Security posture

StrataBI Enterprise runs entirely inside your AWS account. Shaleio does not host, proxy, or receive your data — so most of your security posture is the posture of your own account, and StrataBI is built to fit cleanly inside it rather than around it. This page summarizes the controls StrataBI provides and the optional AWS-native integrations you can turn on.

Where your data lives

The application, its queries, its artifacts, and its dashboards all live in your account. There is no external tenant and no shared control plane handling your BI data. This means breach radius, data residency, retention, and key management are governed by your own account configuration — and that StrataBI never becomes a path for your data to leave your environment.

Identity and access

Authentication is bring-your-own: StrataBI sits behind your identity provider or auth proxy and recognizes the already-authenticated user from a trusted header. It does not store passwords. See Authentication & SSO.

Authorization is handled by role-based access control: pages, modules, and artifact downloads are gated per role, with a deny-by-default posture when RBAC is on.

Raw HTML is treated as a first-class risk. raw_html blocks render arbitrary markup, so when RBAC is enabled they require a dedicated Raw HTML permission for any regular dashboard; HTML from a governed module or a pinned (admin-curated) dashboard is exempt because it is already vetted. This keeps an untrusted dashboard author from injecting markup that runs in another user's session.

Network and transport

It defaults open — lock it down.

with the load balancer as the only ingress.

Supply chain

The runtime is distributed as an account-entitled, signed artifact and verified at fetch time; the container base image and Python package sources are parameterizable so you can pull from your own registry or mirror. See Container image & supply chain.

Optional AWS-native security integrations

StrataBI can turn on AWS's own security services for you, all off by default and opt-in per service. Enabling them increases security visibility without changing StrataBI's behavior; leaving them off is a no-op for existing deployments.

FlagServiceWhat it adds
enable_guarddutyAmazon GuardDutyContinuous threat detection across the account/region.
enable_inspectorAmazon InspectorVulnerability scanning of the StrataBI ECR image and Lambda functions.
enable_securityhubAWS Security HubAggregates findings (including GuardDuty and Inspector) into one view.

Once Security Hub and the detectors are on, GuardDuty and Inspector findings flow into Security Hub automatically. The integrations are idempotent and safe to reapply.

Caution
These services add cost. Enabling GuardDuty, Inspector, and Security Hub may increase your AWS bill. StrataBI does not charge for these services — AWS bills them directly to your AWS account. You are responsible for AWS service costs.

Coverage and limitations

organization-wide administration or advanced data-source settings. AWS permits one detector per account/region, so if GuardDuty is already enabled, import it or leave the flag off.

does not scan everything: Glue scripts stored in S3, the running Fargate task filesystem, and dashboard JSON are not covered. The core runs on Fargate, so EC2 scanning applies only if you run StrataBI workloads on EC2 (add EC2 to inspector_resource_types).

standards (CIS, AWS Foundational, etc.) — opt into those separately if you want them.

The implementation is modular: additional AWS security services (IAM Access Analyzer, AWS Config, Detective, and similar) can be added later following the same opt-in pattern.

Security assessments

Shaleio LLC will provide security assessments for the StrataBI runtime and for modules upon request. If you need a review of the runtime, a specific module, or your deployment posture before or after go-live, contact us at info@shaleio.com.