Satori AWS Deployment Guide

Introduction

The Satori secure data access platform consists of two main components:

  • The Satori management console (https://app.satoricyber.com) - a SaaS application hosted on GCP.
  • The Satori data access controller (DAC) - a Kubernetes application that is either consumed as a service or deployed on an AWS Elastic Kubernetes Service (EKS) inside the customer VPC.

Customers deploy a DAC in the same public cloud region as the data stores the DAC protects. For example, customers using Redshift on AWS us-east-2 should deploy a DAC in a VPC on AWS us-east-2.

Users access the DAC through a dedicated hostname for each data store the DAC protects. For example, to access the Redshift cluster at cluster1.cxjks.us-east-2.redshift.amazonaws.com, data consumers instead connect to cluster1.cxjks.us-east-2.ksjd.satoricyber.net. The new hostname resolves to an internal-facing load balancer that routes traffic to the Satori DAC inside the EKS cluster.

Each DAC connects to the management console to read configuration data and to report telemetry and metadata about data access. For the complete list of reported data elements, refer to Appendix A.

Prerequisites

Kubernetes

Kubernetes Cluster

Satori is designed to run on Elastic Kubernetes Service and requires a cluster with Kubernetes version v1.15.

Custom Resource Definitions and Cert Manager

Some of the components of Satori rely on cert-manager to generate TLS keypairs to encrypt network traffic in the cluster. To deploy cert-manager in the cluster apply the following:

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml

Outbound Network Access

  • HTTPS on port 443 to source.developers.google.com - this is the git repository where the management console stores the configuration files for the DAC. Each DAC has its own dedicated repository with separate credentials.
  • HTTPS on port 443 to Google BigQuery on us-east1 - data access metadata is uploaded here so that it is available in the management console.
  • HTTPS on port 443 to cortex.satoricyber.net - product telemetry (metrics) is uploaded here.

Deployment Client

The deployment process requires the following tools to be available:

  • Python 3
  • Helm 3

Resource Requirements

The Satori DAC is composed of two main workloads:

  • Proxy and analysis engines - these components process traffic between data consumers and data stores.
  • The peripheral infrastructure that supports processing the traffic.

Server Type   Quantity   Purpose
m5.large      2          Peripheral infrastructure
m5.large      N+1        Traffic processing

Each traffic-processing server can process up to 20 MB/s of traffic, so N = (expected traffic throughput in MB/s) / 20. For example, to process 50 MB/s of data traffic: N = 50/20 = 2.5 and N+1 = 3.5, rounded up to 4 servers.
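A preflight script that checks the prerequisites above (Kubernetes version, cert-manager CRDs, Python 3, Helm 3, outbound HTTPS) and applies the sizing rule from the table, as an added example written for this guide rather than Satori's own tooling. It assumes kubectl, helm, python3 and curl are on PATH, that kubectl points at the target EKS cluster, and that bigquery.googleapis.com is the BigQuery endpoint the outbound rule refers to (the page names only the region). The Kubernetes check is deliberately as strict as the sentence above and accepts only the v1.15 minor.

```shell
#!/bin/sh
# Preflight checks for the prerequisites above: Kubernetes v1.15, cert-manager,
# outbound HTTPS, Python 3 and Helm 3, plus the m5.large sizing rule.
# Added example for this guide, not part of Satori's deployment package.
# Assumptions: kubectl/helm/python3/curl are on PATH, kubectl points at the
# target EKS cluster, and bigquery.googleapis.com is the BigQuery endpoint.

# version_parts VERSION -> prints "MAJOR MINOR"; accepts a leading "v", build
# suffixes such as "-eks-af3caf" or "+g0ebeb2e", and a missing patch level.
version_parts() {
  v=${1#v}
  v=${v%%-*}
  v=${v%%+*}
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  if [ "$rest" = "$v" ]; then minor=0; fi   # no dot at all: minor is 0
  if [ -z "$major" ]; then major=0; fi      # empty input (e.g. no server reply)
  echo "$major $minor"
}

# k8s_version_ok SERVER_VERSION -> 0 when the cluster runs the required v1.15 minor.
k8s_version_ok() {
  set -- $(version_parts "$1")
  [ "$1" -eq 1 ] && [ "$2" -eq 15 ]
}

# helm_version_ok / python_version_ok VERSION -> 0 for major version 3.
helm_version_ok()   { set -- $(version_parts "$1"); [ "$1" -eq 3 ]; }
python_version_ok() { set -- $(version_parts "$1"); [ "$1" -eq 3 ]; }

# traffic_servers THROUGHPUT_MB_PER_S (whole number) -> m5.large servers needed
# for traffic processing: N = throughput / 20 rounded up, plus one. 50 -> 4.
traffic_servers() {
  echo $(( ($1 + 19) / 20 + 1 ))
}

# egress_ok HOST -> 0 when an HTTPS connection to HOST succeeds from this machine.
# Only reachability and the TLS handshake matter; the HTTP status is ignored.
egress_ok() {
  curl -sS -o /dev/null --max-time 10 "https://$1/"
}

# preflight -> runs every check against the live environment; returns 1 if any fails.
preflight() {
  rc=0
  for tool in kubectl helm python3 curl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "FAIL: $tool not on PATH"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  k8s=$(kubectl version -o json | python3 -c \
    'import json,sys; print(json.load(sys.stdin)["serverVersion"]["gitVersion"])')
  if k8s_version_ok "$k8s"; then echo "OK:   Kubernetes $k8s"
  else echo "FAIL: Kubernetes '$k8s', v1.15 required"; rc=1; fi

  if kubectl get crd certificates.cert-manager.io >/dev/null 2>&1; then
    echo "OK:   cert-manager CRDs installed"
  else echo "FAIL: cert-manager CRDs missing, apply the cert-manager manifests first"; rc=1; fi

  helm=$(helm version --short)
  if helm_version_ok "$helm"; then echo "OK:   Helm $helm"
  else echo "FAIL: Helm '$helm', Helm 3 required"; rc=1; fi

  py=$(python3 -c 'import platform; print(platform.python_version())')
  if python_version_ok "$py"; then echo "OK:   Python $py"
  else echo "FAIL: Python '$py', Python 3 required"; rc=1; fi

  for host in source.developers.google.com bigquery.googleapis.com cortex.satoricyber.net; do
    if egress_ok "$host"; then echo "OK:   HTTPS egress to $host"
    else echo "FAIL: no HTTPS egress to $host"; rc=1; fi
  done
  return "$rc"
}

# Usage: sh preflight.sh run   (without the argument only the functions are defined)
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it with `sh preflight.sh run` from the deployment client. The egress check from a workstation is only indicative of the firewall rules; for the path the DAC will actually use, run the same curl calls from a pod scheduled on the cluster's worker nodes.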

Step by Step Instructions

Satori provides customers with a deployment package that contains a Helm chart pre-configured for the customer and the cloud region. Install the package's Python dependencies and run the deployment:

pip3 install -r requirements.txt
python3 satori.py deploy