Self-Hosted
Learn how to deploy Autoblocks on your own infrastructure.
Autoblocks offers self-hosted deployments through our partnership with Omnistrate, enabling you to run Autoblocks in your own cloud environment and preferred region. With our bring your own account (BYOA) model, you maintain complete data sovereignty while we handle the operational complexity. Our deployment automatically scales based on your usage patterns, includes automated backups for disaster recovery, and maintains high availability across multiple availability zones—all without requiring any operational overhead from your teams. Our control plane is designed with security in mind, operating with limited, precisely-scoped access to only manage the resources required for your Autoblocks deployment.
Account Setup
To establish a secure connection between your AWS account and our control plane, we provide a CloudFormation template that creates the minimum required IAM policies with precisely scoped permissions. These policies enable secure, automated management of your Autoblocks deployment while adhering to the principle of least privilege.
Creating the Autoblocks Deployment
Once your cloud provider account is configured with the necessary permissions, you can deploy Autoblocks in your preferred cloud provider and region with just a few clicks through our BYOA portal. The portal provides real-time visibility into your deployment’s health and performance metrics. Our team handles all maintenance, including security updates and version upgrades, ensuring your deployment stays current and performant without any operational overhead from your team.
Integration Security
Our integration follows security best practices, with strictly limited permissions scoped to essential infrastructure components:
We maintain a focused set of permissions that only cover necessary AWS services: EC2, EKS, Elastic Load Balancing, VPC, and minimal IAM operations. For components like the AWS Load Balancer Controller, we implement standard open-source IAM policies from the official Kubernetes SIG repository.
To ensure these boundaries cannot be exceeded, we implement multiple layers of security controls:
- A permissions boundary (OmnistrateBootstrapPermissionsBoundary) that prevents the creation of any IAM roles or policies beyond the initial permitted set
- Resource tagging restrictions that limit iam:PassRole operations to only Autoblocks-managed roles
  - 'aws:ResourceTag/omnistrate.com/managed-by': 'omnistrate'
- The OmnistrateInfrastructureProvisioningPolicy includes explicit conditions preventing access to IAM policies outside our scope
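As an added example (not Autoblocks' or Omnistrate's own code), the Python check below reviews an IAM policy document and reports every Allow statement that grants iam:PassRole without pinning the managed-by tag condition listed above. The sample policy and its Sids are constructed for illustration and are not the contents of the real CloudFormation template.

```python
import fnmatch

# Condition key and value quoted on this page; IAM condition keys are case-insensitive.
TAG_KEY = "aws:ResourceTag/omnistrate.com/managed-by"
TAG_VALUE = "omnistrate"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants_passrole(stmt):
    """True if an Allow statement's action patterns cover iam:PassRole."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:  # Allow + NotAction grants everything not excluded
        excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
        return not any(fnmatch.fnmatchcase("iam:passrole", p) for p in excluded)
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase("iam:passrole", p) for p in actions)

def tag_scoped(stmt):
    """True only if StringEquals pins the managed-by tag to exactly 'omnistrate'."""
    equals = stmt.get("Condition", {}).get("StringEquals", {})
    for key, value in equals.items():
        if key.lower() == TAG_KEY.lower():
            return _as_list(value) == [TAG_VALUE]
    return False  # includes StringEqualsIfExists, which also matches untagged roles

def unscoped_passrole(policy):
    """Return the Sid (or index) of each statement granting untagged PassRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if grants_passrole(stmt) and not tag_scoped(stmt):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policy, for illustration only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*", "Condition": {"StringEquals": {TAG_KEY: "omnistrate"}}},
        {"Sid": "WildcardIam", "Effect": "Allow",
         "Action": ["ec2:Describe*", "iam:Pass*"], "Resource": "*"},
        {"Sid": "IfExistsIsWeaker", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*", "Condition": {"StringEqualsIfExists": {TAG_KEY: "omnistrate"}}},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "eks:DescribeCluster", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(unscoped_passrole(SAMPLE_POLICY))
```

The same function can be pointed at the policy JSON exported from your own account to confirm the tag restriction is present before granting access.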
While we can implement additional restrictions based on your security requirements, this may impact our ability to provide comprehensive support and maintenance. Our current permission set represents the optimal balance between security and operational efficiency.