Added Bring Your Own Storage documentation

docs/testfairy/security/bring-your-own-storage.md

@@ -0,0 +1,101 @@
+---
+id: bring-your-own-storage
+title: Bring Your Own Storage
+sidebar_label: Bring Your Own Storage
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Mobile App Distribution on a Private Cloud instance, allows you to *Bring Your Own Storage* and store the app artifacts on your own bucket.
+
+This document explains how to create a new bucket that can be then used by Mobile App Distribution.
+
+### Creating a bucket
+
+
+
+- `AWS region` is your own choice. Best would be in the same region as the compute instances.
+
+
+- `Bucket Name` should fit your own naming convention.
+
+
+- Here is what needs to be configured:
+
+  - `Bucket type`: General Purpose
+
+  - `Object ownership`: ACLs Disabled (all objects in this bucket are owned by this account)
+
+  - `Block Public Access settings for this bucket`: On
+
+  - `Default encryption`: SSE-S3 (for custom KMS, see next section)
+
+  - `Bucket Policy`:
+  ```json
+  {
+    "Version": "2012-10-17",
+    "Id": "mobile_app_distribution_policy",
+    "Statement": [
+      {
+        "Sid": "mobile_app_distribution_statement",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "<will be provided to you>"
+        },
+        "Action": [
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        "Resource": "arn:aws:s3:::<bucket name>/*"
+      }
+    ]
+  }
+  ```
+
+### Using SSE-KMS on Bucket
+
+In order to have objects in S3 encrypted with SSE-KMS, a Key Policy is required.
+
+Here is what's required:
+
+- Key is **required** to be created in the same region as the S3 bucket
+
+- Create with key type `Symmetric`, and key usage `Encrypt and Decrypt`
+
+- Paste this **Key Policy**:
+  ```json
+  {
+    "Version": "2012-10-17",
+    "Id": "mobile_app_distribution_key_policy",
+    "Statement": [
+      {
+        "Sid": "Allow Mobile App Distribution",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "<will be provided to you>"
+        },
+        "Action": [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "Enable IAM User Permissions",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "arn:aws:iam::<your account id>:root"
+        },
+        "Action": "kms:*",
+        "Resource": "*"
+      }
+    ]
+  }
+  ```
+
+
+
+

docs/testfairy/security/private-cloud.md

@@ -18,22 +18,22 @@ Each Private Cloud instance operates independently, ensuring no shared resources
 
 #### Key Components
 
-- Dedicated Instance
+- **Dedicated Instance**
 
   A dedicated instance is provisioned for each Private Cloud. This guarantees that compute resources are
   not shared with other tenants, providing consistent performance, isolation and security. 
 
-- Dedicated Database 
+- **Dedicated Database** 
 
   Each Private Cloud instance comes with its own dedicated database. This ensures that all data is completely 
   isolated, providing enhanced data security and performance benefits.
 
-- Dedicated Data Storage (S3, GCS)
+- **Dedicated Data Storage (S3)**
 
   For object storage, each tenant has a dedicated S3 bucket. This ensures that files and data stored in the cloud 
   are securely isolated and managed separately.
 
-- Dedicated IP Address
+- **Dedicated IP Address**
 
   Each Private Cloud instance is assigned a dedicated IP address. This allows for better control over network traffic,
   improved security through IP whitelisting.
@@ -42,22 +42,22 @@ Each Private Cloud instance operates independently, ensuring no shared resources
 
 A Private Cloud instance can suit your needs better by its available customizations:
 
-- Select Hosted Region
+- **Select Hosted Region**
 
   You may decide where the data is hosted, select from one of AWS available regions.
 
-- Firewall Rules
+- **Firewall Rules**
 
   A dedicate IP address and instance also allows you to select custom firewall rules. For example, admin panel is
   only available through company VPN.
 
-- Custom Data Retention
+- **Custom Data Retention**
 
   Apply specific rules as to how long your files are stored and when they are removed
 
-- Provide S3-compliant Bucket
+- **Provide S3 Bucket**
 
-  Host the apps on your own S3 bucket (may that be AWS S3, GCP GCS or others). Your bucket, your rules. 
+  Host the apps on your own S3 bucket. Your bucket, your rules. 
 
 
 

sidebars.js

@@ -1188,6 +1188,7 @@ module.exports = {
                     collapsed: true,
                     items: [
                         'testfairy/security/private-cloud',
+                        'testfairy/security/bring-your-own-storage',
                         {
                             type: 'category',
                             label: 'Single Sign On',