Data Change Management
Resources Created for Cloudsaver Platform Connection
After clients connect the Cloudsaver platform to their AWS account(s), certain resources are created in the client's environment to support data exchange necessary for Cloudsaver platform features and applications.
Permissions to create these resources are granted by IAM permission policies attached to the Cloudsaver-Role. The full list of resource creation permissions includes:
- An S3 bucket for AWS Cost and Usage Reports (CUR) storage
- An AWS Cost and Usage Reports report definition enabling cost data generation
- Amazon EventBridge connection, API destination, rule, and target resources enabling near real-time synchronization between the Cloudsaver platform data and the client's AWS environment
- AWS Secrets Manager secrets securing and authenticating EventBridge API calls to the Cloudsaver platform
- An IAM service-linked role for EventBridge
The permission policies also enable the Cloudsaver platform to modify and delete those resources. The policies follow the principle of least privilege: their conditions allow creation, modification, and deletion of only the specific Amazon Resource Names (ARNs) that enable the connection.
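One way a client could check this kind of scoping in a policy document before attaching it, as an added example (not Cloudsaver's code or its actual policy): the Python check below flags Allow statements that grant create, modify, or delete actions on the listed services without naming a specific ARN. The sample policy, account ID, and resource names are constructed placeholders, and classifying actions by their Create/Put/Update/Delete/Remove prefix is an assumption of this example.

```python
import re

SERVICES = {"s3", "cur", "events", "secretsmanager", "iam"}  # services behind the listed resources
WRITE_VERBS = ("create", "put", "update", "delete", "remove", "*")  # assumed write prefixes

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_write(action):
    """True if the action pattern can match a create/modify/delete call."""
    service, _, name = action.lower().partition(":")
    return action == "*" or (service in SERVICES and name.startswith(WRITE_VERBS))

def is_scoped(resource):
    """True if the ARN names a resource or a name prefix, not a bare wildcard."""
    parts = resource.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return False
    name = parts[5]
    if parts[2] != "s3":  # non-S3 ARNs carry a type prefix such as rule/ or secret:
        name = re.split(r"[/:]", name, maxsplit=1)[-1]
    return bool(name) and name[0] not in "*?"

def audit(policy):
    """Return (Sid, resource, verdict) for each write grant that is not ARN-scoped."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:  # inverted matches are broad by design
            findings.append((stmt.get("Sid"), "NotAction/NotResource", "unscoped"))
            continue
        if not any(is_write(a) for a in as_list(stmt["Action"])):
            continue
        for res in as_list(stmt["Resource"]):
            if not is_scoped(res):  # a Condition may still narrow it, so send it to manual review
                verdict = "review-condition" if "Condition" in stmt else "unscoped"
                findings.append((stmt.get("Sid"), res, verdict))
    return findings

# Constructed sample policy: placeholder names, not the policy attached to the Cloudsaver-Role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CurBucket", "Effect": "Allow", "Action": ["s3:CreateBucket", "s3:DeleteBucket"], "Resource": "arn:aws:s3:::example-cur-bucket"},
    {"Sid": "Rules", "Effect": "Allow", "Action": "events:Put*", "Resource": "arn:aws:events:*:123456789012:rule/*"},
    {"Sid": "Secrets", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "arn:aws:secretsmanager:*:123456789012:secret:example-conn-*"},
    {"Sid": "Slr", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": {"StringEquals": {"iam:AWSServiceName": "example.amazonaws.com"}}},
    {"Sid": "Read", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
]}
if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A statement reported as review-condition has a wildcard Resource but carries a Condition block, so whether it is adequately narrowed has to be judged from the condition keys themselves.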
Client Actions Taken Through Cloudsaver
The Cloudsaver platform does not make any changes to the client's cloud environment or resources unless that client initiates or approves the change.
Cloudsaver proposes recommendations and suggestions based on client environment data but will not execute actions without affirmative client user approval. Client users may establish automated procedures within Cloudsaver that make changes based on predetermined triggers and rules. This automation applies only to specific change types and remains viewable and editable by client users.
Client-Side Role-Based Access Control (RBAC)
Cloudsaver enables client user administrators to limit or remove access of other users by configuring RBAC within the platform. A Cloudsaver platform Role may restrict access to specific resources within the client environment or specific client accounts.
Actions client users can take through Cloudsaver applications are no greater than those allowed to the Cloudsaver-Role. Administrative users may limit actions further at the individual user level using Roles. Clients with multiple users accessing Cloudsaver applications are encouraged to create and apply Roles allowing only actions comparable to those each user would possess in their environment.
For security inquiries or to request a copy of our SOC 2 Type II report, contact us at security@cloudsaver.com.