
This degree of automation is the ideal and remains a dream for many; Unique nevertheless works on providing the best risk mitigations possible. The more of this automation is implemented, the more secure the solution becomes overall.

Once more, remember that, depending on the Responsibilities (https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436536285/Get+started+with+a+445776026/Customer+Managed+Tenant#Responsibilities), it is up to one of the parties to mitigate this risk.

...

| Group | Content | High-level permissions |
|---|---|---|
| Main | Primary resources needed to run the solution, but no resources that contain data | The responsible party (Unique or the client, see Responsibilities) works mostly, if at all, within this resource group. |
| Sensitive | All customer data, which mainly consists of prompts and files, all embeddings of uploaded files, and the encryption keys | Unique should have the least possible privilege (and only JIT) to this group. Ideally no human should have more than minimal access to it; see Automation. |
| Audit | Centralised, tamper-safe audit logs of the solution | Unique and their workloads can only emit one-way into this resource group; there is no way to read. Modifications to this resource group should preferably be made only by the client or via Automation. |
| Vnet | Networking setup, of which some limited internet access is needed to pull the content of https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436536544 | Naturally, most clients prefer to administer this part of the infrastructure themselves, as it has a colossal security impact. If Unique is to take care of it, the Automation approach is recommended over any manual action. |
| Terraform | Stores Terraform states | Only a few individuals with a specific role, or the Automation, should have access to this group, since the state of the whole infrastructure is saved here. |
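The permission model in the table above, expressed as Terraform for the azurerm provider. This is an added illustration, not Unique's own deployment code: the resource group names, the custom role name `audit-sink-writer`, the region and the three principal object IDs (client operations group, Unique JIT group, workload identity) are placeholders chosen for the example. Built-in role names (`Contributor`, `Network Contributor`, `Storage Blob Data Contributor`) and the blob data actions are real Azure identifiers. The one-way audit sink is modelled as a custom role that carries only blob write/append data actions and no read, and deletion locks make the Audit and Sensitive groups harder to tamper with; JIT elevation for Unique on the Sensitive group is assumed to be handled by Entra PIM eligible assignments outside this file, so no standing assignment appears here.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder object IDs (constructed for this example). Real values come
# from Microsoft Entra ID: the client's operations group, Unique's JIT
# group and the managed identity the solution's workloads run under.
variable "client_ops_group_id"  { type = string }
variable "unique_jit_group_id"  { type = string }
variable "workload_identity_id" { type = string }

locals {
  location = "switzerlandnorth" # assumed region
  groups   = toset(["main", "sensitive", "audit", "vnet", "terraform"])
}

# One resource group per row of the table.
resource "azurerm_resource_group" "rg" {
  for_each = local.groups
  name     = "rg-tenant-${each.key}"
  location = local.location
}

# Main: the responsible party (here Unique's JIT group) may operate the
# platform resources, which by design hold no customer data.
resource "azurerm_role_assignment" "unique_main" {
  scope                = azurerm_resource_group.rg["main"].id
  role_definition_name = "Contributor"
  principal_id         = var.unique_jit_group_id
}

# Sensitive: no standing assignment for Unique at all; access is granted
# just-in-time via PIM (outside this file). Only deletion is blocked here.
resource "azurerm_management_lock" "sensitive_no_delete" {
  name       = "no-delete"
  scope      = azurerm_resource_group.rg["sensitive"].id
  lock_level = "CanNotDelete"
  notes      = "Customer data and keys: deletion requires removing the lock first"
}

# Audit: a write-only custom role. Workloads can emit blobs (write/append)
# but hold no read, list or delete data action, so logs flow one way.
resource "azurerm_role_definition" "audit_sink_writer" {
  name        = "audit-sink-writer" # hypothetical role name
  scope       = azurerm_resource_group.rg["audit"].id
  description = "Append audit records; no read or delete on blob data"

  permissions {
    actions = []
    data_actions = [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    ]
  }

  assignable_scopes = [azurerm_resource_group.rg["audit"].id]
}

resource "azurerm_role_assignment" "workload_emits_audit" {
  scope              = azurerm_resource_group.rg["audit"].id
  role_definition_id = azurerm_role_definition.audit_sink_writer.role_definition_resource_id
  principal_id       = var.workload_identity_id
}

# Only the client may change the audit group itself; a lock stops deletion.
resource "azurerm_role_assignment" "client_audit" {
  scope                = azurerm_resource_group.rg["audit"].id
  role_definition_name = "Contributor"
  principal_id         = var.client_ops_group_id
}

resource "azurerm_management_lock" "audit_no_delete" {
  name       = "no-delete"
  scope      = azurerm_resource_group.rg["audit"].id
  lock_level = "CanNotDelete"
}

# Vnet: administered by the client, matching the usual preference.
resource "azurerm_role_assignment" "client_vnet" {
  scope                = azurerm_resource_group.rg["vnet"].id
  role_definition_name = "Network Contributor"
  principal_id         = var.client_ops_group_id
}

# Terraform: state access limited to the client's designated operators.
resource "azurerm_role_assignment" "client_tfstate" {
  scope                = azurerm_resource_group.rg["terraform"].id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.client_ops_group_id
}
```

A useful check after `terraform apply` is to list the effective role assignments on the Audit group and confirm the workload identity appears only with the custom write-only role, never with a built-in role that includes `blobs/read`. The assignments in this file are the standing ones; any JIT grant on the Sensitive group should be an eligible, time-bound PIM assignment rather than a resource in Terraform, so that it cannot silently become permanent.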

...