Satori AWS Deployment Guide
The Satori secure data access platform consists of two main components:
- The Satori management console (https://app.satoricyber.com) - a SaaS application hosted on GCP.
- The Satori data access controller (DAC) - a Kubernetes application that is either consumed as a service or deployed on an AWS Elastic Kubernetes Service (EKS) inside the customer VPC.
Customers deploy a DAC in the same public cloud region as the data stores the DAC protects. For example, customers using Redshift on AWS us-east-2 should deploy a DAC in a VPC on AWS us-east-2.
Users access the DAC through a dedicated hostname for each data store the DAC protects. For example, instead of connecting to the Redshift cluster at cluster1.cxjks.us-east-2.redshift.amazonaws.com, data consumers connect to cluster1.cxjks.us-east-2.ksjd.satoricyber.net. The new hostname resolves to an internal-facing load balancer that routes traffic to the Satori DAC inside the EKS cluster.
Each DAC connects to the management console to read configuration data and to report telemetry and metadata on data access. For a complete list of data elements being reported refer to Appendix A.
Satori is designed to run on Elastic Kubernetes Service and requires a cluster with Kubernetes version v1.15.
Custom Resource Definitions and Cert Manager
Some Satori components rely on cert-manager to generate the TLS key pairs used to encrypt network traffic inside the cluster. To deploy cert-manager in the cluster, apply the following:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
Outbound Network Access
The DAC requires the following outbound network access:
- HTTPS on port 443 to source.developers.google.com - this is the git repository where the management console stores the configuration files for the DAC. Each DAC has its own dedicated repository with separate credentials.
- HTTPS on port 443 to Google BigQuery on us-east1 - this is where data access metadata is uploaded to be accessible in the management console.
- HTTPS on port 443 to cortex.satoricyber.net - this is where product telemetry (metrics) is uploaded.
The deployment process requires the following tools to be available:
- Python 3
- Helm 3
The Satori DAC is composed of two main workloads:
- Proxy and analysis engines - these components process traffic between data consumers and data stores.
- The peripheral infrastructure that supports processing the traffic.
| Instance type | Count | Purpose |
|---|---|---|
| m5.large | N+1 | Traffic processing. Each server can process up to 20 MB/s of traffic. N = (expected traffic throughput in MB/s) / 20. For example, to process 50 MB/s of data traffic: N = 50/20 = 2.5 and N+1 = 3.5 → 4 servers would be required. |
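The prerequisites above (Kubernetes v1.15 or later, cert-manager CRDs, outbound HTTPS to the three endpoints, Python 3 and Helm 3) and the N+1 sizing rule from the table can be checked before the deployment package is run. The following pre-flight script is an added example written for this guide; it is not part of Satori's deployment package. It assumes kubectl, helm, python3 and curl are on PATH, that kubectl already points at the target EKS cluster, that the kubelet version of the first node is a good enough proxy for the cluster version, and that the BigQuery endpoint is bigquery.googleapis.com (the guide names the service, not a hostname). Sizing rounds N+1 up to a whole node count, which is how the 3.5 → 4 example in the table is obtained.

```shell
#!/bin/sh
# Pre-flight checks and node-group sizing for a Satori DAC deployment.
# Added example for this guide; not part of Satori's deployment package.
# Assumptions: kubectl/helm/python3/curl on PATH, kubectl context set to the
# target EKS cluster, BigQuery reached via bigquery.googleapis.com (assumed).

MIN_K8S_MINOR=15      # guide: Kubernetes v1.15
MBPS_PER_NODE=20      # guide: one m5.large handles up to 20 MB/s

# has_tool NAME -> 0 if NAME is an executable on PATH.
has_tool() { command -v "$1" >/dev/null 2>&1; }

# k8s_version_ok VERSION -> 0 if major.minor >= 1.15, else 1.
# Accepts EKS-style strings such as "v1.15.11-eks-af3caf".
k8s_version_ok() {
  v=${1#v}                       # drop the leading "v"
  major=${v%%.*}                 # text before the first dot
  rest=${v#*.}                   # text after the first dot
  minor=${rest%%[!0-9]*}         # digits up to the first non-digit
  [ "$major" -eq "$major" ] 2>/dev/null || return 1   # non-numeric input
  [ "$minor" -eq "$minor" ] 2>/dev/null || return 1
  [ "$major" -gt 1 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -ge "$MIN_K8S_MINOR" ]
}

# helm3_ok -> 0 if the helm binary on PATH reports a v3.x version.
helm3_ok() {
  case "$(helm version --template '{{.Version}}' 2>/dev/null)" in
    v3.*) return 0 ;;
    *)    return 1 ;;
  esac
}

# crd_present -> 0 if the cert-manager Certificate CRD is installed.
crd_present() { kubectl get crd certificates.cert-manager.io >/dev/null 2>&1; }

# egress_ok HOST -> 0 if a TLS connection to HOST:443 can be opened from
# this machine. Any HTTP status counts; only reachability is tested.
egress_ok() {
  curl -sS --connect-timeout 5 -o /dev/null "https://$1/" >/dev/null 2>&1
}

# traffic_nodes MBPS -> m5.large count from the sizing table: N = MBPS/20
# rounded up, plus one spare node. Integer ceiling: (x + 19) / 20.
traffic_nodes() {
  echo $(( ($1 + MBPS_PER_NODE - 1) / MBPS_PER_NODE + 1 ))
}

# check LABEL CMD... -> prints PASS/FAIL for LABEL, returns CMD's status.
check() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# run_preflight MBPS -> runs every check, prints the sizing result and
# returns 1 if any check failed.
run_preflight() {
  failed=0
  check "python3 on PATH" has_tool python3 || failed=1
  check "Helm 3 on PATH" helm3_ok || failed=1
  kube_ver=$(kubectl get nodes \
    -o jsonpath='{.items[0].status.nodeInfo.kubeletVersion}' 2>/dev/null || true)
  check "Kubernetes >= v1.15 (node reports ${kube_ver:-unknown})" \
    k8s_version_ok "$kube_ver" || failed=1
  check "cert-manager CRDs installed" crd_present || failed=1
  for host in source.developers.google.com bigquery.googleapis.com cortex.satoricyber.net; do
    check "egress to $host:443" egress_ok "$host" || failed=1
  done
  echo "m5.large nodes for ${1:-0} MB/s of traffic: $(traffic_nodes "${1:-0}")"
  return $failed
}

# Run only when an expected throughput is given, e.g.: sh preflight.sh 50
if [ $# -gt 0 ]; then run_preflight "$1"; fi
```

Run the script from the host that will execute the deployment package, since the egress checks test that host's path to the endpoints rather than the cluster's; a PASS there does not prove the EKS worker nodes can reach the same hosts, so the cluster's security groups and NAT route should be reviewed separately.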
Step by Step Instructions
Satori provides customers with a deployment package containing a Helm chart that is pre-configured for the customer and the cloud region. Install the package's Python dependencies, then run the deployment:
pip3 install -r requirements.txt
python3 satori.py deploy