AWS for M&E Blog

Securing studio IP in AWS: Cloud-based VFX project management with Autodesk Shotgun

In this blog post, we walk you through the architecture of Autodesk Shotgun Private Cloud, a cloud-based VFX Project Management application running on AWS. Autodesk Shotgun simplifies creative project management and unifies visual effects (VFX), animation, and games teams of all sizes. Shotgun is a scalable on-demand platform that can support anywhere from a few users to thousands, and it is used by 1000+ studios globally to track millions of tasks each day. Through this walk-through of the Shotgun Private Cloud SaaS application, we show how you can secure your products and applications in the AWS Cloud using native AWS security services and features to build a robust SaaS application that addresses the stringent security needs of your customers.

In the media and entertainment industry, security is critical for all studios and customers. Because the security landscape is so important and ever-changing, world-class protection and dependability are central to Shotgun’s operations. So when Shotgun decided to launch its enterprise cloud platform on AWS, security was paramount to the design. Our goal was to provide the largest studios and enterprise users the same confidence to collaborate in a closed-network pipeline as they have with an on-premise installation. Over the past two years, we have worked closely with AWS to develop their cloud offering.

“AWS security services and features evolved our client cloud migration discussions from “why” to “when”. Shotgun Private Cloud offers the best of both worlds: scalability and ease of use of SaaS while allowing clients full control of their sensitive content.” Guillaume Brossard, Engineering Manager at Autodesk Inc

To give some background, Autodesk is a leader in 3D design, engineering, and entertainment software. Autodesk makes software for people who make things. If you’ve ever driven a high-performance car, admired a towering skyscraper, used a smartphone, or watched a great film, chances are that you’ve experienced what millions of Autodesk customers are doing with their software.

Autodesk has been an AWS Partner Network Advanced Technology Partner for more than six years, enabling customers to leverage the benefits of cloud computing technology to design, engineer, and build products in the entertainment, manufacturing, and construction industries. An “all-in” customer of AWS, Autodesk chose it as their preferred platform to host Shotgun Private Cloud because of its best-in-class performance, security, reliability, services, and features. Later in the blog we’ll show you how Shotgun leverages specific AWS security and database services to achieve their design goals. 

It was important to ensure that the architecture of the Shotgun Private Cloud satisfy the security needs of some of the biggest studios around the world who require the most stringent standards for protecting sensitive studio Intellectual Property (IP). It was also imperative that Shotgun traffic be isolated from the public internet, which has been achieved with AWS PrivateLink service. To that end, AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity—between Amazon VPC, AWS services, and on-premises applications—securely on the Amazon network. It enables studios to securely connect their own application services on AWS by creating their own AWS PrivateLink-powered service (endpoint service), enabling other AWS customers secure access to it. Since traffic between a studio’s VPC and any one of these services does not leave the Amazon network, an Internet gateway, NAT device, public IP address, or VPN connection is no longer needed.

From here on out we will refer to Shotgun Cloud for Enterprise with Private Networking and Media Isolation offering as Shotgun Private Cloud.

AWS PrivateLink Solution

This is a high-level architecture diagram of the implementation of Autodesk’s Shotgun Private Cloud:

Below are the steps on how Shotgun Private Cloud PrivateLink endpoint service was created and secured (numbers in yellow above):

  1. Shotgun Private Cloud is fronted by an Application Load Balancer in Autodesk’s private, shared AWS account for multi-tenant microservices hosting. This private Application Load Balancer is in turn fronted by a Network Load Balancer in a Shotgun-specific AWS account.
  2. The Network Load Balancer is configured for each subnet (Availability Zone) in which the service is available in Shotgun’s VPC. The subnets, by design, are all private.
  3. Shotgun’s private Network Load Balancer is configured as the endpoint for the AWS PrivateLink configuration in the VPC (the endpoint service powered by AWS PrivateLink).

These are the specific steps Shotgun takes to ensure only authorized service consumers are allowed to connect to the service:

  • Shotgun administrators grant permissions to specific service consumers (AWS accounts, IAM users, and IAM roles) to create a connection to the Shotgun endpoint service.
  • A service consumer, such as a studio whose account has been granted permissions, can then create an interface endpoint to access the Shotgun enterprise cloud application. This interface endpoint creates an elastic network interface in the consumer’s subnets with a private IP address that serves as an entry point for traffic destined to the service (see #3 in the diagram).
  • Shotgun administrators receive a notification about the new connection request. To activate the connection, the administrators accept the interface endpoint connection request from the consumer.

This combination of permissions and acceptance settings helps control which service consumers (AWS principals) can access the Shotgun service securely over the AWS network without ever traversing the internet.
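One way to check that both controls described above are still in force is to audit saved API output. This is an added example, not Autodesk's or AWS's code: the dictionaries mirror the EC2 DescribeVpcEndpointServiceConfigurations, DescribeVpcEndpointServicePermissions and DescribeVpcEndpointConnections responses, and the function name, service and endpoint IDs, and account numbers are constructed.

```python
# Added example: audit a PrivateLink endpoint service from saved describe-* output.
# All IDs and account numbers are constructed placeholders, not real resources.

ACTIVE_STATES = {"pendingacceptance", "pending", "available"}

def audit_endpoint_service(config, permissions, connections, approved_accounts):
    """Return findings where the permission or acceptance control is weakened."""
    findings = []
    sid = config["ServiceId"]
    if not config.get("AcceptanceRequired", False):
        findings.append(f"{sid}: AcceptanceRequired is false, requests connect without review")
    for entry in permissions.get("AllowedPrincipals", []):
        principal = entry["Principal"]
        if principal == "*":
            findings.append(f"{sid}: wildcard principal lets any AWS account request a connection")
            continue
        parts = principal.split(":")  # arn:aws:iam::<account>:root | user/.. | role/..
        account = parts[4] if len(parts) > 4 else ""
        if account not in approved_accounts:
            findings.append(f"{sid}: principal {principal} is not an approved consumer")
    for conn in connections.get("VpcEndpointConnections", []):
        if conn["ServiceId"] != sid:
            continue
        state = conn["VpcEndpointState"].lower()
        owner = conn["VpcEndpointOwner"]
        if state in ACTIVE_STATES and owner not in approved_accounts:
            findings.append(f"{sid}: endpoint {conn['VpcEndpointId']} owned by {owner} "
                            f"is {state} but the owner is not approved")
    return findings

# Constructed sample data.
SAMPLE_CONFIG = {"ServiceId": "vpce-svc-0example0000000001", "AcceptanceRequired": True}
SAMPLE_PERMISSIONS = {"AllowedPrincipals": [
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::111111111111:root"},
    {"PrincipalType": "Role", "Principal": "arn:aws:iam::333333333333:role/pipeline"},
]}
SAMPLE_CONNECTIONS = {"VpcEndpointConnections": [
    {"ServiceId": "vpce-svc-0example0000000001", "VpcEndpointId": "vpce-0example00000000a",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
    {"ServiceId": "vpce-svc-0example0000000001", "VpcEndpointId": "vpce-0example00000000b",
     "VpcEndpointOwner": "333333333333", "VpcEndpointState": "pendingAcceptance"},
]}
APPROVED = {"111111111111", "222222222222"}

if __name__ == "__main__":
    for line in audit_endpoint_service(SAMPLE_CONFIG, SAMPLE_PERMISSIONS,
                                       SAMPLE_CONNECTIONS, APPROVED):
        print(line)
```

On the constructed data, the audit reports the unapproved role principal and the pending connection request from the same unapproved account.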

Amazon S3 Endpoint

In addition to AWS PrivateLink, Autodesk Shotgun Private Cloud leverages VPC Gateway Endpoints to ensure that all traffic from within the Shotgun VPC to Amazon S3 travels securely on the Amazon network. The gateway endpoint is used as the target of a route in the subnet’s route table for traffic destined for Amazon S3. All Shotgun Private Cloud consumers have their own AWS accounts, with clear boundaries and a path for accessing the service over their own PrivateLink Interface Endpoint. Each consumer has total control over their account and governance policies, such as encryption needs for S3 buckets and which buckets and prefixes are accessible by the Shotgun application.

Security and Compliance

Shotgun Private Cloud has been designed with security at its core, relying heavily on the Amazon Well Architected Framework. This framework is designed to help cloud architects build secure, high-performing, and resilient infrastructure for their cloud applications. Special care has been placed on the security and reliability pillars.

The security pillar focuses on protecting the data stored by users in the Shotgun application. This pillar includes implementation topics such as confidentiality and integrity of data, but also operational topics like key management, separation of concerns, and security controls. Penetration tests, threat modeling exercises, and internal security review by the Autodesk Security team are practices required to secure this pillar.

The reliability pillar pushed Shotgun Cloud Architects to think about redundancy, uptime, and failure recovery. Compliance with the reliability pillar calls for a service to ensure no single point of failure in the system, and that it can recover from data storage failure at any point in time. To validate that Shotgun meets the reliability pillar, Shotgun Private Cloud subjects its systems to simulated failure incidents and external attacks, like database master instance failure, distributed denial of service attacks (DDoS), DNS attacks, etc.

Shotgun’s Cloud application passed the Amazon Well Architected Review in July. All recommendations following that review—done in conjunction with Amazon Cloud Architects—have been addressed. As a result of these efforts, Shotgun infrastructure and development processes comply with the highest security standards, positioning Shotgun for SOC-2 certification next year.

Separation of Concerns 

In line with the Separation of Concerns (SoC) design principle, Autodesk Shotgun architecture has isolation of planes for data, control, and user. For data security, Shotgun’s Aurora PostgreSQL database clusters and S3 buckets are hosted independently in a Shotgun-specific AWS account. 

For control plane isolation, the Shotgun cloud application runs in Autodesk’s shared application account where each tenant’s processes have their own isolated environment (containers) and control boundaries. 

User isolation is achieved by each consumer of the Shotgun cloud application having their own AWS account and accessing Shotgun Private Cloud only via the authorized pre-configured AWS PrivateLink endpoint. With IAM roles, customers can grant third parties, such as Shotgun Private Cloud in this specific case, access to their AWS resources without sharing any AWS security credentials. The Shotgun application at run time assumes a cross-account IAM role as per the customer’s IAM policies to safely access customer’s S3 buckets and media files. If the customer’s buckets are encrypted using SSE-S3 or SSE-KMS, the customer’s IAM policies must provide appropriate permissions in KMS to securely decrypt the data during run time. This provides customers with the flexibility to set up their AWS resources, such as S3 bucket encryption and access methodology as per their organizational policies, and only allow Shotgun access to specific S3 prefixes and objects as needed. In this way customers maintain control over their buckets and media files. In addition, all S3 traffic to and from a customer and Shotgun happens securely over the S3 Endpoint on AWS backbone.
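A customer can check the permissions policy on the role that the application assumes before handing over the role ARN. The sketch below is an added example, not Autodesk's or AWS's code: the function name, bucket name, prefix and KMS key ARN are hypothetical, and it covers the SSE-KMS case only.

```python
# Added example: lint the permissions policy of a cross-account role so that a
# third party only reaches approved S3 prefixes. Names below are constructed.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_policy(policy, bucket, allowed_prefixes, sse_kms=False):
    """Return findings for over-broad S3 or KMS grants in an IAM policy document."""
    findings, can_decrypt = [], False
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(a.startswith("s3:") or a == "*" for a in actions):
            for res in resources:
                if res == bucket_arn:
                    continue  # bucket-level ARN, needed for s3:ListBucket
                if not any(res.startswith(f"{bucket_arn}/{p}") for p in allowed_prefixes):
                    findings.append(f"S3 access not limited to an allowed prefix: {res}")
        if any(a in ("kms:decrypt", "kms:*", "*") for a in actions):
            can_decrypt = True
            if "*" in resources:
                findings.append("kms:Decrypt allowed on every key; scope it to the bucket's key")
    if sse_kms and not can_decrypt:
        findings.append("bucket uses SSE-KMS but the role has no kms:Decrypt; reads will fail")
    return findings

# Constructed sample policies.
BUCKET = "studio-media-example"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/shotgun/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
]}

if __name__ == "__main__":
    print(check_role_policy(SCOPED_POLICY, BUCKET, ["shotgun/"], sse_kms=True))
    print(check_role_policy(BROAD_POLICY, BUCKET, ["shotgun/"], sse_kms=True))
```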

Data Persistence and Security

Shotgun Private Cloud uses Amazon S3 to store media files. Amazon S3 offers industry-leading data availability, security, and performance at scale. It allows Shotgun to store data and secure it from unauthorized access with encryption features and access management tools. S3 is the only object storage service that allows customers to block public access to all objects at the bucket or the account level with S3 Block Public Access. S3 also helps Shotgun meet regulatory requirements by providing auditing capabilities to monitor access requests to S3 resources. All Shotgun Private Cloud data on Amazon S3 is encrypted at rest with 256-bit AES AWS Server Side Encryption. Media stored on Shotgun’s Amazon S3 buckets are backed up across availability zones in the region with an AWS durability SLA of 99.999999999%. 

Shotgun uses Amazon Aurora PostgreSQL database for back-end application data persistence. It offers a distributed, fault-tolerant, self-healing storage system that auto-scales up. Aurora delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs). Shotgun Private Cloud leverages multiple levels of security with Amazon Aurora PostgreSQL database, including network isolation with Amazon VPC, encryption at rest using keys created and controlled by Shotgun via AWS Key Management Service (KMS), and encryption of data in transit using SSL. With an encrypted Amazon Aurora instance, data in the underlying storage is encrypted, as are the automated backups, snapshots, and replicas in the same cluster. Shotgun Tier1 Cloud stores user passwords in Amazon Aurora PostgreSQL; they are hashed and salted using a cryptographically strong hashing algorithm with a high number of iterations and a randomly generated salt. Only the salt and the resulting hash are actually stored persistently in the database. Aurora PostgreSQL database cluster volumes are automatically backed up and retained for a period of 35 days. Backups are continuous and incremental, allowing for quick restorations to any point within the backup retention period. In addition, manual snapshots are taken daily.

Additional Security Measures 

Within Autodesk’s shared application AWS account and Shotgun’s AWS account, there are several AWS native security services used concurrently to ensure data and communication in respective accounts are secure. These include AWS CloudTrail, AWS GuardDuty, AWS Shield, AWS IAM with MFA, and AWS Key Management Services.

Results and Adoption

Shotgun Private Cloud was announced at Siggraph in July 2019. It has been a breakthrough offering for many clients previously constrained to an on-premise solution because of their strict security posture. These clients now have an option that gives them access to the full value of Shotgun as a SaaS offering and keeps them in compliance with security requirements to keep all data off the public internet. 

Clients have inquired about Shotgun Private Cloud in lieu of our on-premise solution for several reasons: 

  • Security. Clients have confidence in the Shotgun security and infrastructure teams’ active investment in updating and patching the service against newly discovered vulnerabilities. Backed by Autodesk and AWS, the service is continuously audited, both internally and by external security auditors, to make sure the system remains impenetrable. 
  • Maintenance and cost. Hosting Shotgun on-premise requires specific expertise and infrastructure. With Shotgun Cloud solutions, Shotgun maintains responsibility for upkeep and infrastructure. This allows our clients to focus their time and money on their creative products instead of operations.
  • Performance. Adoption of Shotgun Cloud allows clients to tap into a fully scalable architecture, forming a foundation for additional optimizations and complexities that face globally distributed studios in an extremely competitive industry.

The Shotgun Private Cloud technology is in the technical preview stage. The Autodesk teams are working closely with a small group of customers to validate the design in production. Read more about Autodesk’s collaboration with Animal Logic and its use of Shotgun Enterprise Cloud with PrivateLink on the Shotgun Blog.

What’s Next

Autodesk is planning to announce General Availability of Shotgun Private Cloud in the upcoming months. With Shotgun Private Cloud, it is Autodesk’s goal to provide optimum performance for studios working collaboratively in locations across the globe. To that end, Autodesk intends to explore the possibility of replicating client assets stored on S3 in different regions. Bringing content closer to users, regardless of their personal location, will improve the experience of users working in satellite offices.

The media and entertainment industry has a strong tradition of in-house technology innovation and customization. For many companies hosting everything on their own infrastructure, migrating to cloud services runs counter to conventional wisdom. And that is why, in this market, SaaS and cloud services providers must deliver services without asking their clients to sacrifice their internal security standards for handling content. Autodesk Shotgun’s use of AWS native services and practices has delivered that security and is a viable solution that meets and exceeds the highest security standards of the industry.

Authors 

Guillaume Brossard is the Engineering Manager and Product Owner for the Shotgun Cloud Infrastructure team. He lives in Montreal and leads the team responsible for the architecture and maintenance of all Shotgun offerings. He has worked in various industries gravitating around cloud services, graphics, rendering and AI.

David Richer is the tech lead for the Shotgun Cloud Infrastructure team. He lives in Montreal and enjoys the snow for 6 months every year. He has been leading the effort to migrate Shotgun to AWS infrastructure and define the new Shotgun Private Cloud architecture.

Sona Rajamani

Sona Rajamani is a Solutions Architect at AWS. She lives in the San Francisco Bay area and helps customers architect and optimize applications on AWS. In her spare time, she enjoys traveling and hiking.