AWS Guardrail Compatibility Guidance
VeloDB BYOC is designed to operate within customer-controlled AWS environments and is compatible with common enterprise governance, security, and compliance controls. This document provides guidance regarding AWS guardrails that may be applied to a VeloDB BYOC deployment, identifies controls that are supported, and highlights restrictions that may affect provisioning, scaling, upgrades, backup, monitoring, recovery, or support operations if configured in a manner that prevents required AWS functionality.
Customers are encouraged to review proposed governance controls with VeloDB prior to production deployment to ensure that operational requirements remain compatible with organizational security policies and compliance standards.
Architectural Overview
Under the BYOC deployment model, all data plane resources are deployed within AWS accounts owned and controlled by the customer. Customers retain ownership of the underlying cloud infrastructure and continue to manage their own networking, security, compliance, and governance controls.
VeloDB is designed to operate alongside standard AWS governance mechanisms, including Service Control Policies (SCPs), permission boundaries, AWS CloudTrail, AWS Config, Amazon EventBridge, customer-managed AWS KMS keys, tagging policies, regional deployment restrictions, and private networking architectures. These controls are fully supported provided they continue to allow the AWS services, APIs, permissions, and network connectivity required for normal lifecycle management of the deployment.
Customer-Owned Security and Governance Controls
VeloDB follows a customer-owned security model. Customers retain administrative ownership and operational control of their AWS environment, including Security Groups, Network ACLs, Route Tables, Service Control Policies, Permission Boundaries, KMS keys, CloudTrail configurations, AWS Config rules, and EventBridge monitoring policies.
As part of normal operations, VeloDB does not modify customer-managed Security Groups, Network ACLs, or Route Tables. Customers may implement governance controls, monitoring policies, and compliance requirements that align with their internal security standards, provided those controls do not restrict the AWS resources, permissions, or connectivity required for VeloDB lifecycle operations.
IAM and Cross-Account Access Requirements
VeloDB BYOC uses a customer-created cross-account IAM role to perform lifecycle management activities within the customer AWS account. This role is used to provision, manage, monitor, scale, upgrade, and recover VeloDB-managed infrastructure components.
The deployment role follows the principle of least privilege and is limited to permissions required for deployment lifecycle management. Required capabilities may include management of compute resources, storage resources, networking components, monitoring integrations, and backup-related services.
The precise IAM permissions and trust relationships required for deployment are documented in the Deployment credential (cross-account IAM role) section of the VeloDB BYOC deployment guide and can also be provided upon request.
Organizations may apply permission boundaries and additional IAM governance controls, provided those controls do not remove permissions required by the VeloDB deployment role. Restrictive permission boundaries that prevent required actions may interfere with cluster provisioning, capacity scaling, software upgrades, backup workflows, disaster recovery procedures, and other lifecycle management operations.
Service Control Policies (SCPs)
VeloDB supports deployment within AWS Organizations environments that enforce Service Control Policies. Customers may use SCPs to restrict AWS service usage, limit administrative actions, enforce regional deployment requirements, or implement organization-wide governance standards.
VeloDB does not require organization-wide administrative exemptions from SCP enforcement. However, SCPs must continue to permit access to AWS services required by the deployment. Depending on the selected architecture and enabled features, these services may include Amazon EC2, Amazon EBS, Elastic Load Balancing, AWS IAM, Amazon S3, AWS KMS, Amazon CloudWatch, and other supporting AWS services used during normal operations.
Blocking or restricting required APIs may prevent initial provisioning, cluster expansion, software upgrades, backup execution, infrastructure recovery, or ongoing operational management. Customers are therefore encouraged to validate SCP configurations against documented VeloDB operational requirements prior to deployment.
Regional, Networking, and Infrastructure Restrictions
Regional Deployment Controls
VeloDB supports deployment within customer-approved AWS regions and is compatible with regional governance controls enforced through SCPs, IAM policies, or internal compliance standards.
Customers may restrict deployment activities to designated AWS regions. However, all AWS services and resources required by the selected deployment architecture must remain available within the approved region. Restrictions that block access to the designated deployment region may prevent provisioning and lifecycle management activities.
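One way to pre-check an SCP before deployment, covering both the service restrictions and the region restrictions described above. This is an added example, not VeloDB code: the policy is constructed, and `REQUIRED_ACTIONS` is a placeholder list to be replaced with the actions from the deployment guide. It models explicit `Deny` statements only and assumes an allowing SCP such as `FullAWSAccess` is still attached.

```python
import fnmatch

# Constructed SCP for illustration: a region lock plus a KMS deny.
SAMPLE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*", "sts:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
    {"Sid": "NoKeyAdmin", "Effect": "Deny", "Resource": "*",
     "Action": ["kms:ScheduleKeyDeletion", "kms:CreateGrant"]},
]}

# Placeholder list (assumption): replace with the actions in the deployment guide.
REQUIRED_ACTIONS = ["ec2:RunInstances", "ec2:CreateVolume",
                    "elasticloadbalancing:CreateLoadBalancer", "iam:PassRole",
                    "s3:PutObject", "kms:CreateGrant", "cloudwatch:PutMetricData"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))

def _condition_applies(condition, region):
    """True/False for region conditions; None for conditions not modelled here."""
    for op, body in (condition or {}).items():
        for key, values in body.items():
            if key.lower() != "aws:requestedregion" or op not in (
                    "StringEquals", "StringNotEquals"):
                return None
            if (region in _as_list(values)) != (op == "StringEquals"):
                return False
    return True

def blocked_actions(scp, required, region):
    """Return {action: [(Sid, 'denied' | 'review'), ...]} for explicit Deny hits."""
    findings = {}
    for stmt in _as_list(scp["Statement"]):
        applies = _condition_applies(stmt.get("Condition"), region)
        if stmt.get("Effect") != "Deny" or applies is False:
            continue
        for action in required:
            hit = (_matches(action, stmt["Action"]) if "Action" in stmt
                   else not _matches(action, stmt.get("NotAction", [])))
            if hit:
                verdict = "denied" if applies else "review"
                findings.setdefault(action, []).append((stmt.get("Sid", "?"), verdict))
    return findings
```

Calling `blocked_actions(SAMPLE_SCP, REQUIRED_ACTIONS, "eu-west-1")` reports only the `kms:CreateGrant` deny, while the same call for a region outside the lock reports every non-IAM action. A `review` verdict marks a Deny whose condition (for example a principal exemption) has to be checked by hand.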
VPC and Subnet Restrictions
VeloDB is designed to operate within customer-managed VPC environments and supports deployment into customer-approved subnets and network segments. Customers may enforce network segmentation, subnet restrictions, and routing controls consistent with their security architecture.
To ensure successful operation, approved subnets must provide sufficient IP address capacity, required Availability Zone coverage, and network connectivity necessary for deployment components to communicate with one another. Overly restrictive networking controls may interfere with cluster creation, scaling activities, load balancer deployment, private connectivity configurations, or other infrastructure management operations.
Resource Naming and Tagging Policies
VeloDB supports customer-defined resource naming conventions and tagging standards. Organizations may enforce mandatory tagging requirements for cost allocation, ownership tracking, environment classification, operational governance, or compliance purposes.
Provided that required resources can still be created and managed, VeloDB can operate within environments that enforce mandatory tagging policies through SCPs, AWS Config rules, tag policies, or other governance mechanisms.
Encryption and Key Management
VeloDB supports both AWS-managed encryption and customer-managed AWS KMS keys. Organizations that require customer-controlled encryption may configure customer-managed keys for supported services and storage resources.
To maintain uninterrupted operation, customer-managed KMS keys must remain enabled and accessible to the AWS resources and IAM roles participating in the deployment. Both automatic and manual KMS key rotation are supported and recommended as part of standard security practice.
Operational issues may occur if active encryption keys are disabled, deleted, scheduled for deletion, or modified in a manner that removes permissions required by the deployment. Such changes may affect encrypted storage volumes, snapshots, backup operations, recovery workflows, and other encrypted resources managed by the deployment.
S3 Storage Requirements
Where Amazon S3 is used for backup, recovery, or operational storage functions, VeloDB supports customer-managed buckets and customer-managed encryption controls.
Customers may enforce bucket policies, access controls, encryption requirements, versioning policies, and monitoring controls in accordance with organizational standards. Bucket versioning is recommended to improve recoverability and operational resilience.
Restrictions that prevent required read, write, or recovery operations may impact backup execution, restoration procedures, or other operational workflows that depend on S3 storage. The S3 bucket and the associated access policy required by the deployment are described in the Data credential (S3 bucket + IAM role) section of the VeloDB BYOC deployment guide.
Monitoring, Audit, and Compliance Integration
VeloDB is designed to operate alongside standard AWS monitoring and compliance services and is fully compatible with customer-managed audit and governance programs.
AWS CloudTrail
Customers are encouraged to enable CloudTrail logging across all AWS regions and monitor AWS API activity associated with VeloDB-managed infrastructure. Recommended monitoring areas include IAM role assumptions, EC2 lifecycle operations, EBS volume management, load balancer configuration changes, S3 access activity, and KMS operations.
AWS Config
AWS Config may be used to continuously evaluate resource compliance, detect configuration drift, and enforce governance requirements. Common use cases include monitoring IAM changes, public resource exposure, KMS policy modifications, tagging compliance, and security posture validation.
Amazon EventBridge
Customers may integrate EventBridge with existing monitoring and incident response processes to generate alerts for infrastructure changes, IAM modifications, KMS key state transitions, S3 policy changes, instance lifecycle events, and other operational activities relevant to the deployment.
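A sketch of the KMS monitoring described above, applied to CloudTrail records: it flags calls that disable a key, schedule it for deletion, or change its policy or grants, and separates calls that succeeded from calls that were denied. This is an added example, not VeloDB code; the key ARN, principals, and records are constructed, and the records are trimmed to the fields used.

```python
# KMS API calls that change a key's state or who can use it.
KEY_RISK_EVENTS = {
    "DisableKey": "key disabled",
    "ScheduleKeyDeletion": "key scheduled for deletion",
    "PutKeyPolicy": "key policy modified",
    "RevokeGrant": "grant revoked",
    "RetireGrant": "grant retired",
}

# Hypothetical key ARN (assumption): list the keys your deployment uses.
KEY = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
ACCT = "arn:aws:iam::111122223333"

def _rec(name, key_arn, actor, error=None):
    """Build a constructed, trimmed CloudTrail record for the sample below."""
    rec = {"eventTime": "2024-01-01T00:00:00Z",
           "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": actor},
           "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}
    if error:
        rec["errorCode"] = error  # present only when the call failed
    return rec

SAMPLE_RECORDS = [
    _rec("DisableKey", KEY, f"{ACCT}:user/alice"),
    _rec("ScheduleKeyDeletion", KEY, f"{ACCT}:user/bob", "AccessDenied"),
    _rec("Decrypt", KEY, f"{ACCT}:role/app"),               # routine use, ignored
    _rec("PutKeyPolicy", KEY.replace("EXAMPLE", "OTHER"), f"{ACCT}:user/alice"),
]

def triage(records, watched):
    """Return one alert per risky KMS call that touches a watched key ARN."""
    alerts = []
    for rec in records:
        reason = KEY_RISK_EVENTS.get(rec.get("eventName"))
        if rec.get("eventSource") != "kms.amazonaws.com" or reason is None:
            continue
        arns = {r.get("ARN") for r in rec.get("resources", [])
                if r.get("type") == "AWS::KMS::Key"}
        for arn in sorted(arns & set(watched)):
            alerts.append({"key": arn, "reason": reason,
                           "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
                           "took_effect": "errorCode" not in rec,
                           "time": rec.get("eventTime")})
    return alerts
```

Matching on the `resources` ARN rather than the request parameters avoids missing calls that referenced the key by alias or bare key ID.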
Connectivity Requirements
VeloDB supports private networking architectures and is compatible with connectivity models such as AWS PrivateLink and customer-controlled private network designs.
Customers may restrict inbound public access where appropriate. VeloDB does not require inbound public network access to customer-managed infrastructure for normal operations.
However, outbound connectivity required by deployment components must remain available. Depending on the deployment architecture, outbound communication may be required for monitoring, alerting, software distribution, support operations, and reverse tunnel connectivity when enabled.
Deployment-specific endpoint requirements can be provided upon request.
Operational Considerations
The following categories of restrictions are the most common causes of deployment or operational issues within highly governed AWS environments:
- Removal of permissions required by the VeloDB deployment role
- Service Control Policies that block required AWS APIs
- Permission boundaries that restrict lifecycle management operations
- Disabled, deleted, scheduled-for-deletion, or inaccessible KMS keys
- S3 access controls that prevent backup or recovery operations
- Network controls that block required connectivity paths
- Insufficient subnet capacity or Availability Zone coverage
- Restrictions that prevent creation or modification of compute, storage, networking, or load-balancing resources required by the deployment
Customers should validate proposed governance controls against VeloDB operational requirements prior to production deployment.
Recommended Guardrails
VeloDB recommends that production deployments adopt a layered governance model that includes:
- AWS CloudTrail enabled across all regions
- AWS Config compliance monitoring
- EventBridge alerting for IAM, KMS, networking, and infrastructure changes
- Customer-managed AWS KMS keys
- Mandatory resource tagging policies
- Approved regional deployment controls
- Least-privilege IAM controls
- Service Control Policies and permission boundaries validated against documented VeloDB operational requirements
Compatibility Summary
| AWS Guardrail | Compatibility | Guidance |
|---|---|---|
| Service Control Policies (SCPs) | Supported with conditions | Required AWS services and APIs must remain available. |
| Permission Boundaries | Supported with conditions | Must not remove permissions required by the VeloDB deployment role. |
| AWS CloudTrail | Fully Supported | Recommended for auditing AWS API activity associated with VeloDB-managed infrastructure. |
| AWS Config | Fully Supported | Recommended for compliance monitoring and configuration drift detection. |
| Amazon EventBridge | Fully Supported | Recommended for alerts related to IAM, KMS, networking, and infrastructure changes. |
| Customer-Managed AWS KMS Keys | Supported with conditions | Keys must remain enabled and accessible to required AWS resources and IAM roles. |
| Resource Tagging Policies | Supported with conditions | Policies must permit required resources to be created and managed. |
| Regional Deployment Restrictions | Supported with conditions | Required AWS services and resources must remain available within approved regions. |
| VPC and Subnet Restrictions | Supported with conditions | Approved subnets must provide sufficient capacity, Availability Zone coverage, and required connectivity. |
| Private Networking Architectures | Supported with conditions | Required control-plane and operational connectivity must remain available. |
Conclusion
VeloDB is designed to operate within customer-controlled AWS environments while remaining compatible with common enterprise governance, security, and compliance controls. Most AWS guardrails can be adopted without impacting normal operations, provided that required AWS permissions, services, and connectivity remain available.
VeloDB recommends validating proposed AWS guardrail configurations prior to production deployment. Upon request, VeloDB can review customer governance controls and identify potential compatibility considerations related to provisioning, scaling, upgrades, backup, monitoring, recovery, and support operations.