Data Connection

Jul 26, 2024

How Cloudsaver Connects to Your Environment

Cloudsaver follows industry best practices and uses a role-based access methodology which includes the use of unique external IDs and tokens that automatically expire at intervals of no longer than one hour.

Clients create a role for the Cloudsaver platform and then assign permission policies to that role. The Cloudsaver platform must separately connect, with a role and permission policies, to each AWS account intended to be used with Cloudsaver applications.

The Client may disconnect Cloudsaver applications from their accounts & environment at any time, simply by removing the role and permission policies from those accounts.

Cloudsaver Connection Process

The Cloudsaver application assumes a cross-account role via AWS APIs and its features are allowed to function via the permission policies attached to that role.

To connect a client user must generally possess the following: IAM User access to the client’s AWS Management Account; the client’s AWS Management Account ID, and permission to create an IAM cross-account role and permissions policies. For clarity, if the client has not configured an AWS Organization and holds only one AWS account, that single account serves as the management account for connection purposes.

Cloudsaver offers three different connectivity processes to aid in deployment of the role and policies to client AWS accounts.

Infrastructure as Code (CloudFormation and Terraform)

Clients can connect with infrastructure as code (IaC) through CloudFormation or Terraform with Cloudsaver’s provided templates. Within the Cloudsaver app, clients enter the 12-digit AWS account ID, and Cloudsaver dynamically updates each template with references to the correct AWS ARNs and a unique external ID within the AWS IAM cross-account role trust policy.

At a minimum, the .yaml (CloudFormation) or .tf (Terraform) file provided should be uploaded and deployed via the respective service to the client’s AWS Organization management account.

The template must also be deployed within any member accounts the client wishes to connect. CloudFormation StackSets is recommended to quickly deploy the template across the AWS Organization.

Once the role and permission policies are deployed, the Cloudsaver app will verify account connectivity and display a successful connection when complete.

AWS Command Line Interface (CLI)

Cloudsaver also offers a faster and more automated connectivity process via a script run through the AWS Command Line Interface (CLI).

It is recommended that this be done through a CLI configured on the client’s local machine. Cloudsaver provides a script for Windows, Linux, and macOS to enable this.

Upon running the script provided for the client user’s operating system, the client will be prompted to select which AWS Organization member accounts, if any, to connect to Cloudsaver.

Instructions on managing Cloudsaver platform account connections can be found in Connection Management.

Roles & Permissions

The required AWS IAM cross-account role must be configured with a trust policy which allows the Cloudsaver application to assume the role. The trust policy allows role assumption from Cloudsaver’s AWS account, and is limited by the unique External ID provided to the client within the IaC templates or through CLI script.

To enable the Cloudsaver app’s functionality, additional IAM permission policies must be attached to the role. Cloudsaver adopts the principle of least privilege when connecting with Client environments. As such, the permission policies limit the Cloudsaver application’s access to only actions necessary for functionality.

Instructions on managing roles and permissions can be found in Roles & Permissions.

In this article

How Cloudsaver Connects to Your Environment
Cloudsaver Connection Process
Infrastructure as Code (CloudFormation and Terraform)
AWS Command Line Interface (CLI)
Roles & Permissions

FEATURE	BENEFIT
Tag Automation & Batch Tag Processing	Employ powerful automation to quickly and accurately tag cloud resources minimizing manual tasks and saving valuable time and effort. Reduce security vulnerabilities and human errors with accurate and swift tagging.
Real-time, Native Cloud Sync	Tag changes are reflected in real-time in native cloud service provider environments. Data is timely and accurate and can be leveraged with additional CloudSaver and third-party tools.
Tag Explorer Query Engine	Utilize our patented filtering and search technology for rapid and efficient location of client data across resources, zones, accounts, and service providers. This capability drastically reduces mean-time-to-resolution by quickly identifying key cloud data. Its deep dive, robust exploration enables you to “find anything.”
Tag Intelligence Dashboards & Tools	Benefit from a guided tag health experience that automatically delivers valuable insights without the need for customized reports or dashboards. These insights cover both your entire tag environment and also specific categories.
Customizable Dashboards	Create customized dashboards to display data according to your specific needs, offering real-time visibility into cloud resources, tags and spend. Obtain timely, accurate, and relevant data for insightful analysis and to identify tagging gaps.
Efficient Tag Remediation	Benefit from suggested, spell-checked tag keys and values – detect and batch merge tag variations.
Legacy Tagging Solutions	Retroactively tag or modify tags on existing legacy resources during cloud migration, either individually or in bulk and eliminate time-consuming manual efforts for smooth integration into your cloud environment.
Multi-Tenant & Multi-Cloud	Manage every cloud data set from a single screen across resources, zones, accounts, and cloud service providers (AWS and Azure).
Tag Policy Compliance Monitoring	Ingest tag policies from native cloud environments to ensure consistent tag syntax and taxonomy.
User Role & Permission Console	Enhance security with Identity and Access Management features contained in the permissions assigned through tagging.
Configuration Management Database (CMDB) Integration	The CloudSaver platform seamlessly incorporates CMDB data related to known cloud infrastructure, offering precise control, efficient tagging, and enhanced visibility by viewing, filtering, and sorting cloud resources based on CMDB data.