
Cloud AWS Setup

The remote execution cluster is designed to be set up within a dedicated AWS account. This allows for easy accounting of cloud costs and auditing within an account, and keeps its cloud resources isolated from other cloud resources. We offer two options:

  1. You can provide a subaccount to EngFlow and grant us access. This method can take advantage of any reserved compute discounts or AWS credits you have.
  2. EngFlow can fully manage an AWS account for you and regularly bill you for the cloud costs incurred.

We recommend the first option.

A remote execution cluster is generally set up within a dedicated AWS account. This allows for easy accounting of cloud costs and auditing. EngFlow can fully manage an AWS account for you and pass the cloud costs through. Or, you can provide a subaccount to EngFlow. The latter method can take advantage of any reserved compute discounts or AWS credits you have.

Security model

An AWS EngFlow Remote Execution cluster is completely private. No customer data enters or leaves the AWS account except:

  • through a gRPC endpoint that build tools like Bazel communicate with, and
  • (if enabled) an HTTPS endpoint for the web build UI.

Build tools use authentication and TLS to contact the cluster. The web UI supports several modes of SSO authentication. It is possible to create an AWS VPC endpoint for the remote execution cluster so that only specific networks, such as the VPC containing your CI, can reach it.

No external resources (such as public internet access) are required by the EngFlow software. However, if your builds access the internet or private resources, the cluster will have to have access to them. For example:

  • your builds may require Docker images from a private Docker registry or access to artifact repositories.
  • your builds may call out to external resources to fetch dependencies.
  • your tests may call out to external resources to run.

To allow EngFlow engineers to deploy and maintain the remote execution service, an AWS account owned by EngFlow must be given access to assume an administrative role within the AWS account. This access is only required for the specific AWS account dedicated to EngFlow. Any wider organization-level auditing and logging policies still apply.
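As an added example (not EngFlow's own configuration or tooling), the following Python builds the trust policy for that administrative role so that it can only be assumed from one trusted AWS account, and includes a small check that flags trust policies which are broader than that. The account ID and external ID are placeholders; the `sts:ExternalId` condition is an assumption of this example, a standard AWS mechanism for cross-account roles that the page itself does not mention.

```python
import json
from typing import List, Optional, Set

# Constructed placeholders: the real EngFlow-owned account ID and the external
# ID are agreed with EngFlow, not taken from this example.
ENGFLOW_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "REPLACE-WITH-EXTERNAL-ID-AGREED-WITH-ENGFLOW"


def engflow_admin_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the administrative role that EngFlow engineers assume.

    Only principals in the single trusted account may call sts:AssumeRole, and
    only when they present the agreed external ID (assumed here, not stated on
    the page).  Everything else the role can do is governed by its permission
    policies, not by this trust policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


# Constructed example of a trust policy that any AWS account could assume.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value) -> list:
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal: str) -> Optional[str]:
    """Extract the 12-digit account ID from an IAM principal ARN or bare ID."""
    parts = principal.split(":")
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    if len(principal) == 12 and principal.isdigit():
        return principal
    return None


def trust_policy_findings(policy: dict, allowed_accounts: Set[str]) -> List[str]:
    """Return one finding per way an Allow/AssumeRole statement is too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            acct = account_of(p)
            if p == "*" or acct is None:
                findings.append(f"statement {i}: principal {p!r} is not a single AWS account")
            elif acct not in allowed_accounts:
                findings.append(f"statement {i}: account {acct} is not in the allow-list")
        cond = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike")
        )
        if not has_external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    hardened = engflow_admin_trust_policy(ENGFLOW_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(hardened, indent=2))
    print("hardened:", trust_policy_findings(hardened, {ENGFLOW_ACCOUNT_ID}))
    print("broad:", trust_policy_findings(OVERLY_BROAD_POLICY, {ENGFLOW_ACCOUNT_ID}))
```

The check is intended to run over the trust policies of every role in the dedicated account (for example, the output of `aws iam get-role`), so that the only role assumable from outside the account is the one for EngFlow and it is restricted to EngFlow's account. Because the page notes that organization-level auditing still applies, the `AssumeRole` calls made under this policy appear in CloudTrail with the trusted account as the caller, which is what to alert on if they arrive from anywhere else.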