The topic contains the answers for the most typical questions, related to the security in Cloud.

This topic contains the following sections:

What are the documents describing infrastructure protection in Cloud?

EPAM Cloud is a service with high level of security and data protection. The following resources contain all the information on the subject:

- Security Certifications - General overview of EPAM Cloud security approaches. Here, you can also find the document on security audit we passed last year.
- EPAM Cloud Terms and Conditions - the document covers the main terms and definitions of EPAM Cloud Service, the parties obligations, responsibilities and rights, and includes Security and Data Safety points (Section 4.2)
- Cloud Networking Service - the page provides information on network protection
- Maestro User Guide - the guide includes the description of security approaches
- Maestro CLI User Guide - describes the list of security-related commands available for EPAM Cloud users (Section 6)

We are also constantly updating our security tools and describing these changes in our What's New documents, stored here.

What are the high availability guarantees in EPAM Cloud?

EPAM Cloud is a part of EPAM ecosystem, and it meets the requirements of all the security certifications and standardizations that EPAM has passed. In brief, Cloud security is based on the following points:

EPAM Cloud is first of all a development platform, which is not designed for production hosting. Disaster recovery and high availability for specific VMs are not the top priority of the service. The main aim is to provide a set of services for convenient development - Cloud Computing, Auto Configuration, Monitoring, statistics gathering and others.

However, you should remember that EPAM Cloud is a hybrid solution. If the client needs high availability, we would recommend to activate a zone in Amazon and use it as a staging environment for the demos.

How are my data in Cloud protected?

EPAM Cloud is a part of EPAM ecosystem, and it meets the requirements of all the security certifications and standardizations that EPAM has passed. In brief, Cloud security is based on the following points:

- EPAM Orchestration permissions management system is based on UPSA. Each user has the rights provided for them on a specific project. The rights are basically determined by the user's project role, but they can be extended or restricted by Project coordinator, if needed.
- The access to Cloud resources is granted only to the users assigned to the project and is based on Active Directory solution. If a user quits the project, their account in Cloud is automatically removed within 24 hours and they do not have any further access to the project resources.
- All the servers running in EPAM Cloud have software allowing system administrators and members of the Security group detect the system vulnerabilities.
- If a project has a need of using a specially protected environment, the project resources can be moved into VLAN, specially created for this project. In this case, the VMs moved to VLAN are combined into a separate network available only for the project users.
- In case the project uses VLAN, EPAM network engineers can configure the network so that the project network will become a part of the client's one.
- If the client has system engineers with appropriate expertise, it is also possible to activate an Amazon region for a project, and create a Virtual Private Network (VPC) there, so that it will be managed and controlled by the client’s system engineers who grant the necessary access to EPAM employees on request.

How can I provide access to EPAM Cloud for an external user?

You can grant access to an external user with the help of a simple user account. To create a simple user account, submit a request to the Cloud Support team. Please be aware that:

- A simple user account is linked to a specific project.

- A simple user account creation should be approved by the Project Manager.

- A simple user account has limited access to EPAM Cloud, and the set of the provided permissions is based on the details of the user creation request.

- A simple user account expires in 12 months after creation. However, you may prolong it by request to the Cloud Support Team.

Can Customer maintain security devices within its own cloud environment?

Currently, there are three solutions allowing customers to use their equipment within EPAM Cloud:

Creating a specific region, based on Customer's hardware (e.g., EPAM-SAP region)

Hosting customer's hardware devices in EPAM Cloud (assigning them to EPAM-HW1 region)

If the customer is interested in one of these options, or a combination of them, we can provide it by request. Please contact Dzmitry Pliushch, who is EPAM Cloud Change Manager, and he will coordinate the necessary processes.

How can I set up the access for external CI/CD tools for my project?

The access for external CI/CD tools like Jenkins is allowed via a service account. It can be created by request to the Cloud L1.5 Team and should comply the following syntax:


The access is provided to a service account by a unique UID, created by EPAM Orchestrator based on the account's credentials, and stored into a special ( file and in Orchestration's database.

Please be aware that the UID generated by EPAM Orchestrator gets expired in 12 months and the user cannot access Orchestrator with this UID, until it is updated.

It should be changed by the account owner each 12 months.

Describe whether and how you support data protection with external cloud based encryption and file level protection (such as DRM)?

File-level data protection and encryption is the responsibility of each project team. This is one of the points of EPAM Cloud Terms and Conditions document.

In addition, the basic principles on the security assurance are given on our Security Certifications page

What are your SSH keys management policies?

EPAM Cloud provides a set of commands for key management (See Maestro CLI User guide, Section 6: Security and Connection). These commands are available only for authorized users. EPAM Cloud retrieves information about existing users from UPSA once a day. Users sign in to EPAM Cloud using their domain credentials and EPAM SSO. UPSA users have roles and EPAM Cloud has default permission mapping for those roles (See User Permissions page). This way, only an authorized user that has enough permissions can use key management functionality. In addition, EPAM Cloud keeps log of every operation including key management with regard to who performed it.

Do you enable your tenant to manage their own keys?

Yes. EPAM Cloud allows key management operations on per-tenant basis.

Describe your key management processes to ensure secure storage of keys. How are the keys protected during generation and disposal?

