Data Connection
How Cloudsaver Connects to Your Environment
Cloudsaver implements industry best practices using role-based access with unique external IDs and tokens that expire within one hour. Clients establish a dedicated role for the Cloudsaver platform with assigned permission policies. The platform must connect separately to each AWS account via cross-account role assumption.
Users can disconnect Cloudsaver from their accounts anytime by removing the role and associated policies.
Cloudsaver Connection Process
The application assumes a cross-account role through AWS APIs, with functionality governed by attached permission policies.
To connect, users typically need:
- IAM User access to the AWS Management Account
- The 12-digit AWS Management Account ID
- Permission to create cross-account IAM roles and policies
Note: Single AWS accounts function as management accounts for connection purposes.
Three Connectivity Options
Infrastructure as Code (CloudFormation and Terraform)
Clients input their AWS account ID within the Cloudsaver app. The platform dynamically updates templates with correct AWS ARNs and unique external IDs. Templates deploy to the organization's management account, with CloudFormation StackSets recommended for member account distribution. Upon successful deployment, the app verifies connectivity.
AWS Command Line Interface (CLI)
A faster, automated approach using scripts for Windows, Linux, and macOS. Users run the script and select which organization member accounts to connect.
Roles and Permissions
The cross-account role requires a trust policy enabling Cloudsaver to assume it, limited by the unique External ID. Permission policies follow the principle of least privilege, restricting access to only necessary actions.
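A client can check a role's trust policy for the two properties described above: the trusted principal is the vendor account, and assumption is conditioned on the External ID. This is an added example, not Cloudsaver's code; the account ID `111122223333`, the external ID value and the function names are constructed placeholders.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Extract the 12-digit account ID from a bare account ID or an IAM ARN."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[:3] == ["arn", "aws", "iam"]:
        return parts[4]
    return None  # "*" or an unrecognized form

def audit_trust_policy(policy, vendor_account_id):
    """Return findings for each Allow statement granting sts:AssumeRole; [] means none."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if _account_of(p) != vendor_account_id:
                findings.append(f"statement {i}: principal {p!r} is not the vendor account")
        # IAM condition keys are case-insensitive, so normalize before lookup.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in string_equals.items()}.get("sts:externalid")
        if not ext:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
    return findings

# Constructed sample policies: placeholder account ID and external ID.
VENDOR_ACCOUNT = "111122223333"
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, VENDOR_ACCOUNT))  # no findings
    print(audit_trust_policy(WEAK, VENDOR_ACCOUNT))  # two findings
```

The same function can be run over the `AssumeRolePolicyDocument` returned for the deployed role in each connected account.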
For security inquiries or to request a copy of our SOC 2 Type II report, contact us at security@cloudsaver.com.