Does AWS Blu Insights log all user access?
Yes.

How does AWS Blu Insights restrict user permissions?
Controls are enforced on both the front-end and back-end layers every time a user tries to access a resource, service, data, etc. We rely on thousands of business rules and on Spring Security. In addition, AWS Blu Insights runs each analysis in dedicated temporary containers, isolated per project/customer.

Which user permissions can I control in AWS Blu Insights?
AWS Blu Insights offers flexible data access control: project owners can configure customized access roles from more than 50 different permissions on user actions, and use them to specify user access levels to particular features, actions and content. The People and Permissions documentation details how to manage this.

Who can delete a project?
Project creators decide who can do that based on Profiles.

Are there any functions to auto-delete the data in AWS Blu Insights (e.g. when the expiration date is reached or when there is no operation for a certain period)?
No. You have to do it manually. The content is yours and you have full control over it.

Data privacy

Do I need to upload my source code to AWS Blu Insights?
Yes. You need to upload the source code of the legacy applications to be modernized. You will have full control over who can view it.

Do I need to upload sensitive or private data to AWS Blu Insights?
No. Don’t do that. The data needed for the modernization project (usually test cases) does not need to be uploaded to AWS Blu Insights.

Can data and metadata (such as reports) be exported?
AWS Blu Insights allows data and reports to be exported in XLSX format. However, only users allowed by the project owner can do that.

Who has access to my uploaded source code?
A Blu Insights project owner manages and controls individual user rights by granting specific types of user permissions.

Is it possible for AWS Blu Insights staff to access my data?
The SecOps team (part of the service team) does not access customer data. They access the infrastructure but not customer data: their access is limited through an IAM role and security groups tied to a bastion.

Is there any way for data stored in AWS Blu Insights (where our programs are kept) to be taken outside?
You decide who can do what on your projects (see People and Permissions documentation).

Do my actions run on a dedicated or multi-tenant infrastructure? How does AWS Blu Insights isolate runs of other customers?
AWS Blu Insights is a multi-tenant SaaS application. Even though customers share parts of a common IT infrastructure, their projects and contents are isolated so that the actions of one tenant cannot compromise the data or service of another tenant.
Concretely, each customer's data is stored in its own dedicated folder within AWS EFS. Access to a customer's folder in EFS is protected at the application level by JWT, Spring Security and business rules.
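The folder-per-tenant check described above, as an added illustration that is not Blu Insights' own code: the mount point, tenant ids, project ids and JWT claim names are assumptions, and the JWT signature is assumed to have been verified upstream (the Spring Security layer), so only the business rule that confines a request to the caller's tenant folder is shown.

```python
import os
import tempfile
from typing import Optional

# Constructed layout mirroring the per-customer EFS folder model; the mount
# point, tenant ids and claim names are assumptions for this demo only.
EFS_MOUNT = tempfile.mkdtemp(prefix="efs-demo-")


def build_demo_layout() -> None:
    """Two tenants with one project each; tenant A also holds a symlink that
    points at tenant B, the classic way a naive string-prefix check is bypassed."""
    os.makedirs(os.path.join(EFS_MOUNT, "tenantA", "proj1", "src"))
    os.makedirs(os.path.join(EFS_MOUNT, "tenantB", "proj9"))
    os.symlink(os.path.join(EFS_MOUNT, "tenantB"),
               os.path.join(EFS_MOUNT, "tenantA", "proj1", "link"))


def resolve_tenant_path(claims: dict, project_id: str, relative: str) -> Optional[str]:
    """Business-rule check applied after the token was authenticated upstream.

    Returns the absolute path to serve when the token's tenant owns the project
    and the resolved path stays inside that tenant's folder; returns None for
    any other request so the caller answers with 403 instead of reading EFS."""
    tenant_id = claims.get("tenant")
    if not tenant_id or project_id not in claims.get("projects", ()):
        return None
    root = os.path.realpath(os.path.join(EFS_MOUNT, tenant_id))
    # realpath collapses '..', drops the root when the request is absolute,
    # and follows symlinks, so a traversal in the request and a planted link
    # inside the tenant folder both resolve to somewhere outside `root`.
    candidate = os.path.realpath(os.path.join(root, project_id, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


build_demo_layout()
CLAIMS_A = {"tenant": "tenantA", "projects": ["proj1"]}  # constructed token payload
```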

Is my data backed up in case of an emergency?
Yes, data is backed up daily and we can perform a full backup recovery in case of a system-wide emergency.

What service is used to create and store the backups created by Blu Insights?
AWS Backup.

Can I delete my data and their backups?
Yes. When you request deletion of your content, AWS Blu Insights deletes it together with its backups almost immediately (within a few minutes for the content, and within 24 hours for the backups).

Who can download my project artifacts?
All the download rights are described here.

How long will my source code be stored on AWS Blu Insights?
Customers decide whether to keep or delete their projects on AWS Blu Insights.

Please describe all the AWS and non-AWS services that are used to store customer data.
AWS Blu Insights relies only on native AWS services, i.e. EFS, Aurora and AWS Backup.

Which technical controls are used to segregate customer data on AWS Blu Insights services?
Multiple hardware and software layers, including but not limited to separate disk partitions, isolated containers, JWT tokens, etc. More details are available on the Security page.

Network

How is network security monitored?
AWS Blu Insights identifies threats by monitoring the network activity and platform behavior (Logs/Audits and Incident Response are configured).

Does AWS Blu Insights implement an IP filtering mechanism?
Yes, using a WAF.

Are there any solutions in place to deal with DDoS?
Requests are rate-limited per IP address.

Are there network perimeter firewalls protecting the overall service and restricting external user connectivity to specified ports and protocols?
Yes. Inbound access is restricted to only necessary traffic from allowed IP addresses. Network access from outside is only allowed to the Blu Insights portal. Other traffic is totally prohibited.

How can customers restrict their employees to accessing the AWS Blu Insights portal only from corporate networks?
Customers manage the AWS accounts of their employees.

Security operations

Does AWS Blu Insights include an activity report?
Yes. AWS Blu Insights logs project events that can be consulted by allowed team members in the activities feed and in email reports (see Notifications management).

What are the activities captured in the application logs?
All the actions performed by the project team members.

Can you share the project activities with the customer?
Application logs are accessible directly in the AWS Blu Insights project.

Can security logs be viewed in real time?
Yes, they can be viewed in CloudWatch in real time (not by AWS Blu Insights users but by the service team). As a reminder, the infrastructure belongs to the service.

Are security logs available for export?
No.

Can you confirm that all user activities are logged?
Yes.

Can log files be changed or deleted by users?
No.

What audit logs are captured by the service team?

  • Access to projects
  • Failed login attempts
  • Email notifications sent by the service
  • Analysis status

What is the retention period for audit logs?
10 years (similar to all AWS services)

By whom and how are audit logs monitored and reviewed?
By the AWS service team using the following AWS services:

  • CloudWatch to monitor the status of the EFS file system.
  • AWS CloudTrail to provide records of all AWS service API activity, including EFS, performed by any role or AWS service.
  • AWS VPC Flow Logs to record traffic metadata within the VPC.
  • AWS GuardDuty and AWS Security Hub for continuous monitoring of AWS CloudTrail event logs and VPC Flow Logs.
  • Guardrails that prevent modification of the buckets storing the activity logs.
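The kind of triage the monitoring above performs over CloudTrail records, and the automatic ticket mentioned for a missed key rotation, as an added example that is not the service team's own tooling: the records are constructed samples with only the fields used here populated, and the key id, file system id and audit-log bucket name are placeholders.

```python
from typing import Dict, Iterable, List


def ev(source: str, name: str, arn: str, params: dict = None, error: str = None) -> dict:
    """Build a minimal CloudTrail-style record (constructed sample, not real data)."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error  # present when the API call was denied
    return rec


# Constructed sample: a benign read, key rotation being disabled, an EFS deletion
# blocked by a guardrail, and two bucket-policy changes (one on the log bucket).
SAMPLE_EVENTS = [
    ev("elasticfilesystem.amazonaws.com", "DescribeFileSystems",
       "arn:aws:sts::111122223333:assumed-role/secops-readonly/bob"),
    ev("kms.amazonaws.com", "DisableKeyRotation",
       "arn:aws:sts::111122223333:assumed-role/ops-admin/alice", {"keyId": "KEY-ID-PLACEHOLDER"}),
    ev("elasticfilesystem.amazonaws.com", "DeleteFileSystem",
       "arn:aws:iam::111122223333:user/contractor", {"fileSystemId": "fs-PLACEHOLDER"}, error="AccessDenied"),
    ev("s3.amazonaws.com", "PutBucketPolicy",
       "arn:aws:iam::111122223333:user/contractor", {"bucketName": "audit-logs-placeholder"}),
    ev("s3.amazonaws.com", "PutBucketPolicy",
       "arn:aws:iam::111122223333:user/contractor", {"bucketName": "scratch-bucket"}),
]

# API calls that should never go unnoticed, per service.
WATCHED = {
    "kms.amazonaws.com": {"DisableKeyRotation", "ScheduleKeyDeletion", "DisableKey"},
    "elasticfilesystem.amazonaws.com": {"DeleteFileSystem", "PutFileSystemPolicy", "DeleteMountTarget"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucket", "PutBucketLifecycle"},
}
AUDIT_LOG_BUCKETS = {"audit-logs-placeholder"}  # placeholder name for the activity-log store


def triage(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one finding per watched call; denied calls are kept as evidence
    that the guardrail held, successful ones become a ticket."""
    findings = []
    for r in records:
        src, name = r.get("eventSource"), r.get("eventName")
        if name not in WATCHED.get(src, ()):
            continue
        if src == "s3.amazonaws.com" and r["requestParameters"].get("bucketName") not in AUDIT_LOG_BUCKETS:
            continue  # ordinary bucket, not where the activity logs live
        blocked = "errorCode" in r
        findings.append({"event": f"{src}:{name}", "actor": r["userIdentity"]["arn"],
                         "severity": "info" if blocked else "high",
                         "action": "record blocked attempt" if blocked else "open ticket"})
    return findings
```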

Does AWS Blu Insights provide the capability to set alerts on suspicious logins (e.g. location, time) and data access (e.g. batch access)?
Access to AWS Blu Insights is done through AWS accounts fully managed by the customer.

Is it possible for log files to be provided as a feed to a customer?
No.