Resources Created for Cloudsaver Platform Connection
After the client has connected the Cloudsaver platform to their AWS account(s), certain resources are created in the client’s environment to support the data exchange necessary to enable the features of the Cloudsaver platform and applications.
Permissions to create these resources are granted by the IAM permission policies attached to the Cloudsaver-Role. The full list of resource creation permissions allowed can be found within the Infrastructure as Code (IaC) templates or AWS CLI script downloadable through the Cloudsaver platform Connection Wizard. They include:
- An S3 bucket into which the AWS Cost and Usage Reports (CUR) may be saved
- An AWS Cost and Usage Reports report definition to enable the generation and cost data
- Amazon EventBridge connection, API destination, rule, and target resources to enable near real-time synchronization between data viewable in the CloudSaver platform and the client’s AWS environment
- AWS Secrets Manager secrets to secure and authenticate the EventBridge API calls to the CloudSaver platform
- An IAM service linked role for EventBridge
The permission policies also enable the CloudSaver platform to modify and delete those resources.
The principle of least privilege is followed by the permission policy conditions that allow creation, modification, and deletion of only those specific Amazon Resource Names (ARNs) which enable the connection.
Client Actions Taken Through Cloudsaver
The Cloudsaver platform does not make any changes to the client’s cloud environment or resources without that client initiating or approving such change.
Cloudsaver will, through different features, propose recommendations or make suggestions for action based on data from the client’s environment, but will not execute those actions without affirmative approval from the client user.
Client users may establish certain automated procedures within Cloudsaver that make changes on their behalf based on predetermined triggers and rules. This automation is available only for specific types of changes, and after configuration remains viewable and editable by the client user as needed.
Client-Side Role Based Access Control (RBAC)
Cloudsaver enables client user administrators to limit or remove the access of other client users by configuring RBAC within the Cloudsaver platform. For example, a Cloudsaver platform Role may be established which limits access to specific resources within the client environment or specific client accounts.
Actions which client users can take through the Cloudsaver platform and applications are no greater than those allowed to the Cloudsaver-Role. Administrative users may then limit those actions further at the individual user level within the Cloudsaver platform itself using Roles.
Clients with multiple users accessing the Cloudsaver applications are encouraged to create & apply Roles which allow only actions comparable to those each user would otherwise possess in the client’s environment.