General
How is security implemented in AWS Blu Insights?
Security is a core pillar of AWS Blu Insights. See this page to discover what has been implemented to protect you and your data.
Which Regions does AWS Blu Insights support?
AWS Blu Insights is a global service (not related to a specific region) and is accessible anywhere.
Has AWS Blu Insights been accredited to any security standards?
Like other AWS services, AWS Blu Insights benefits from internal audits at the infrastructure level (e.g. checking resource configuration) and at the software stack level (e.g. checking library dependencies and vulnerabilities). AWS Blu Insights frequently goes through AppSec reviews by security experts. We also regularly perform penetration tests. Third-party auditors assess the security and compliance of new AWS Blu Insights features against AWS security standards.
Is there an automated JML (Joiners, Movers, Leavers) process on AWS Blu Insights?
The customer manages and controls the JML process through their AWS accounts. In addition, AWS Blu Insights accounts get disabled within 30 days of inactivity.
Encryption
How does AWS Blu Insights encrypt my data?
We keep all data in AWS Blu Insights encrypted at rest and in transit. AWS Blu Insights configures server-side encryption (SSE) on all dependent resources that store data (disks/volumes and databases). AWS Blu Insights also uses HTTPS to encrypt the service APIs.
A shared KMS encryption key is used.
How are the AWS Blu Insights keys managed? How is access to these keys protected and restricted?
AWS Blu Insights keys are mainly managed with AWS KMS, and access to them is restricted with least-privilege IAM roles.
What transport encryption versions does AWS Blu Insights use?
AWS Blu Insights uses HTTPS for access to bluinsights.aws and supports both TLS 1.2 and TLS 1.3. All internal transports in the AWS Blu Insights infrastructure are encrypted with TLS 1.2 everywhere.
What encryption ciphers are used to encrypt data at rest?
AES-GCM with 256-bit keys is used to encrypt data at rest.
What is the rotation interval for AWS Blu Insights encryption keys?
Yearly. Rotation is managed automatically by KMS.
Is backup data appropriately encrypted?
Yes.
How often are solution services and components patched?
AWS Blu Insights mainly relies on native AWS services (EFS, ECS, ECR, etc.), which are scanned and patched according to the AWS security policy.
Access control
What Multi-factor authentication (MFA) is implemented in AWS Blu Insights (for legacy accounts)?
AWS Blu Insights uses two-factor authentication for every user: an email/password pair and a time-based one-time password (TOTP) generated by an authenticator application (e.g. Google Authenticator).
Is MFA required for all user accounts?
It is only required for legacy accounts that don’t use the AWS Console Single-Sign-On.
Which authentication options does AWS Blu Insights support (e.g. ADFS / Azure AD / SAML)?
Any that can be used with the AWS Console.
What is the hashing algorithm in use for passwords (for legacy accounts)?
The bcrypt algorithm is used to hash passwords.
How frequent are the enforced password changes (for legacy accounts)?
30 days.
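The legacy-account rules stated in this FAQ (email/password plus TOTP, passwords changed every 30 days, accounts disabled after 30 days of inactivity), as an added example that is not AWS Blu Insights' own code. The TOTP part follows RFC 6238 with the usual 30-second step and 6 digits (an assumption about the authenticator configuration); the bcrypt password check is left to the caller because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values stated on this page for legacy accounts.
INACTIVITY_DISABLE_DAYS = 30   # accounts get disabled after 30 days of inactivity
PASSWORD_MAX_AGE_DAYS = 30     # enforced password change every 30 days
TOTP_STEP_SECONDS = 30         # RFC 6238 default time step (assumption)
TOTP_DIGITS = 6                # 6-digit codes, as authenticator apps typically use (assumption)


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp_matches(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Constant-time comparison against the current step and +/- `window` steps of drift."""
    return any(
        hmac.compare_digest(totp_code(secret, unix_time + k * TOTP_STEP_SECONDS), submitted)
        for k in range(-window, window + 1)
    )


@dataclass
class LegacyAccount:
    totp_secret: bytes        # shared secret enrolled in the authenticator app
    last_activity: datetime
    password_set_at: datetime


def evaluate_login(account: LegacyAccount, password_ok: bool, submitted_code: str, now: datetime) -> str:
    """Returns 'disabled', 'denied', 'password_change_required' or 'ok'.
    password_ok is the outcome of the caller's bcrypt check (e.g. bcrypt.checkpw)."""
    if now - account.last_activity >= timedelta(days=INACTIVITY_DISABLE_DAYS):
        return "disabled"
    # Both factors fail with the same answer, so a caller cannot learn which one was wrong.
    if not password_ok or not totp_matches(account.totp_secret, submitted_code, int(now.timestamp())):
        return "denied"
    if now - account.password_set_at >= timedelta(days=PASSWORD_MAX_AGE_DAYS):
        return "password_change_required"
    return "ok"
```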
Does AWS Blu Insights log all user access?
Yes.
How does AWS Blu Insights restrict user permissions?
Controls are enforced on both the front-end and back-end layers every time a user tries to access a resource, service, data, etc. We rely on thousands of business rules and on Spring Security. In addition, AWS Blu Insights runs each analysis in dedicated temporary containers, isolated per project/customer.
Which user permissions can I control in AWS Blu Insights?
AWS Blu Insights offers flexible data access control by allowing project owners to configure customized access roles with more than 50 different permissions for user actions; these roles specify user access levels to particular features, actions and content. The People and Permissions documentation details how to manage this.
Who can delete a project?
Project creators decide who can do that based on Profiles.
Are there any functions to auto-delete data in AWS Blu Insights (e.g. when an expiration date is reached or when there has been no activity for a certain period)?
No. You have to do it manually. The content is yours and you have full control over it.
Data privacy
Do I need to upload my source code to AWS Blu Insights?
Yes. You need to upload the source code of the legacy applications to be modernized. You will have full control over who can view it.
Do I need to upload sensitive or private data to AWS Blu Insights?
No. Don’t do that. The data needed for the modernization project (usually test cases) does not need to be uploaded to AWS Blu Insights.
Can data and metadata (such as reports) be exported?
AWS Blu Insights allows data and reports to be exported in XLSX format. However, only users authorized by the project owner can do that.
Who has access to my uploaded source code?
An AWS Blu Insights project owner manages and controls individual user rights by granting specific types of user permissions.
Is it possible for AWS Blu Insights staff to access my data?
The SecOps team (part of the service team) does not access customer data. They access the infrastructure but not customer data: their access is limited through an IAM role and security groups tied to a bastion host.
Is there any way to take the data stored in AWS Blu Insights (our programs) outside the service?
You decide who can do what on your projects (see People and Permissions documentation).
Do my actions run on a dedicated or multi-tenant infrastructure? How does AWS Blu Insights isolate runs of other customers?
AWS Blu Insights is a multi-tenant SaaS application. Even though customers partially share a common IT infrastructure, their projects and contents are isolated so that the actions of one tenant cannot compromise the data or service of another tenant.
Is my data backed up in case of an emergency?
Yes, data is backed up daily and we can perform a full backup recovery in case of a system-wide emergency.
What service is used to create and store the backups created by AWS Blu Insights?
AWS Backup.
Can I delete my data and their backups?
Yes. When you request deletion of your content, AWS Blu Insights deletes it together with its backups almost immediately (within a few minutes for the content, and within 24 hours for the backups).
Who can download my project artifacts?
The owners of a project control download authorizations among all team members:
- Shared Spaces:
  - The owner of the Shared Space determines whether users can download its content through the “Download” authorization.
- Codebase:
  - The owner of the project can manage, through user profiles on the “People” page, the following authorizations:
    - Download source code
    - Export reports
  - For Codebase projects created from Shared Spaces, if the “Download” permission is disabled on the Shared Space, it overrides the profiles’ permissions.
- Versions Manager:
  - Invited users keep the “Download source code” and “Export reports” permissions they have on the reference Codebase project.
- Transformation Center:
  - Invited users keep the “Download source code” and “Export reports” permissions they have on the reference Codebase project.
  - A new “Download outputs” permission can be given to invited users.
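The download rules above as an added example, not AWS Blu Insights' own code: a small Python model that resolves one user's effective download/export permissions per project type. The permission names are illustrative labels, and the Shared Space override is assumed to disable both Codebase download authorizations (the page does not say whether report export is affected as well).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Illustrative labels for the authorizations listed on this page.
DOWNLOAD_CONTENT = "download_content"        # Shared Space "Download" authorization
DOWNLOAD_SOURCE = "download_source_code"     # Codebase profile: "Download source code"
EXPORT_REPORTS = "export_reports"            # Codebase profile: "Export reports"
DOWNLOAD_OUTPUTS = "download_outputs"        # Transformation Center: "Download outputs"
CODEBASE_DOWNLOAD_PERMS = frozenset({DOWNLOAD_SOURCE, EXPORT_REPORTS})

# Each object describes what ONE invited user holds on ONE project.
@dataclass(frozen=True)
class SharedSpace:
    download_enabled: bool                # owner's "Download" authorization for this user

@dataclass(frozen=True)
class Codebase:
    profile: FrozenSet[str]               # permissions from the user's profile on the People page
    origin: Optional[SharedSpace] = None  # set when the Codebase was created from a Shared Space

@dataclass(frozen=True)
class VersionsManager:
    reference: Codebase                   # the reference Codebase project

@dataclass(frozen=True)
class TransformationCenter:
    reference: Codebase
    download_outputs: bool = False        # the extra "Download outputs" permission

def effective_download_permissions(project) -> FrozenSet[str]:
    """Resolve what the user may actually download or export on this project."""
    if isinstance(project, SharedSpace):
        return frozenset({DOWNLOAD_CONTENT}) if project.download_enabled else frozenset()
    if isinstance(project, Codebase):
        perms = set(project.profile) & CODEBASE_DOWNLOAD_PERMS
        # A disabled "Download" on the originating Shared Space overrides the profile.
        # Assumption: it removes both download-type authorizations, not only source download.
        if project.origin is not None and not project.origin.download_enabled:
            perms.clear()
        return frozenset(perms)
    if isinstance(project, VersionsManager):
        # Invited users keep exactly what they hold on the reference Codebase.
        return effective_download_permissions(project.reference)
    if isinstance(project, TransformationCenter):
        perms = set(effective_download_permissions(project.reference))
        if project.download_outputs:
            perms.add(DOWNLOAD_OUTPUTS)
        return frozenset(perms)
    raise TypeError(f"unknown project type: {type(project).__name__}")
```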
How long will my source code be stored on AWS Blu Insights?
Customers decide whether to keep or delete their projects on AWS Blu Insights.
Please describe all the AWS and non-AWS services used to store customer data.
AWS Blu Insights relies only on native AWS services, i.e. EFS, Aurora and AWS Backup.
Which technical controls are used to segregate customer data on AWS Blu Insights services?
Multiple hardware and software layers, including but not limited to separate disk partitions, isolated containers, JWT tokens, etc. More details are available at https://bluinsights.aws/security/
Network
How is network security monitored?
AWS Blu Insights identifies threats by monitoring network activity and platform behavior (logs/audits and incident response are configured).
Does AWS Blu Insights implement an IP filtering mechanism?
Yes, using a WAF.
Are there any solutions in place to deal with DDoS?
There is a limit on the number of requests per IP address.
Is there a network perimeter/firewall to protect the overall service and restrict external user connectivity to specified ports and protocols?
Yes.
How can customers restrict their employees to accessing the AWS Blu Insights portal only from corporate networks?
Customers manage the AWS accounts of their employees.
Security operations
Does AWS Blu Insights include an activity report?
Yes. AWS Blu Insights logs project events that can be consulted by allowed team members in the activities feed and in email reports (see Notifications management).
What are the activities captured in the application logs?
All actions performed by the project team members.
Application logs are accessible directly in the AWS Blu Insights project.
Can security logs be viewed in real time?
Yes, they can be viewed in CloudWatch in real time (not from within AWS Blu Insights itself, but by the service team).
Are security logs available for export?
No.
Can you confirm that all user activities are logged?
Yes.
Can log files be changed or deleted by users?
No.
What audit logs are captured by the service team?
- Access to projects
- Failed login attempts
- Email notifications sent by the service
- Analysis status
What is the retention period for audit logs?
10 years (as for all AWS services).
By whom and how are audit logs monitored and reviewed?
The AWS service team, using CloudTrail, CloudWatch, etc.
Does AWS Blu Insights provide the capability to set alerts on suspicious logins (e.g. location, time) and data access (e.g. batch access)?
Access to AWS Blu Insights is done through AWS accounts fully managed by the customer.
Is it possible for log files to be provided as a feed to a customer?
No.