Security | 5 min read | Apr 2, 2026

Platform Role & Permission Policy

Role

The Cloudsaver platform's permission policy enables reading of environmental, operational, and resource data from the user's AWS environment. The Cloudsaver platform uses this data to give the user visibility into their resources within the platform; enrich resource data that is read and presented to the user through Cloudsaver applications; generate visualizations of cloud resource costs and bills; and identify specific cost-saving opportunities for users.

Additionally, this policy permits the Cloudsaver platform to create and modify the specific resources within the user's AWS environment that the Cloudsaver platform and applications need in order to connect to and read data about the user's AWS environment.

The Cloudsaver platform does not install third-party agents within the user's AWS environment. Furthermore, the Cloudsaver platform and applications are not permitted access to any client internal data by this permission policy.

The complete Cloudsaver platform AWS IAM permission policy and role are described within the Infrastructure as Code (IaC) templates or AWS CLI scripts available within the Cloudsaver platform Connection Wizard.

Trust Policy

The Cloudsaver AWS IAM role is a cross-account role defined with the following trust policy and role properties:

  • Effect: Allow
  • Principal: "AWS": "arn:aws:iam::357040809576:root"
  • Action: "sts:AssumeRole"
  • Condition: sts:ExternalId set to the unique External ID provided by the Cloudsaver platform at download
  • ManagedPolicyArns: Cloudsaver platform and application policy ARNs
  • RoleName: Cloudsaver-Role
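The same trust relationship written out as an IAM policy document, together with a check a reviewer can run over any cross-account trust policy before deploying it to confirm that every AssumeRole grant is limited to the expected account and gated by sts:ExternalId. This is an added example, not Cloudsaver's own IaC template; the External ID value and the check_trust_policy function are constructed for illustration.

```python
# Account ID quoted in the page's trust policy. The External ID is per customer
# and comes from the Connection Wizard; the value below is a constructed placeholder.
CLOUDSAVER_ACCOUNT = "357040809576"
EXAMPLE_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"


def trust_policy(external_id, account=CLOUDSAVER_ACCOUNT):
    """Trust policy as the page describes it: only the named account may call
    sts:AssumeRole, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_account):
    """Review a cross-account trust policy before deploying it. Returns a list
    of findings; empty means every AssumeRole grant is limited to the expected
    account and is gated by an sts:ExternalId condition."""
    findings = []
    expected_prefix = f"arn:aws:iam::{expected_account}:"
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue  # only Allow + AssumeRole statements define the trust boundary
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
            elif not str(p).startswith(expected_prefix):
                findings.append(f"statement {i}: unexpected principal {p}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    print(check_trust_policy(trust_policy(EXAMPLE_EXTERNAL_ID), CLOUDSAVER_ACCOUNT))
```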

Permission Policy

By default, the Cloudsaver platform IAM policy is named "CloudsaverPolicyBase". The following table describes each statement in the Cloudsaver platform policy by its statement ID (SID) and the purpose of the permissions contained within that statement.

SID                                   Purpose
CloudsaveBase                         Read permissions for resources and infrastructure to enrich tag data and comprehend relationships between entities
CloudsaverApiS3Bucket                 Allows Tag Manager to manage the S3 bucket containing the CUR
CloudsaverApiS3BucketObjects          Allows Tag Manager to manage objects within the CUR S3 bucket
CloudsaverApiSaveBillingReportToS3    Allows Tag Manager to generate the CUR
CloudsaverApiSecretsManager           Limited permissions necessary to secure Tag Manager's EventBridge monitoring
CloudsaverApiEvents                   Allows configuration of Tag Manager EventBridge rules, targets, and destinations
CloudsaverApiIamPassRole              Enables passing of the Cloudsaver role to EventBridge

For security inquiries or to request a copy of our SOC 2 Type II report, contact us at security@cloudsaver.com.
