Cloud Account
How does Formal integrate with your cloud provider?
Formal supports self-managed deployments for users who keep their data on-premises or in a private cloud such as a VPC. Users can connect on-premises data sources and cloud data platforms running on Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Managed Cloud model
How does the managed cloud model work?
Formal supports two different methods for deploying into your infrastructure.
- AWS PrivateLink: In this setup, Formal's resources are deployed in a shared AWS account. The customer grants Formal access to a private VPC, and Formal grants the customer access to a private VPC in that shared account.
- Cross-account IAM role: In this setup, the customer grants Formal permission to deploy resources in the customer's own account through an IAM role.
AWS PrivateLink
If the customer does not want Formal to deploy resources directly in their account, Formal can create a sub-account in their AWS organization and grant the customer access to this account through a VPC endpoint. Likewise, the customer allows Formal to communicate with their VPC via a VPC endpoint.
Cross-account IAM role methodology
Developing a product that has direct access to a company's infrastructure requires extreme diligence, and we take this responsibility very seriously. To make sure the integration is as secure as possible, Formal implements the Cross-Account IAM Role methodology.
This method works by creating an IAM role in the customer's AWS account with a specific set of permissions, and then specifying which other IAM roles are permitted to "assume" that role.
With the Managed Cloud deployment model, the Formal infrastructure can be deployed in all AWS regions. Although the CloudFormation stack used to create this integration must be created in either us-east-1 or eu-west-1, the stack's only function is to create the Cross-Account IAM role in your AWS account. That IAM role, like all IAM roles, is global rather than regional, so Formal can use it to deploy infrastructure in whatever region a Formal user chooses.
Formal’s Cross-Account IAM Role architecture
In the Formal AWS account we create an IAM user and an IAM role per customer. The IAM user is allowed to assume that IAM role, and that role in turn is the one configured to assume the role in the customer's account. This pattern is called role chaining; it keeps the user separate from the role and lets Formal make API calls on behalf of the customer.
One more layer of security we employ is the External ID. This is a unique ID we generate per customer account and supply when the IAM role in the customer's account is created. The role grants access only if that specific ID is supplied in the AssumeRole call. The primary function of the External ID is to prevent a malicious user from guessing the ARN of another Formal user's IAM role and submitting a connection to Formal claiming to own that ARN: because the External IDs will not match between accounts, the attempt to assume the role fails. Without an External ID, a malicious user could acquire all the same privileges as the compromised account.
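As an added illustration (not Formal's own template or code), here is the trust policy such a customer-side role carries and a simplified evaluation of how the sts:ExternalId condition denies a caller that knows the role ARN but not the External ID. The account IDs, role name and External ID are constructed placeholders.

```python
import json
from typing import Optional

# Constructed placeholder values; not Formal's real account, role or IDs.
CUSTOMER_ACCOUNT = "111111111111"
FORMAL_ACCOUNT = "222222222222"
FORMAL_ROLE_ARN = f"arn:aws:iam::{FORMAL_ACCOUNT}:role/formal-customer-{CUSTOMER_ACCOUNT}"
EXTERNAL_ID = "example-external-id-generated-per-customer"


def build_trust_policy(trusted_role_arn: str, external_id: str) -> dict:
    """Trust policy for the role created in the customer's account.

    Only the per-customer role in the Formal account may assume it, and only
    when the AssumeRole call carries the matching External ID.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": trusted_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_allowed(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified trust-policy evaluation for one AssumeRole request.

    Models an explicit Allow on a matching principal whose StringEquals
    conditions all hold; Deny statements and wildcards are not modelled.
    """
    request_ctx = {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != caller_arn:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # A missing or wrong ExternalId never satisfies StringEquals.
        if all(request_ctx.get(key) == value for key, value in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(FORMAL_ROLE_ARN, EXTERNAL_ID), indent=2))
```

The denied cases are the confused-deputy scenario from the text: the trusted Formal role itself is the caller, but the External ID it was handed by a third party does not match the one baked into the customer's trust policy.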
How to integrate your cloud account
Connect your cloud provider account
First Step
Navigate to the Cloud Account application.
Second Step
Click on the Add Integration button.
Third Step
Select the cloud provider of your choice.
Deploy a Formal Sidecar in your infrastructure
When deploying a Proxy using Managed Cloud, you will need two more pieces of information:
- Specify the connected cloud account.
- The VPC ID.