Architecture Overview

1. ECS is the core of our application, which hosts 4 types of services.

   1. The Console service is utilized for configuration of our product and provides the main communication to other AWS services. It also surfaces data from our product for user analysis.

   2. The API Agent provides an endpoint where files can be sent and scanned before entering a storage volume.

   3. The Event Agent scans files as they land into an S3 bucket by leveraging SNS and SQS.

   4. The Scheduled & On-demand Agent scans pre-existing objects in a storage volume using Fargate Run Tasks.

2. Users and apps can log into our management console service through Cognito, or send files directly to our API scanning agent through a load balancer.

3. Objects can be uploaded either directly into the supported storage volumes or uploaded to S3 via our API Agent.

4. In AWS, we currently scan S3, EBS, EFS, and FSx.

5. Integrations are handled through our Console service.

6. The Console stores and reads configuration details from DynamoDB and Parameter Store, for example to ensure consistency when scaling agents or restarting tasks.

7. The Console logs all application activity in CloudWatch, which can be integrated with most SIEM tools.

1. ECS is the core of our application, which hosts 4 types of services.

   1. The Console service is utilized for configuration of our product and provides the main communication to other AWS services. It also surfaces data from our product for user analysis.

   2. The API Agent provides an endpoint where files can be sent and scanned before entering a storage volume.

   3. The Event Agent scans files as they land into an S3 bucket by leveraging SNS and SQS.

   4. The Scheduled & On-demand Agent scans pre-existing objects in a storage volume using Fargate Run Tasks.

2. Users and apps can log into our management console service through Cognito, or send files directly to our API scanning agent through a load balancer.

3. Objects can be uploaded either directly into the supported storage volumes or uploaded to S3 via our API Agent.

4. In AWS, we currently scan S3, EBS, EFS, and FSx.

5. Integrations are handled through our Console service.

6. The Console stores and reads configuration details from DynamoDB and Parameter Store, for example to ensure consistency when scaling agents or restarting tasks.

7. The Console logs all application activity in CloudWatch, which can be integrated with most SIEM tools.

8. To scan objects in regions separate from the Intial Deployment Region, we spin up Scanning Agents in that region to perform scans so the files never leave the region. Results are then sent back to the Console service.

9. All application information that takes place in secondary deployment regions are logged into that region's CloudWatch log groups.

1. ECS is the core of our application, which hosts 4 types of services.

   1. The Console service is utilized for configuration of our product and provides the main communication to other AWS services. It also surfaces data from our product for user analysis.

   2. The API Agent provides an endpoint where files can be sent and scanned before entering a storage volume.

   3. The Event Agent scans files as they land into an S3 bucket by leveraging SNS and SQS.

   4. The Scheduled & On-demand Agent scans pre-existing objects in a storage volume using Fargate Run Tasks.

2. Users and apps can log into our management console service through Cognito, or send files directly to our API scanning agent through a load balancer.

3. Objects can be uploaded either directly into the supported storage volumes or uploaded to S3 via our API Agent.

4. In AWS, we currently scan S3, EBS, EFS, and FSx.

5. Integrations are handled through our Console service.

6. The Console stores and reads configuration details from DynamoDB and Parameter Store, for example to ensure consistency when scaling agents or restarting tasks.

7. The Console logs all application activity in CloudWatch, which can be integrated with most SIEM tools.

8. To scan objects in regions separate from the Intial Deployment Region, we spin up Scanning Agents in that region to perform scans so the files never leave the region. Results are then sent back to the Console service.

9. All application information that takes place in secondary deployment regions are logged into that region's CloudWatch log groups.

10. For multiple accounts, the Console deploys a Cross Account Role with permissions so that CSS services can access and scan storage volumes from separate accounts. Note that scanning infrastructure remains in the primary AWS account where your Console was deployed. Similar to a multi-region deployment, CSS will spin up Scanning Agents in each region where data is scanned.

When linking an account in the CSS console, we deploy resources in the new CSS Resource Group created in Azure. Those resources will have access to the Blob Containers that reside within the linked Azure Account.

Once the Azure Account is linked, Azure Blob Containers will be made available to be scan through the CSS Console in the Protection > Azure Blob Containers page. You can select blob containers to scan or run scans on a schedule basis.

We offer two types of scanning for Azure: Event-Scanning and Retro Scanning.

Event-based scanning scans files as they drop into the Blob Container.

1. Users upload data to storage containers.

2. The storage account's system topic has an Event Grid Subscription tied to it that points to Azure Queue Storage as its event handler.

3. The Azure Queue Storage receives information about the object via the Event Grid Subscription.

4. The Container Application pulls information from the queue and scans the object that the notification refers to.

5. Results are tagged onto the object.

6. Results and metering are sent back to the CSS Console.

Retro-based scanning scans the entire Blob Container.

1. Users upload data to storage containers.

2. The Container Application runs a Crawl Job that evaluates the items to be scanned.

3. The Crawl Job places objects in Azure Queue Storage.

4. The Container Application pulls information from the queue and runs a Scan Job to scan the objects in the Queue.

5. Results and metering are sent back to the CSS Console.

Excluding the Event Grid Subscription, note that all of these resources and cross-permissions are only deployed inside of the CSS Resource Group through the Azure Resource Manager. The rest of the organizations and projects inside of your Azure account remain untouched.

When linking an account in the CSS console, we deploy resources in a new CSS Project created in GCP through our terraform module. Those resources will have access to the customer project(s) denoted in the deployments parameters (projects_to_protect).

Once the projects are linked, GCP buckets will be made available to be scan through the CSS Console in the Protection > GCP Buckets page. You can select buckets to scan or run scans on a schedule basis.

We offer Retro and Event-Based scanning for GCP.

Event-based scanning scans files as they drop into the GCP Bucket.

1. Users or apps place files into Google Cloud Storage.

2. The Pub/Sub service has a Topic set up to notify whenever new objects are created in designated Buckets.

3. The Cloud Run Job's subscription to the Topic activates whenever a new file is created.

4. The Cloud Run Job accesses the designated Bucket and loads that new object in memory to scan.

5. Files in the protected Bucket are tagged with their scan result.

6. (Optional) The Cloud Run Job will move infected files to a Quarantine Cloud Storage that resides in CSS' Project.

7. Results are returned to the Console service for processing.

Retro-based scanning scans the entire GCP Bucket.

1. Users or apps place files into Google Cloud Storage.

2. The Console Service initiates a scan request to the Cloud Run service that resides in CSS' Project that is provisioned via Terraform.

3. The Cloud Run Job accesses the customer's Cloud Storage and loads a list of its objects in memory, procedurally scanning each item.

4. Results are returned to the Console service for processing.

5. (Optional) The Cloud Run Job will move infected files to a Quarantine Cloud Storage that resides in CSS' Project.

All scan results are logged in AWS CloudWatch logs Agent.ScanResults, Problem Files are reported in the console, and objects in Google Cloud Storage are tagged with the scan result as well via the file metadata.

Note that all of these resources and cross-permissions are only deployed inside of the CSS Project through Terraform. The rest of the organizations and projects inside of your GCP account remain untouched.