Overview

DeepIntShield Enterprise provides private container image distribution through dedicated registries, enabling secure deployments in AWS, GCP, Azure, and on-premise environments.

Architecture

DeepIntShield uses a hub-and-spoke model with two container registries optimized for each cloud platform:

flowchart TB
    subgraph DeepIntShieldInfra[DeepIntShield Infrastructure]
        CICD[CI/CD Pipeline]
        GCR[GCP Artifact Registry]
        ECR[AWS ECR]
    end

    subgraph Customers[Customer Environments]
        subgraph AWSCustomer[AWS Customers]
            EKS[EKS Cluster]
            ECS[ECS Service]
        end
        subgraph GCPCustomer[GCP Customers]
            GKE[GKE Cluster]
        end
        subgraph AzureCustomer[Azure Customers]
            AKS[AKS Cluster]
        end
        subgraph OnPrem[On-Premise]
            K8S[Kubernetes]
            Docker[Docker]
        end
    end

    CICD -->|Push| GCR
    CICD -->|Push| ECR

    ECR -->|IRSA| EKS
    ECR -->|Task Role| ECS
    GCR -->|Workload Identity| GKE
    GCR -->|Azure WIF| AKS
    GCR -->|Basic Auth| OnPrem

Registry Distribution

Customer Cloud	Registry Source	Why
AWS	AWS ECR	Native IAM integration, lowest latency within AWS
GCP	GCP Artifact Registry	Native Workload Identity, lowest latency within GCP
Azure	GCP Artifact Registry	Workload Identity Federation from Azure to GCP
On-Premise	GCP Artifact Registry	Basic auth with username/password credentials

Authentication Methods

Choose the authentication method based on your deployment environment:

Environment	Method	Security Level	Setup Complexity
AWS EKS	IRSA	High	Medium
AWS ECS	IAM Task Roles	High	Low
GCP GKE	Workload Identity	High	Low
Azure AKS	Azure WIF	High	Medium
On-Premise	Basic Auth	Medium	Low

Note

Cloud-native identity federation (IRSA, Workload Identity, Azure WIF) is recommended over static credentials for production deployments.

Security Features

Encryption

• In-Transit: All registry communication uses TLS 1.3
• At-Rest: Images encrypted using cloud-native encryption (AWS KMS, GCP CMEK)

Access Control

• IAM-based: Fine-grained permissions using cloud IAM policies
• Audit Logging: All image pull operations are logged for compliance
• IP Restrictions: Optional VPC Service Controls (GCP) or VPC endpoints (AWS)

Image Security

• Vulnerability Scanning: Automatic scanning on push
• Immutable Tags: Optional tag immutability to prevent overwrites
• Signed Images: Container image signatures for verification

Prerequisites

Before deploying DeepIntShield Enterprise, ensure you have:

AWS

• AWS account with ECR access
• EKS cluster (v1.23+) or ECS cluster
• IAM permissions to create roles and policies
• kubectl and aws CLI configured

GCP

• GCP project with Artifact Registry API enabled
• GKE cluster (v1.24+) with Workload Identity enabled
• IAM permissions for service account management
• kubectl and gcloud CLI configured

Azure

• Azure subscription with AKS
• AKS cluster (v1.24+) with Workload Identity enabled
• Permissions to create Managed Identities
• kubectl and az CLI configured

On-Premise

• Kubernetes cluster (v1.23+) or Docker runtime
• Network access to us-central1-docker.pkg.dev
• Docker credentials provided by DeepIntShield team

Getting Started

AWS Deployment

Deploy on EKS or ECS with IRSA authentication

Open →

GCP Deployment

Deploy on GKE with Workload Identity

Open →

Azure Deployment

Deploy on AKS with Azure Workload Identity Federation

Open →

On-Premise

Deploy anywhere with Docker credentials

Open →

Support

For enterprise deployment assistance:

• Email: contact@getmaxim.ai
• Slack: Connect via Slack Connect for real-time support
• Documentation: Platform-specific guides linked above