Security posture
StrataBI Enterprise runs entirely inside your AWS account. Shaleio does not host, proxy, or receive your data — so most of your security posture is the posture of your own account, and StrataBI is built to fit cleanly inside it rather than around it. This page summarizes the controls StrataBI provides and the optional AWS-native integrations you can turn on.
Where your data lives
The application, its queries, its artifacts, and its dashboards all live in your account. There is no external tenant and no shared control plane handling your BI data. This means breach radius, data residency, retention, and key management are governed by your own account configuration — and that StrataBI never becomes a path for your data to leave your environment.
Identity and access
Authentication is bring-your-own: StrataBI sits behind your identity provider or auth proxy and recognizes the already-authenticated user from a trusted header. It does not store passwords. See Authentication & SSO.
Authorization is handled by role-based access control: pages, modules, and artifact downloads are gated per role, with a deny-by-default posture when RBAC is on.
Raw HTML is treated as a first-class risk. raw_html blocks render arbitrary markup, so when RBAC is enabled they require a dedicated Raw HTML permission for any regular dashboard; HTML from a governed module or a pinned (admin-curated) dashboard is exempt because it is already vetted. This keeps an untrusted dashboard author from injecting markup that runs in another user's session.
Network and transport
- IP allow-listing (
allowed_ip_cidrs) restricts who can reach the load balancer.
It defaults open — lock it down.
- HTTPS/TLS is available via an ACM certificate on the ALB (
enable_https). - Private subnets (
enable_private_subnets) keep the ECS tasks off public networks,
with the load balancer as the only ingress.
Supply chain
The runtime is distributed as an account-entitled, signed artifact and verified at fetch time; the container base image and Python package sources are parameterizable so you can pull from your own registry or mirror. See Container image & supply chain.
Optional AWS-native security integrations
StrataBI can turn on AWS's own security services for you, all off by default and opt-in per service. Enabling them increases security visibility without changing StrataBI's behavior; leaving them off is a no-op for existing deployments.
| Flag | Service | What it adds |
|---|---|---|
enable_guardduty | Amazon GuardDuty | Continuous threat detection across the account/region. |
enable_inspector | Amazon Inspector | Vulnerability scanning of the StrataBI ECR image and Lambda functions. |
enable_securityhub | AWS Security Hub | Aggregates findings (including GuardDuty and Inspector) into one view. |
Once Security Hub and the detectors are on, GuardDuty and Inspector findings flow into Security Hub automatically. The integrations are idempotent and safe to reapply.
Coverage and limitations
- GuardDuty turns on account/region threat detection. StrataBI does not modify
organization-wide administration or advanced data-source settings. AWS permits one detector per account/region, so if GuardDuty is already enabled, import it or leave the flag off.
- Inspector scans the StrataBI ECR image and Lambda functions by default. It
does not scan everything: Glue scripts stored in S3, the running Fargate task filesystem, and dashboard JSON are not covered. The core runs on Fargate, so EC2 scanning applies only if you run StrataBI workloads on EC2 (add EC2 to inspector_resource_types).
- Security Hub ingests findings but does not enable the default security
standards (CIS, AWS Foundational, etc.) — opt into those separately if you want them.
The implementation is modular: additional AWS security services (IAM Access Analyzer, AWS Config, Detective, and similar) can be added later following the same opt-in pattern.
Security assessments
Shaleio LLC will provide security assessments for the StrataBI runtime and for modules upon request. If you need a review of the runtime, a specific module, or your deployment posture before or after go-live, contact us at info@shaleio.com.
Shaleio