The Shared-Responsibility Model
When you define where your App is installed, the permissions it needs, the customer systems it needs to integrate with, and so on, you are effectively defining a contract with your customer. These choices set the expectations they have for how your App will behave in their account. To build and maintain trust, you do not want them to be surprised by something your App does in their account. It's worth asking a few questions about your App before going into production.
- Will your App be deployed into an isolated or customer-managed network?
- What permissions will your App require?
- What security requirements will your customer have?
- Will these requirements vary across customers?
- Are there things your customer will want to configure to manage costs?
Customer-Managed Networks
As we've mentioned before, we recommend deploying your App into its own, isolated network. This tends to keep permissions simpler, reduce the blast radius of any production issues, and make it easy to monitor and control data going in and out of the App. But isolation may not work for all Apps, and some customers will require that you deploy into a network that they manage. In these cases, there are a few things you can do to contain your App within a network you do not manage.
- Place your App resources in their own subnets to control egress and ingress
- Place your resources in security groups to control their access to other parts of the network
- Apply permissions boundaries to the IAM roles your resources use to limit the actions they can take
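The three controls above can be declared together in one template. The following is an added example, not part of the original guidance: it assumes AWS CloudFormation, and every name, CIDR range and the bucket ARN in it is a constructed placeholder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  CustomerVpcId:
    Type: AWS::EC2::VPC::Id          # the VPC the customer manages
  AppSubnetCidr:
    Type: String
    Default: 10.0.42.0/24            # constructed value; agree the range with the customer
  AllowedEgressCidr:
    Type: String
    Default: 10.0.0.0/16             # constructed value; the only destination the App may reach
Resources:
  AppSubnet:                         # dedicated subnet, so route tables and NACLs can gate App traffic
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CustomerVpcId
      CidrBlock: !Ref AppSubnetCidr
  AppSecurityGroup:                  # no ingress rules: nothing else in the VPC can connect in
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App workloads only
      VpcId: !Ref CustomerVpcId
      SecurityGroupEgress:           # listing a rule replaces the default allow-all egress
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AllowedEgressCidr
  AppBoundary:                       # ceiling on what any App role can ever be granted
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["s3:GetObject", "s3:PutObject"]
            Resource: "arn:aws:s3:::example-app-bucket/*"   # placeholder bucket
          - Effect: Allow
            Action: ["logs:CreateLogStream", "logs:PutLogEvents"]
            Resource: "*"
  AppRole:                           # the boundary grants nothing itself; it caps attached policies
    Type: AWS::IAM::Role
    Properties:
      PermissionsBoundary: !Ref AppBoundary
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
```

Any policy later attached to `AppRole` is effective only where it overlaps with `AppBoundary`, so an over-broad grant cannot exceed what the customer reviewed.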