Data Flow Diagram

Summary

This document gives a high-level view of the data flow for our environment. It covers where data enters and leaves the environment, how data is protected in transit, and how data is protected at rest.

High Level Data Flow Diagram

The diagram below represents the high-level ACE data flow, effective June 2021.

[Image: high-level ACE data flow diagram, from the original wiki uploads]

Key Points

  • Our infrastructure automation, based on Terraform, encrypts data at rest and in transit by default.
  • There was one case where the automation was misconfigured when bringing up monitoring tools in the Services VPC. As a result, these hosts have some EBS volumes that are not encrypted at rest. The hosts contain only monitoring data about the environment; no sensitive data is stored on these volumes. A fix is planned.
  • All applications served from our environment are accessible only over HTTPS. Where HTTP is used, it redirects to HTTPS.
  • Each application deployed in our environment has its own SRA, which will include more details about data flow.
  • The transit VPC does not contain any applications or services consumed by our customers. The transit VPC connects multiple VPCs in our AWS account, as well as the Roche data center, in order to create a network transit center for our environment. See the AWS documentation for more details.
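
The first two key points describe encryption at rest that depends on the Terraform automation being configured correctly. The added example below (not part of the original page or of our automation) shows one way to catch that kind of misconfiguration before apply, by scanning the JSON form of a plan for EBS storage that is not explicitly encrypted. The resource and module names in the sample are constructed, and the check assumes encryption is set explicitly in the configuration rather than inherited from an account-level default.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# The resource names and the module name are made up for illustration.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "aws_ebs_volume.app_data", "type": "aws_ebs_volume", "values": {"encrypted": true}}
    ],
    "child_modules": [{
      "address": "module.monitoring",
      "resources": [
        {"address": "module.monitoring.aws_instance.collector", "type": "aws_instance",
         "values": {
           "root_block_device": [{"encrypted": true}],
           "ebs_block_device": [{"device_name": "/dev/sdf", "encrypted": false}]}},
        {"address": "module.monitoring.aws_ebs_volume.metrics", "type": "aws_ebs_volume", "values": {"size": 500}}
      ]
    }]
  }}
}
""")

def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def unencrypted_volumes(plan):
    """Return addresses of planned EBS storage that is not explicitly encrypted."""
    findings = []
    for res in walk(plan.get("planned_values", {}).get("root_module", {})):
        values = res.get("values") or {}
        if res["type"] == "aws_ebs_volume":
            # A missing value means unset or unknown until apply; treat it as a finding.
            if values.get("encrypted") is not True:
                findings.append(res["address"])
        elif res["type"] == "aws_instance":
            for block in ("root_block_device", "ebs_block_device"):
                for i, dev in enumerate(values.get(block) or []):
                    if dev.get("encrypted") is not True:
                        name = dev.get("device_name", i)
                        findings.append(f"{res['address']}:{block}[{name}]")
    return findings

if __name__ == "__main__":
    print("\n".join(unencrypted_volumes(SAMPLE_PLAN)))
```

An instance that declares no root_block_device block is not flagged, because its root volume settings do not appear in the plan; enabling EBS encryption by default at the account level covers that case.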