How is Volumez secured?
  • 18 Jul 2024

Data in flight

How does Volumez protect data in transit (for user-to-website communication and between the connector and Volumez service)?

With Volumez, all data in transit is fully encrypted using industry-standard security protocols. We ensure the highest level of security for user-to-website communication and communication between the connector and the Volumez service. To achieve this, we employ HTTPS and TLS 1.3 for all data transmission, providing robust encryption to safeguard the information as it travels between endpoints.

Additionally, authentication is carried out using standard JWTs (JSON Web Tokens), ensuring secure and authorized access to the services. All communication is initiated from the customer's site or tenant, adding an extra layer of control and security.

At Volumez, we take data protection seriously, and our commitment to following established security best practices helps maintain the confidentiality and integrity of your data during its journey from your system to our service.

Is there any type of inbound communication with Volumez, where the Volumez service accesses my own tenant?

No, all communication schemes are based on outbound communication, where the session is initiated from the customer site.

What is the frequency of exchanging encryption keys for the internal messaging services in use by Volumez?

All encryption keys are changed every 24 hours.

Data at rest

Does Volumez use encryption to protect the data collected from the media and application nodes?

Yes, all data collected is stored securely in encrypted tables. 

How does Volumez protect customer accounts and private data?

We prioritize the security of our customers' accounts and private data by employing multiple measures, including the use of Amazon Cognito—a robust and industry-standard solution. Amazon Cognito is used for user authentication, enabling secure access to Volumez services while managing user profiles efficiently.

What private data is kept on Volumez records?

Refer to our Privacy Policy here.

Permissions

What permissions are required in my account in order to use Volumez?

AWS

To allow the Volumez service to create the required resources within your AWS environment, you must set up permissions in AWS Identity and Access Management (IAM).

  1. Enable the following actions in an IAM policy:

    Resources:
      CrossAccountRole:
        Type: "AWS::IAM::Role"
        Properties:
          RoleName: "VolumezAutoProvisioningRole"
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  AWS:
                    - "arn:aws:iam::225810133168:root"
                Action:
                  - "sts:AssumeRole"
          Policies:
            - PolicyName: "VolumezAutoProvisioningEC2Policy"
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Action:
                      - ec2:UpdateSecurityGroupRuleDescriptionsIngress
                      - cloudformation:CreateStack
                    Resource:
                      - "arn:aws:cloudformation:*:*:stack/volumez*"
                      - "arn:aws:ec2:*:*:*/volumez*"
     
                  - Effect: Allow
                    Action:
                      - ec2:CreateTags
                      - ec2:CreateSecurityGroup
                      - ec2:RunInstances
                      - ec2:CreateLaunchTemplate
                      - ec2:CreateLaunchTemplateVersion
                    Resource:
                      - "arn:aws:ec2:*:*:instance/*"
                      - "arn:aws:ec2:*:*:security-group/*"
                      - "arn:aws:ec2:*:*:launch-template*"
                    Condition:
                      StringEquals:
                        aws:RequestTag/CreatedBy:
                          - "volumez"
     
                  - Effect: Allow
                    Action:
                      - ec2:CreateSecurityGroup
                      - ec2:RunInstances
                    NotResource:
                      - "arn:aws:ec2:*:*:instance/*"
                      - "arn:aws:ec2:*:*:security-group/*"
     
                  - Effect: Allow
                    Action:
                      - ec2:AuthorizeSecurityGroupEgress
                      - ec2:AuthorizeSecurityGroupIngress
                      - ec2:DeleteSecurityGroup
                      - ec2:TerminateInstances
                      - ec2:RevokeSecurityGroupEgress
                      - ec2:DescribeInstanceStatus
                      - ec2:DescribeImages
                      - ec2:RunInstances
                      - ec2:CreateLaunchTemplateVersion
                    Resource:
                      - "*"
                    Condition:
                      StringEquals:
                        aws:ResourceTag/CreatedBy:
                          - "volumez"
     
                  - Effect: Allow
                    Action:
                      - ec2:DescribeLaunchTemplateVersions
                      - ec2:DescribeSecurityGroups
                      - ec2:DescribeLaunchTemplates
                      - ec2:DescribeRegions
                      - ec2:DescribeAvailabilityZones
                      - ec2:DescribeVpcs
                      - ec2:DescribeInstanceTypes
                      - ec2:DescribeSubnets
                      - ec2:DescribeKeyPairs
                      - ec2:DescribeTags
                      - ec2:DescribeInstanceCreditSpecifications
                      - ec2:DescribeInstances
                      - ec2:DescribeInstanceAttribute
                      - ec2:DescribeNetworkInterfaces
                      - ec2:DescribeVolumes
                      - cloudformation:GetResource
                      - cloudformation:GetResourceRequestStatus
                      - cloudformation:CreateResource
                      - cloudformation:DeleteResource
                    Resource: "*"
     
    Outputs:
      RoleARN:
        Description: "The ARN of the role that was created."
        Value: !GetAtt CrossAccountRole.Arn
  2. Create an IAM role which is associated with these actions.

See more details here.
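
As an added example (not Volumez's code), this Python check classifies how each Allow statement in the policy above is scoped and returns the statements where a write action is limited neither by an ARN pattern nor by the CreatedBy tag, which are the ones to read closely before deploying the template. STATEMENTS is a condensed, constructed copy of the template's five statements, and the function names are hypothetical.

```python
# Added example. STATEMENTS is a condensed, constructed copy of the five Allow
# statements in the template above (action and resource lists shortened).
STATEMENTS = [
    {"Action": ["ec2:UpdateSecurityGroupRuleDescriptionsIngress", "cloudformation:CreateStack"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/volumez*", "arn:aws:ec2:*:*:*/volumez*"]},
    {"Action": ["ec2:CreateTags", "ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": ["volumez"]}}},
    {"Action": ["ec2:CreateSecurityGroup", "ec2:RunInstances"],
     "NotResource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*"]},
    {"Action": ["ec2:TerminateInstances", "ec2:DescribeImages"], "Resource": ["*"],
     "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": ["volumez"]}}},
    {"Action": ["ec2:DescribeInstances", "cloudformation:GetResource",
                "cloudformation:CreateResource", "cloudformation:DeleteResource"],
     "Resource": "*"},
]

def as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def scope_of(stmt):
    """Name the constraint that limits one Allow statement."""
    keys = [k for op in stmt.get("Condition", {}).values() for k in op]
    if any(k.startswith("aws:ResourceTag/") for k in keys):
        return "resource-tag"      # only resources already carrying the tag
    if any(k.startswith("aws:RequestTag/") for k in keys):
        return "request-tag"       # only requests that apply the tag
    if "NotResource" in stmt:
        return "not-resource"      # everything except the listed ARNs
    if all(r == "*" for r in as_list(stmt["Resource"])):
        return "unscoped"
    return "arn-pattern"

def write_actions(actions):
    """Actions whose name is not a Describe/Get/List read call."""
    return [a for a in actions
            if not a.split(":", 1)[1].startswith(("Describe", "Get", "List"))]

def audit(statements):
    """Return (index, scope, write actions) for statements to review by hand."""
    findings = []
    for i, stmt in enumerate(statements):
        scope, writes = scope_of(stmt), write_actions(as_list(stmt["Action"]))
        if scope in ("unscoped", "not-resource") and writes:
            findings.append((i, scope, writes))
    return findings

if __name__ == "__main__":
    print(audit(STATEMENTS))
```

On the policy above it returns the statements at index 2 (the NotResource grant) and index 4 (cloudformation:CreateResource and cloudformation:DeleteResource on Resource "*").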

Azure

Volumez requires the following actions to manage resources:

"Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/read"

We use app registration and associate it with a custom role that has permissions for these actions.

See more details here.

