The Kaleido platform offers four optional integrations with AWS: Key Management Service (KMS), Log Streaming, VPC PrivateLink and S3 Backups. Additionally, Kaleido administrators can optionally create their organization as an “Enterprise” type and integrate their own user registry implementations, with Amazon Cognito acting as the access control layer for Kaleido.
- A KMS integration adds a further layer of security to a node’s private signing materials by encrypting any sensitive keys with a master encryption key controlled by the node owner. Kaleido stores only the signing key ciphertext; when the node needs to initialize, a single auditable Decrypt call is made to AWS KMS, authorized through the key policy and IAM permissions the node owner controls and recorded in CloudTrail.
- Log Streaming injects real-time node logs into Amazon CloudWatch, the AWS monitoring and management service. Combine the node logs with those of existing applications and business processes to quickly diagnose errors, improve performance and gain additional insights.
- A Virtual Private Cloud (VPC) PrivateLink endpoint allows the Kaleido network to be accessed privately, without traversing the public internet. Routing a node’s private communication layer over PrivateLink ensures that business-critical or sensitive traffic never leaves the AWS backbone. Nodes can be configured with hybrid ingress (public and private), allowing users to partition incoming data streams in accordance with their organizational and consortium mandates.
- Node backups into an S3 bucket provide an added layer of ledger persistence and give owners full access to a node’s ledger and key materials. Users can orchestrate workflows that call the /backup API at configured intervals, or manually extract the node data on a periodic basis. Because a backup contains key materials, the bucket should be protected as strictly as the signing keys themselves.
- A Kaleido Enterprise Organization allows Kaleido admins to customize and fully manage the “front door” into their Kaleido Org via an integration with Amazon Cognito. Admins and end users alike can authenticate to Kaleido only through the configured identity management system. As a result, a Kaleido admin can tie their Kaleido instance to existing user registries and trusted authentication schemes.
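The KMS integration’s value is that every use of the master key is auditable: node initialization should produce exactly one Decrypt call, by one expected principal. The following is an added example (not Kaleido’s own code) of checking that property against CloudTrail records. It assumes CloudTrail’s standard `Records` JSON layout; the key ARN, role ARNs and the events themselves are constructed sample data, including one denied Decrypt attempt by an unrelated role.

```python
"""Audit CloudTrail for KMS Decrypt calls against the master key that wraps a
node's signing material.

Added example, not Kaleido code. Assumes CloudTrail's standard "Records" JSON
layout; the key ARN, role ARNs and the events below are constructed sample data.
"""
import json

# Constructed: customer-managed master key that encrypts the node's signing key.
MASTER_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                  "1234abcd-12ab-34cd-56ef-1234567890ab")
# Constructed: the only role expected to decrypt with that key (node init).
ALLOWED_ROLE_ARN = "arn:aws:iam::111122223333:role/node-init-role"
# Constructed: an unrelated key and role used to show what should be ignored/flagged.
OTHER_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                 "99999999-aaaa-bbbb-cccc-dddddddddddd")
OTHER_ROLE_ARN = "arn:aws:iam::111122223333:role/ops-admin"


def _event(name, role_arn, key_arn, time, error=None):
    """Build a minimal CloudTrail record in the shape AWS delivers for KMS."""
    record = {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            # Assumed-role sessions appear as STS ARNs; the issuing role sits in sessionContext.
            "arn": role_arn.replace(":iam::", ":sts::").replace(
                ":role/", ":assumed-role/") + "/session",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role_arn}},
        },
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
    }
    if error:
        record["errorCode"] = error
    return record


# Constructed sample trail: the expected decrypt at node start, a denied attempt
# by an unrelated role, and two events that must not count against the master key.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("Decrypt", ALLOWED_ROLE_ARN, MASTER_KEY_ARN, "2024-03-01T10:00:01Z"),
    _event("Decrypt", OTHER_ROLE_ARN, MASTER_KEY_ARN, "2024-03-01T11:17:42Z",
           error="AccessDenied"),
    _event("GenerateDataKey", ALLOWED_ROLE_ARN, MASTER_KEY_ARN, "2024-03-01T10:00:00Z"),
    _event("Decrypt", ALLOWED_ROLE_ARN, OTHER_KEY_ARN, "2024-03-01T12:00:00Z"),
]})


def issuing_role(record):
    """Return the IAM role behind an assumed-role session, or the raw identity ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def decrypts_for_key(records, key_arn):
    """All Decrypt calls (successful or denied) that targeted key_arn."""
    return [
        r for r in records
        if r.get("eventSource") == "kms.amazonaws.com"
        and r.get("eventName") == "Decrypt"
        and any(res.get("ARN") == key_arn for res in r.get("resources", []))
    ]


def audit_decrypts(trail_json, key_arn, allowed_role_arn):
    """Return (decrypt_count, findings) for the master key.

    Findings cover denied attempts, successful decrypts by any principal other
    than the expected role, and more than one Decrypt overall, since node
    initialization should need exactly one.
    """
    records = json.loads(trail_json)["Records"]
    decrypts = decrypts_for_key(records, key_arn)
    findings = []
    for r in decrypts:
        role = issuing_role(r)
        if r.get("errorCode"):
            findings.append(f"{r['eventTime']} denied Decrypt by {role}: {r['errorCode']}")
        elif role != allowed_role_arn:
            findings.append(f"{r['eventTime']} Decrypt by unexpected principal {role}")
    if len(decrypts) > 1:
        findings.append(f"expected a single Decrypt, saw {len(decrypts)}")
    return len(decrypts), findings


if __name__ == "__main__":
    count, findings = audit_decrypts(SAMPLE_TRAIL, MASTER_KEY_ARN, ALLOWED_ROLE_ARN)
    print(f"Decrypt calls against master key: {count}")
    for finding in findings:
        print("FINDING:", finding)
```

The check keys on the role recorded in `sessionContext.sessionIssuer` rather than the session ARN, so any session name the node runtime chooses still matches, and it deliberately counts denied attempts: a refused Decrypt on the signing key’s master key is exactly the event a node owner wants surfaced.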
This section elaborates on each service and walks through the steps for creating and configuring the cloud resources. The cloud resources, with the exception of PrivateLink, are prerequisites for generating Kaleido configurations and provisioning nodes with the integration services enabled.