How Cloudsaver Connects to Your Environment
Cloudsaver follows industry best practices and uses a role-based access methodology. Each connection uses a unique external ID, and the temporary tokens obtained by assuming the role automatically expire after no longer than one hour.
Clients create a role for the Cloudsaver platform and then assign permission policies to that role. The Cloudsaver platform must separately connect, with a role and permission policies, to each AWS account intended to be used with Cloudsaver applications.
The Client may disconnect Cloudsaver applications from their accounts and environment at any time, simply by removing the role and permission policies from those accounts.
Cloudsaver Connection Process
The Cloudsaver application assumes a cross-account role via AWS APIs and its features are allowed to function via the permission policies attached to that role.
To connect, a client user must generally have the following: IAM user access to the client’s AWS management account; the client’s AWS management account ID; and permission to create an IAM cross-account role and permission policies. For clarity, if the client has not configured an AWS Organization and holds only one AWS account, that single account serves as the management account for connection purposes.
Cloudsaver offers three different connectivity processes to aid in deployment of the role and policies to client AWS accounts.
Infrastructure as Code (CloudFormation and Terraform)
Clients can connect with infrastructure as code (IaC) through CloudFormation or Terraform with Cloudsaver’s provided templates. Within the Cloudsaver app, clients enter the 12-digit AWS account ID, and Cloudsaver dynamically updates each template with references to the correct AWS ARNs and a unique external ID within the AWS IAM cross-account role trust policy.
At a minimum, the .yaml (CloudFormation) or .tf (Terraform) file provided should be uploaded and deployed via the respective service to the client’s AWS Organization management account.
The template must also be deployed within any member accounts the client wishes to connect. CloudFormation StackSets is recommended to quickly deploy the template across the AWS Organization.
Once the role and permission policies are deployed, the Cloudsaver app will verify account connectivity and display a successful connection when complete.
AWS Command Line Interface (CLI)
Cloudsaver also offers a faster and more automated connectivity process via a script run through the AWS Command Line Interface (CLI).
It is recommended that this be done through a CLI configured on the client’s local machine. Cloudsaver provides a script for Windows, Linux, and macOS to enable this.
Upon running the script provided for the client user’s operating system, the client will be prompted to select which AWS Organization member accounts, if any, to connect to Cloudsaver.
Instructions on managing Cloudsaver platform account connections can be found in Connection Management.
Roles & Permissions
The required AWS IAM cross-account role must be configured with a trust policy that allows the Cloudsaver application to assume the role. The trust policy allows role assumption only from Cloudsaver’s AWS account, and is further restricted by a condition on the unique External ID provided to the client within the IaC templates or through the CLI script.
To enable the Cloudsaver app’s functionality, additional IAM permission policies must be attached to the role. Cloudsaver adopts the principle of least privilege when connecting with Client environments. As such, the permission policies limit the Cloudsaver application’s access to only actions necessary for functionality.
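The trust-policy shape described above (vendor account as the only principal, plus an External ID condition) and the least-privilege requirement for the attached permission policies are both things a client can check before deploying a template. The following is an added example, not Cloudsaver's code or its templates: a small audit that reads the policy documents an IaC template would create and flags a trust policy that lacks the External ID condition or trusts a principal other than the expected vendor account, and a permission policy that grants every action on every resource. The vendor account ID, the external ID, and the sample policies are all constructed placeholders; the `ce:` read-only actions in the scoped sample are a hypothetical minimum, not the actual policy the product ships.

```python
"""Audit a cross-account role's trust policy and permission policies.

Added example (not the vendor's code). All IDs below are constructed placeholders.
"""
import json

VENDOR_ACCOUNT_ID = "111111111111"            # placeholder vendor AWS account
EXPECTED_EXTERNAL_ID = "cs-example-external-id-0001"  # placeholder external ID

# Constructed sample: trusts ANY AWS principal and carries no External ID
# condition, so any third party who learns the role ARN could assume it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: trust limited to one vendor account AND to callers
# presenting the expected External ID.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed sample permission policies: a full-admin grant versus a
# hypothetical read-only Cost Explorer scope.
OVERBROAD_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast"],
                   "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Extract the AWS principals of a statement (dict or bare '*')."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def audit_trust_policy(policy, vendor_account_id, expected_external_id):
    """Findings for each Allow/AssumeRole statement not pinned to the vendor
    account and the expected External ID. An empty list means it passes."""
    allowed = {vendor_account_id, f"arn:aws:iam::{vendor_account_id}:root"}
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _principals(stmt):
            if p not in allowed:
                findings.append(f"statement {i}: principal {p!r} is not the vendor account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings


def audit_permission_policy(policy):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: grants '*' on '*' (not least privilege)")
    return findings


def audit_role(trust_policy, permission_policies, vendor_account_id, expected_external_id):
    """Run both audits and return a verdict with the collected findings."""
    findings = audit_trust_policy(trust_policy, vendor_account_id, expected_external_id)
    for pp in permission_policies:
        findings.extend(audit_permission_policy(pp))
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for name, tp, pp in [("weak", WEAK_TRUST_POLICY, OVERBROAD_PERMISSION_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY, SCOPED_PERMISSION_POLICY)]:
        print(name, json.dumps(audit_role(tp, [pp], VENDOR_ACCOUNT_ID, EXPECTED_EXTERNAL_ID), indent=2))
```

Run it against the policy documents extracted from a template before deployment (for a CloudFormation `AWS::IAM::Role`, the `AssumeRolePolicyDocument` and the inline or managed `Policies`). The weak sample produces two trust findings and one permission finding; the hardened sample passes. The External ID check is deliberately an exact match: a condition that uses `StringLike` with a wildcard would still be reported as wrong, which is the conservative result for a value that is meant to be unique per client.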
Instructions on managing roles and permissions can be found in Roles & Permissions.