An authorized user can create a new key only using EPAM Cloud Maestro CLI. CLI is an application located on user's workstation. CLI creates private part of the key and stores it on user's workstation. Private part of the key is not transmitted via network. The user is responsible for the private part of his key. CLI creates a corresponding public part of the key and sends it to EPAM Cloud Orchestrator server. CLI does not store any information about keys after creation. EPAM Cloud Orchestrator stores meta information about all created keys. Once a user gets dismissed or leaves a project (tenant), EPAM Cloud Orchestrator gathers information about the user's assets (including keys) and sends report to project (tenant) coordinators. At this point project members can either remove those assets or reassign them to other users. EPAM Cloud Orchestrator keeps log of every operation including user dismissal, user project change, resource deletion.

Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Each action the user performs on infrastructure is logged. One can get the events information using the or2audit Maestro CLI command, and the Audit page on Cloud Management console. Each event item description includes the information on the project (tenant) where the event occurred, event type, initiator or trigger, time, results, influenced resource. All the events are divided into six groups:

- Default - resource-related events

- ACS - auto-configuration events

- Hardware - events on hardware dedicated instances

- Maestro Stack - events related to Maestro Stacks usage

- Project - events related to AWS/Azure console access attempts and static IPs manipulations

- Jenkins/Docker/IAM - the events related to the respective service usage

The details on project event audit are given in the Account Management Guide (Section 6, Resources Audit).

Do you allow tenants to opt-out of having their data/metadata accessed via content inspection technologies?

Yes (by using a tenant-dedicated VLAN).

By default, all the VMs run in EPAM regions, are created in a default VLAN (Virtual Local Area Network). This gathers them within internal EPAM network and makes them inaccessible from Internet.

There is an opportunity to put the VMs assigned to your project (tenant) in a specific VLAN that can be created by request to the Help Desk. After a VM is moved to a custom VLAN, it cannot be put back to the default one.

Login to EPAM-based VMs can be performed only with the Domain Credentials, which are unique and personal for each user (EPAM employee). If a user is not assigned to a project, they cannot access this project's VMs.

There are no common default credentials for VMs in EPAM regions.

AWS-based instances can be put to VPCs (Amazon Virtual Private Cloud) to ensure higher network safety.

Do you specifically train your employees regarding their role vs. the tenant's role in providing information security controls?

The responsibilities of EPAM Cloud and project teams are described in EPAM Cloud Terms and Conditions document.

Each user has a specific set of cloud-related permissions, which depends on their project role. Any permission changes can be performed by project manager/coordinator or account manager, who can modify permission settings for a specific user on the project or for all users having a specific project role. The Account Management Guide (Section 5, User Permissions) provides the detailed information on the subject.

In the past six months the Cloud Consulting team delivered a number of trainings for project/account managers, aimed to help them improve their expertise in account management in Cloud.

Moreover, our Consulting group provides express training services for emergency cases, when it is necessary to quickly share the Cloud management knowledge with project management members. In case such training is needed, feel free to contact Svitlana Podkopaieva directly.

Do you provide tenants with a role definition document clarifying your administrative responsibilities vs. those of the tenant?

Yes, this information is provided in EPAM Cloud Terms and Conditions document.

Do you integrate customized tenant requirements into your security incident response plans?

Some Cloud-related facilities are implemented as a self-service. However, the most significant and security critical steps are performed by request on EPAM Support Portal.

Besides this, the 24/7 Support group provides necessary help within the scope of responsibilities defined by EPAM Cloud Terms and Conditions document.

Do you provide tenants with documentation that describes scenarios where data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)?

Data movement from one location to another can be performed by the request from the project manager/coordinator (Move VM to another Project). In CSA-based regions a VM can be moved to a different VLAN using the or2mivlan command. For more details please refer to the Cloud Networking Service page.

According to the EPAM Cloud Terms and Conditions, the backup, replication and business continuity failover strategies are in scope of project teams responsibility.

Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?

When submitting a Project Activation Request, project manager specifies the regions in which the project should be activated.

Each region corresponds to its own geographic location. The full list of EPAM Cloud regions is given on this page (Pricing section).

In addition, the project manager/coordinator can use Cloud tools to control project expenses in each specific region (See Account Management Guide, Section 4: Project Quotas), manage the project roles and specific users' permissions (same doc, Section 5: User Permissions), set up restrictions on EPAM Cloud notifications (same doc, Section 10: Subscriptions)

I activated AWS Inspector on my account, but the VMs are not checked. How can I fix this?

To be able to perform the necessary actions, AWS Inspector needs specific agents to be installed on the VMs. Currently, these agents are to be installed manually, according to the instructions provided here.

How can I register an existing instance on Luminate?

Existing instances can be registered on Luminate via Maestro CLI - by means of the or2-register-on-luminate (or2lum) command:

or2lum -p -r -i

Once the instance is registered, you can check it at the EPAM Luminate Portal.

When you perform this command for Linux-based instances, the command response with included a link to the script,, which must be executed on your workstation in order to allow Luminate to be authorized to your virtual instance.

To execute the script,, please perform these commands:

wget $URL
chmod +x
sudo ./

This difference between the registration procedures for Windows- and Linux-based instances comes from the difference in how logging into instance is realized on different operating systems.

For Linux-based instances run before July 1, 2020, please edit the /etc/sssd/sssd.conf file - change case_sensitive = false to case_sensitive = Preserving.

You can read about logging into registered instances here.

How can I scan my instance if the Qualys agent is not installed yet?

In case the Qualys agent is not installed yet, or you need it earlier than 7 days after the instance was created, you can install the agent in terms of self-service. The instructions are provided by the Continuous Vulnerability Management (CVM) at the respective page.

I didn't find the answer to my question here. Where should I address?

If this section does not contain the answer to your question, please, address our Consulting Team.