Platform – Role & Permission Policy

Jul 25, 2024

Role

The Cloudsaver platform’s permission policy enables reading of environmental, operational, and resource data from the user’s AWS environment. The Cloudsaver platform uses this data to provide the user visibility of their resources within the platform; enrich resource data which is read and presented to the user through Cloudsaver applications; generate visualizations regarding cloud resource costs and bills; and identify specific cost saving opportunities for users. Additionally, this policy permits the Cloudsaver platform to create and modify those specific and unique resources within the user’s AWS environment which enable the Cloudsaver platform and applications to make connection to and read data regarding the user’s AWS environment.

The Cloudsaver platform does not install third-party agents within the user’s AWS environment. Furthermore, the Cloudsaver platform and applications are not permitted access to any client internal data by this permission policy.

The complete Cloudsaver platform AWS IAM permission policy and role are described within the Infrastructure as Code (IaC) templates or AWS CLI scripts available within the Cloudsaver platform Connection Wizard.

The Cloudsaver AWS IAM role is a cross-account role with the following trust policy:

Effect:	Allow
Principal:	“AWS”: “arn:aws:iam::357040809576:root”
Action:	“sts:AssumeRole”
Condition:StringEquals:	“sts:ExternalId”: “[unique External ID provided by the Cloudsaver platform at download]”
ManagedPolicyArns:	[Cloudsaver platform and application policy ARNs]
RoleName:	Cloudsaver-Role

Permission Policy

By default, the Cloudsaver platform IAM policy is named “CloudsaverPolicyBase”. The following table displays each statement in the Cloudsaver platform policy by its statement ID (SID) and describes the purpose for the permissions contained within that statement.

SID	Purpose
CloudsaveBase	Read permissions for resources & infrastructure to enrich tag data & comprehend relationships between entities
CloudsaverApiS3Bucket	Allows Tag Manager to manage the S3 bucket containing the CUR
CloudsaverApiS3BucketObjects
CloudsaverApiSaveBillingReportToS3	Allows Tag Manager to generate the CUR
CloudsaverApiSecretsManager	Limited permissions necessary to secure Tag Manager’s EventBridge monitoring
CloudsaverApiEvents	Allows configuration of Tag Manager EventBridge rules, targets, and destinations
CloudsaverApilamPassRole	Enables passing of the Cloudsaver role to EventBridge

In this article

Role
Permission Policy

FEATURE	BENEFIT
Tag Automation & Batch Tag Processing	Employ powerful automation to quickly and accurately tag cloud resources minimizing manual tasks and saving valuable time and effort. Reduce security vulnerabilities and human errors with accurate and swift tagging.
Real-time, Native Cloud Sync	Tag changes are reflected in real-time in native cloud service provider environments. Data is timely and accurate and can be leveraged with additional CloudSaver and third-party tools.
Tag Explorer Query Engine	Utilize our patented filtering and search technology for rapid and efficient location of client data across resources, zones, accounts, and service providers. This capability drastically reduces mean-time-to-resolution by quickly identifying key cloud data. Its deep dive, robust exploration enables you to “find anything.”
Tag Intelligence Dashboards & Tools	Benefit from a guided tag health experience that automatically delivers valuable insights without the need for customized reports or dashboards. These insights cover both your entire tag environment and also specific categories.
Customizable Dashboards	Create customized dashboards to display data according to your specific needs, offering real-time visibility into cloud resources, tags and spend. Obtain timely, accurate, and relevant data for insightful analysis and to identify tagging gaps.
Efficient Tag Remediation	Benefit from suggested, spell-checked tag keys and values – detect and batch merge tag variations.
Legacy Tagging Solutions	Retroactively tag or modify tags on existing legacy resources during cloud migration, either individually or in bulk and eliminate time-consuming manual efforts for smooth integration into your cloud environment.
Multi-Tenant & Multi-Cloud	Manage every cloud data set from a single screen across resources, zones, accounts, and cloud service providers (AWS and Azure).
Tag Policy Compliance Monitoring	Ingest tag policies from native cloud environments to ensure consistent tag syntax and taxonomy.
User Role & Permission Console	Enhance security with Identity and Access Management features contained in the permissions assigned through tagging.
Configuration Management Database (CMDB) Integration	The CloudSaver platform seamlessly incorporates CMDB data related to known cloud infrastructure, offering precise control, efficient tagging, and enhanced visibility by viewing, filtering, and sorting cloud resources based on CMDB data.