Data Change Management

Jul 26, 2024

Resources Created for Cloudsaver Platform Connection

After the client has connected the Cloudsaver platform to their AWS account(s), certain resources are created in the client’s environment to support the data exchange necessary to enable the features of the Cloudsaver platform and applications.

Permissions to create these resources are granted by the IAM permission policies attached to the Cloudsaver-Role. The full list of resource creation permissions allowed can be found within the Infrastructure as Code (IaC) templates or AWS CLI script downloadable through the Cloudsaver platform Connection Wizard. They include:

An S3 bucket into which the AWS Cost and Usage Reports (CUR) may be saved
An AWS Cost and Usage Reports report definition to enable the generation and cost data
Amazon EventBridge connection, API destination, rule, and target resources to enable near real-time synchronization between data viewable in the CloudSaver platform and the client’s AWS environment
AWS Secrets Manager secrets to secure and authenticate the EventBridge API calls to the CloudSaver platform
An IAM service linked role for EventBridge

The permission policies also enable the CloudSaver platform to modify and delete those resources.

The principle of least privilege is followed by the permission policy conditions that allow creation, modification, and deletion of only those specific Amazon Resource Names (ARNs) which enable the connection.

Client Actions Taken Through Cloudsaver

The Cloudsaver platform does not make any changes to the client’s cloud environment or resources without that client initiating or approving such change.

Cloudsaver will, through different features, propose recommendations or make suggestions for action based on data from the client’s environment, but will not execute those actions without affirmative approval from the client user.

Client users may establish certain automated procedures within Cloudsaver that make changes on their behalf based on predetermined triggers and rules. This automation is available only for specific types of changes, and after configuration remains viewable and editable by the client user as needed.

Client-Side Role Based Access Control (RBAC)

Cloudsaver enables client user administrators to limit or remove the access of other client users by configuring RBAC within the Cloudsaver platform. For example, a Cloudsaver platform Role may be established which limits access to specific resources within the client environment or specific client accounts.

Actions which client users can take through the Cloudsaver platform and applications are no greater than those allowed to the Cloudsaver-Role. Administrative users may then limit those actions further at the individual user level within the Cloudsaver platform itself using Roles.

Clients with multiple users accessing the Cloudsaver applications are encouraged to create & apply Roles which allow only actions comparable to those each user would otherwise possess in the client’s environment.

In this article

Resources Created for Cloudsaver Platform Connection
Client Actions Taken Through Cloudsaver
Client-Side Role Based Access Control (RBAC)

FEATURE	BENEFIT
Tag Automation & Batch Tag Processing	Employ powerful automation to quickly and accurately tag cloud resources minimizing manual tasks and saving valuable time and effort. Reduce security vulnerabilities and human errors with accurate and swift tagging.
Real-time, Native Cloud Sync	Tag changes are reflected in real-time in native cloud service provider environments. Data is timely and accurate and can be leveraged with additional CloudSaver and third-party tools.
Tag Explorer Query Engine	Utilize our patented filtering and search technology for rapid and efficient location of client data across resources, zones, accounts, and service providers. This capability drastically reduces mean-time-to-resolution by quickly identifying key cloud data. Its deep dive, robust exploration enables you to “find anything.”
Tag Intelligence Dashboards & Tools	Benefit from a guided tag health experience that automatically delivers valuable insights without the need for customized reports or dashboards. These insights cover both your entire tag environment and also specific categories.
Customizable Dashboards	Create customized dashboards to display data according to your specific needs, offering real-time visibility into cloud resources, tags and spend. Obtain timely, accurate, and relevant data for insightful analysis and to identify tagging gaps.
Efficient Tag Remediation	Benefit from suggested, spell-checked tag keys and values – detect and batch merge tag variations.
Legacy Tagging Solutions	Retroactively tag or modify tags on existing legacy resources during cloud migration, either individually or in bulk and eliminate time-consuming manual efforts for smooth integration into your cloud environment.
Multi-Tenant & Multi-Cloud	Manage every cloud data set from a single screen across resources, zones, accounts, and cloud service providers (AWS and Azure).
Tag Policy Compliance Monitoring	Ingest tag policies from native cloud environments to ensure consistent tag syntax and taxonomy.
User Role & Permission Console	Enhance security with Identity and Access Management features contained in the permissions assigned through tagging.
Configuration Management Database (CMDB) Integration	The CloudSaver platform seamlessly incorporates CMDB data related to known cloud infrastructure, offering precise control, efficient tagging, and enhanced visibility by viewing, filtering, and sorting cloud resources based on CMDB data.