Registering and Vetting Plugins

All plugins must go through a vetting process before becoming registered and available in the Cloud Compute options.

Security Discussion

  • Since EC2 uses a persistent OS, it may require STIG-compliance
    • Lambda does not require STIG since no OS, but can only be used for fast jobs due to limits of 15 minutes and 10 GB.
  • Other Security Considerations
    • KeyCloak + ActiveDirectory probably will not satisfy military IT requirements
    • All data must be "unclassified" which can fall under "public" or "controlled, unclassified" (CUI). PII is an example of CUI.
    • Should avoid CUI so we can operate in "Information Level 2" cloud environment.
    • Dam breach models may be gray area according to some.


    • Cannot let users to attach their own bucket to the system, could more easily create a new USACE-controlled bucket and give them access.
    • Security group architecture could be inspired by existing used for USACE's Model Library
    • One option to avoid CUI/PII is to associate with a UUID map.
    • Registering a plugin will require Cloud Compute SysAdmin creds.
    • Some stakeholders may wish to just view data without needing login.gov authentication.
    • Care should be taken to avoid high egress costs as access is broadened.
    • CWBI technical team will need to approve security setup.


  • Questions
    • Account admin: should new users by "invited" to access, vs should they "request" access?
      • Either way, need an elegant solution to manage this (no "email this person")


    • Can we apply for federal program to reduce egress fees for "Open Data Portals"?
    • If JSON Web Token (JWT) used for frontend access, how does trust propagate? At the Cloud Compute-level, or Plugin-level, or Instance-level? A: if our VPC/subnets are set up right, might not need to pass credentials down into the Instances.
    • Would we use GRID system, e.g. multiple clouds? A: no, try CWBI under AIS umbrella. us-east1 preferred.
    • Do we need CSM?
    • How many instances of Cloud Compute itself?
    • How will Plugin Manifests define suggested compute resource types? (EC2 vs Lambda vs Batch).


Scripting Native to Applications

All of the HEC Products (HEC-HMS, HEC-RAS, and HEC-ResSim) all provide some level of scripting within their model capabilities. This means almost anyone can write arbitrary code to execute as part of a model run. To limit exposure the team decided that limiting the access of the plugin containers is a reasonable solution to limit the capabilities.


  • Some runtimes support scripts to be defined in the model data and executed; need to avoid running untrusted scripts:
    • HEC-ResSim with Python/Jython
    • HEC-HMS with Python/Jython
    • Others