Accurics follows the AWS recommended architecture best practices. It uses AWS cloud-native services and deploys its microservices as containers on Amazon ECS with the Fargate launch type.
The following diagram displays the Accurics deployment on AWS.
The Accurics deployment is categorised as follows:
AWS Native Services
| Service | How Accurics uses it |
|---|---|
| VPC | Accurics microservices and databases are deployed within a VPC dedicated to Accurics, so that Accurics components are isolated from other customer-specific deployments. |
| Public and Private Subnets | The Accurics microservices are placed in a private subnet and are not directly reachable from the internet. Inbound traffic reaches them only through the Application Load Balancer in the public subnet, which is itself reached through the internet gateway. |
| Internet Gateway (IG), ALB, and NAT Gateway | The Accurics microservices initiate outbound connections to external resources (for example, cloud provider APIs) through the NAT gateway, and receive inbound traffic from the internet only through the Application Load Balancer in the public subnet. |
| AWS Fargate | The Accurics microservices are packaged as Docker containers, and Fargate is the compute engine that runs them, so no EC2 container hosts have to be managed. The containers are grouped into ECS tasks and use Fargate task networking (awsvpc mode, in which each task receives its own elastic network interface) for best performance. Two tasks are launched by default; customers can increase the number of tasks for better performance if the number of resources to be processed exceeds the prescribed number. |
| RDS – PostgreSQL | Accurics uses two PostgreSQL databases on RDS. One stores resource metadata, processed information, and static, product-specific details; the other stores the events used for alerting. The data store is being optimized, and the two databases will be consolidated into one in an upcoming release. |
| S3 Buckets | S3 buckets serve two purposes: (1) storing the state file for Accurics’ own deployment in the cloud, and (2) temporary storage while policy and drift assessments are processed. |
All the Accurics microservices are Docker containers deployed as part of one or more ECS tasks.
| Microservice | Role |
|---|---|
| SIAC | SIAC (Secure Infrastructure as Code) acts as the API gateway and task orchestrator. It receives the API calls and orchestrates the operations across the other microservices. |
| SIAC – UI | SIAC – UI generates the web pages for the Accurics Web Console and communicates with SIAC. |
| Code Provider | The Code Provider has implementations for specific IaC technologies, such as the Terraform Provider and the Ansible Provider. A Code Provider scans the source code and converts it into a platform-independent proprietary format, which is then processed for potential policy and security violations. |
| Cloud Provider | Cloud Providers are cloud-specific implementations, such as the AWS Provider and the GCP Provider. A Cloud Provider uses your cloud credentials or roles to connect to your cloud accounts and read resource metadata, which it converts into code. That code is then converted into the same platform-independent format for processing policy and security violations. |
| Cloud CMDB | The Cloud CMDB maintains current and historical information about the resources in code and in the cloud, including historical references to policy violations and configuration drifts. For every resource, references to its dependent resources, topology information, and so on are acquired and deduced from the code and cloud analysis. The CMDB data is analyzed to build intelligence about potential breach paths. |
The Accurics CLI lets you validate code before it is deployed. It can be run on a developer’s machine to scan for violations by connecting to the Accurics APIs.
The Accurics CLI is supported on macOS, Linux, and Windows. It is configured with an application token acquired from the Web Console, and takes the SIAC ALB URL and the Accurics environment as its initial configuration. The application token authenticates the CLI to the Accurics APIs, so treat it as a secret rather than committing it to source control.
See Accurics CLI for information on installing and using the CLI.
Accurics On-prem Broker
You can use the Accurics Broker if your source code repositories are hosted behind a firewall on a local network. The Broker functions like the Accurics CLI but runs in a Docker container. It authenticates to the on-premises Bitbucket, GitHub, or GitLab server using a Personal Access Token, a service account, or a third-party integration that uses Single Sign-On (SSO).