This Guidance helps you gain visibility into all workload types through integration with Caveonix Cloud. That visibility gives you a clearer picture of your security compliance and assurance posture. When security findings are detected, this Guidance provides the ability to automate remediation so you can maintain your security stance. Additionally, you can easily share findings with the necessary stakeholders, ranging from data analysts to audit teams to the Chief Information Security Officer (CISO).
[Architecture diagram description]
Subscribe to Caveonix Cloud and select the appropriate subscription tier. The product is listed on the AWS Marketplace, and private offers are commonly used to negotiate a discount. The Caveonix Cloud Portal and Central Collector are software-as-a-service (SaaS) components managed by Caveonix. The Central Collector queries AWS, VMware Cloud on AWS, and other APIs.
Deploy an Enterprise Collector (EC) appliance inside the VMware Cloud on AWS environment. The EC role performs subnet and virtual machine scanning and includes the Remote Collector (RC) role. A dedicated RC can be deployed in networks unreachable by the EC.
The RC pushes findings and configuration data to the EC. The EC pushes findings and configuration data to the Central Collector. Data is always pushed outwards using HTTPS, and no firewall ports need to be opened inbound.
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
This Guidance integrates with Security Hub in a bi-directional manner by passing findings and configuration information between Security Hub and Caveonix Cloud. This provides visibility across cloud and on-premises infrastructure. Caveonix Cloud brings additional scanning capabilities to AWS tools such as Security Hub by extending operational visibility to both data center and other cloud workloads.
Security Hub provides aggregation of findings and reporting on security and compliance. The Guidance enhances this security posture by integrating findings from non-AWS systems. Compliance is continuously updated, and reporting is provided self-service to all data consumers, from the CISO to audit teams.
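The Security Hub side of the exchange described above, as an added example that is not part of this Guidance and not Caveonix's or AWS's code: it translates a constructed external scanner finding into the AWS Security Finding Format (ASFF), checks the attributes Security Hub requires, batches the import at the 100-finding limit of BatchImportFindings, and builds the GetFindings filter that selects the same product's findings for the reverse direction. The scanner finding's keys, the account ID and region, and the in-memory RecordingClient are assumptions made for the example; with a real boto3 client the same functions talk to Security Hub.

```python
"""Two-way exchange with AWS Security Hub in ASFF (added example, not Caveonix/AWS code)."""
from datetime import datetime, timezone

# Attributes Security Hub requires on every ASFF finding.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
# Scanner severity word -> ASFF Severity.Label (mapping is an assumption).
SEVERITY_LABELS = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM",
                   "low": "LOW", "info": "INFORMATIONAL"}
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed sample finding; the key names are hypothetical, not a real export schema.
SAMPLE_SCANNER_FINDING = {
    "finding_id": "vm-0042/cis-esxi-2.1",
    "asset_id": "vm-0042",
    "control": "CIS VMware ESXi Benchmark 2.1",
    "severity": "high",
    "title": "Host time synchronization not configured",
    "detail": "NTP is not configured, so audit log timestamps cannot be trusted.",
    "detected_at": "2024-03-01T10:15:00Z",
}


def product_arn(region, account_id):
    """Product ARN Security Hub assigns to findings an account imports itself."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def to_asff(finding, account_id, region, now=None):
    """Translate one scanner finding (shape above) into an ASFF document."""
    if now is None:
        now = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    label = SEVERITY_LABELS.get(finding["severity"].lower())
    if label is None:
        raise ValueError(f"unknown severity {finding['severity']!r}")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{finding['finding_id']}",  # must be unique per finding
        "ProductArn": product_arn(region, account_id),
        "GeneratorId": finding["control"],
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/"
                  "CIS Host Hardening Benchmarks"],
        "CreatedAt": finding["detected_at"],
        "UpdatedAt": now,
        "Severity": {"Label": label},
        "Title": finding["title"],
        "Description": finding["detail"],
        # A VM outside AWS has no AWS resource type, so it is reported as "Other".
        "Resources": [{"Type": "Other", "Id": finding["asset_id"], "Region": region}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def validate_asff(doc):
    """Return the required ASFF attributes that are missing or empty in doc."""
    return [key for key in ASFF_REQUIRED if not doc.get(key)]


def import_findings(docs, client=None):
    """Push ASFF documents to Security Hub in batches; returns (success, failed) counts."""
    bad = [d.get("Id") for d in docs if validate_asff(d)]
    if bad:
        raise ValueError(f"findings missing required ASFF attributes: {bad}")
    if client is None:
        import boto3  # imported lazily so the translation logic runs without the SDK
        client = boto3.client("securityhub")
    success = failed = 0
    for start in range(0, len(docs), BATCH_LIMIT):
        resp = client.batch_import_findings(Findings=docs[start:start + BATCH_LIMIT])
        success += resp.get("SuccessCount", 0)
        failed += resp.get("FailedCount", 0)
    return success, failed


def pull_filter(region, account_id, days=7):
    """GetFindings filter for this product's active findings updated in the last `days`
    (the reverse direction: reading Security Hub state back into the external tool)."""
    return {
        "ProductArn": [{"Value": product_arn(region, account_id), "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "UpdatedAt": [{"DateRange": {"Value": days, "Unit": "DAYS"}}],
    }


class RecordingClient:
    """Stand-in for boto3's securityhub client so the example runs offline (assumption)."""
    def __init__(self):
        self.batch_sizes = []

    def batch_import_findings(self, Findings):
        self.batch_sizes.append(len(Findings))
        return {"SuccessCount": len(Findings), "FailedCount": 0}


if __name__ == "__main__":
    doc = to_asff(SAMPLE_SCANNER_FINDING, "123456789012", "us-east-1")
    print("missing attributes:", validate_asff(doc))
    print("imported:", import_findings([doc] * 250, client=RecordingClient()))
    print("pull filter:", pull_filter("us-east-1", "123456789012"))
```

The batch loop exists because a single oversized BatchImportFindings call is rejected outright rather than partially accepted, and the validation step runs before any network call so a malformed finding never reaches the service.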
VMware Cloud on AWS and Caveonix Cloud provide a cluster for the virtual machines, consisting of two or more physical EC2 hosts. In the event of failure, the virtual machines can fail over to the alternative running host.
VMware Cloud on AWS has the ability to democratize advanced technologies by offering management of the VMware Software Defined Data Center (SDDC). This includes patch management and secure operations of this software stack, helping you to focus on your business and application layer rather than on the software and underlying AWS-hosted infrastructure. You can offload your VMware infrastructure management tasks with the confidence that VMware Cloud on AWS manages VMware workloads in a way that is aligned to VMware management best practices.
Caveonix Cloud allows you to maintain both your VMware virtual machines and EC2 instances within AWS. This SaaS offering can also be extended into on-premises data centers, providing one common tool to maintain and enforce your security and compliance posture. A central view of all assets mapped to related applications provides a global view across cloud and data center environments. This allows you to track resource usage, identify orphaned systems, and provide configuration management governance so you can identify opportunities for cost optimization across all workloads.
The AWS data centers that host the services in this Guidance have been designed to offer a lower carbon footprint compared to traditional, on-premises data centers. AWS data centers are optimized for sustainability and scale resources based on demand.
A detailed guide is provided for experimenting with and using this Guidance within your AWS account. It covers each stage of working with the Guidance, including deployment, usage, and cleanup.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.