
Cloud Capital Optimization Security Overview

Updated: 21st October 2024

At Cloud Capital, the security of our customers’ data is a top priority. We implement best-in-class security practices to ensure that all data accessed, processed, and stored through our cloud cost optimization tool is safe and compliant with industry standards. This document provides an overview of the security measures we follow, along with details on the integration with AWS, data collection practices, permissions granted, and how we safeguard your data.

This document should be viewed in conjunction with our Forecasting Security Overview. This document addresses the additive access or policies that relate to the Cloud Capital Optimization product and implementation.

Optimization Process

Account Transfer:

  • Your AWS Account will be moved into the Cloud Capital Organization as part of onboarding. This applies to all of your AWS accounts unless otherwise noted with Cloud Capital. Upon accepting the invitation to join the Organization, you will adhere to the Service Control Policy, which restricts your ability to purchase commitments.

  • A new “Commitment Container” account will be created by you and will be the account in which all commitments made by Cloud Capital are purchased. This follows Amazon’s best practices of buying commitments within an empty account for optimal application across your Organization.

Purpose:

  • This transfer enables Cloud Capital to make commitment purchases on your behalf, enables any additive discounts, and ensures that the correct controls are in place to make those commitments.

Safeguards:

  • Cloud Infrastructure: We do not manage or control the resources in your accounts. You retain full responsibility for the technical operations, configuration, maintenance, and security of your cloud environment.

  • Customer Data: We do not access or handle customer data. You are fully responsible for managing your own data privacy, security, and compliance with data protection regulations. We only handle your cloud spend data and related business/financial information needed for cost optimization and billing.

  • Root Permissions: You retain full root-level access to all your accounts, ensuring complete control over account settings, configurations, and security measures.

  • Commitment Buying: Buying of commitments will be restricted to the “Commitment Account”, while selling, listing, or modifying existing reservations will be allowed in all accounts.

Data Collection & Usage

Data We Collect:

  • All data outlined in the Forecasting Security Overview is still collected and remains subject to the same security policy.

  • The new Cloud Capital Optimization Role adds permissions for purchasing commitments and read-only access for listing items like service quotas.

  • We access the cost and usage data of the new Organization through an export of the Cost and Usage Report that is the same as in the Forecasting product. Access to this data is required for the optimization process.

Purpose:

  • Our tool leverages this data to help forecast cloud costs based on historical spending patterns, resource usage, and commitment plans. The insights are used for continued financial forecasting, savings efficiency and commitment purchasing decisions.

Data Retention & Deletion:

  • We store your cost and usage data only for the duration of your use of the Cloud Capital platform. Upon request, and after leaving our optimization process, we can delete all collected data within 30 days of receiving a request to do so. We maintain strong controls over data retention to ensure that your data is not held longer than necessary.

Data Privacy & Compliance:

  • Cloud Capital complies with major data privacy regulations. We do not collect any end customer data other than the logins required for our application.

Third-Party Vendors:

  • Cloud Capital does share cost data through our Distributor partner for AWS, which is Pax8. We also use third-party tools for internal purposes, such as analytics, customer support, and payment processing. None of these services have access to your sensitive data.

Access & Permissions

Permissions & Role Details:

  • Cloud Capital provides a CloudFormation stack to enable the creation of an IAM Role with the following key attributes:

    1. Cross-Account Role: The role allows Cloud Capital’s AWS account to assume the necessary permissions, strictly limited by the policies provided. This is the approach recommended by AWS (documentation), and we use a shared external ID that is a system-generated UUID, as suggested in the documentation.

    2. Permissions:

      • This custom policy grants access to specific AWS services that are essential for cost optimization, such as:

        • Commitments:

          • ec2:AcceptReservedInstancesExchangeQuote

          • ec2:CancelReservedInstancesListing

          • ec2:CreateReservedInstancesListing

          • ec2:DeleteQueuedReservedInstances

          • ec2:ModifyReservedInstances

          • ec2:PurchaseHostReservation

          • ec2:PurchaseReservedInstancesOffering

          • cloudfront:CreateSavingsPlan

          • cloudfront:UpdateSavingsPlan

          • dynamodb:PurchaseReservedCapacityOfferings

          • elasticache:PurchaseReservedCacheNodesOffering

          • es:PurchaseReservedInstanceOffering

          • medialive:PurchaseOffering

          • rds:PurchaseReservedDbInstancesOffering

          • redshift:AcceptReservedNodeExchange

          • redshift:PurchaseReservedNodeOffering

          • savingsplans:*

          • servicequotas:RequestServiceQuotaIncrease

        • Read Permissions:

          • support:*

          • ec2:Describe*

          • ec2:GetCapacityReservationUsage

          • ec2:GetReservedInstancesExchangeQuote
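
An added example (not Cloud Capital's code or its CloudFormation template): a Python check a customer could run over the role's JSON documents to confirm that the trust policy pins the expected account and external ID, and that the permissions policy allows nothing beyond the actions listed above. The account ID, external ID and sample policies are constructed placeholders; matching is by exact action string, and NotAction statements are not evaluated.

```python
# Actions this page lists for the optimization role (copied from the list above).
PAGE_ACTIONS = {a.lower() for a in """
ec2:AcceptReservedInstancesExchangeQuote ec2:CancelReservedInstancesListing
ec2:CreateReservedInstancesListing ec2:DeleteQueuedReservedInstances
ec2:ModifyReservedInstances ec2:PurchaseHostReservation ec2:Describe*
ec2:PurchaseReservedInstancesOffering ec2:GetCapacityReservationUsage
ec2:GetReservedInstancesExchangeQuote cloudfront:CreateSavingsPlan
cloudfront:UpdateSavingsPlan dynamodb:PurchaseReservedCapacityOfferings
elasticache:PurchaseReservedCacheNodesOffering es:PurchaseReservedInstanceOffering
medialive:PurchaseOffering rds:PurchaseReservedDbInstancesOffering
redshift:AcceptReservedNodeExchange redshift:PurchaseReservedNodeOffering
savingsplans:* servicequotas:RequestServiceQuotaIncrease support:*
""".split()}
def _as_list(value):  # IAM accepts a single value or a list for these fields
    return value if isinstance(value, list) else [value]

def trust_findings(trust_policy, vendor_account, external_id):
    """Return problems found in the role's trust policy (empty list = OK)."""
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p != vendor_account and not p.startswith(f"arn:aws:iam::{vendor_account}:"):
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or different")
    return findings

def unexpected_actions(permissions_policy):
    """Return sorted Allow actions that are not on the page's list."""
    extra = set()
    for stmt in _as_list(permissions_policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            extra |= {a for a in _as_list(stmt.get("Action", []))
                      if a.lower() not in PAGE_ACTIONS}
    return sorted(extra)

# Constructed sample input: placeholder account ID and external ID, not real values.
EXT_ID = "00000000-0000-4000-8000-000000000000"
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXT_ID}}}]}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "savingsplans:*", "ec2:RunInstances", "iam:*"]}]}
print(trust_findings(SAMPLE_TRUST, "111122223333", EXT_ID), unexpected_actions(SAMPLE_POLICY))
```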

CloudFormation Details:

  • IAM Role Creation: The CloudFormation stack automatically creates an IAM Role with the name provided by the customer. This role is bound to the permissions specified above.

  • ARN Role: The generated ARN is required to connect the AWS account to Cloud Capital’s platform. This ensures secure, cross-account access is scoped and managed effectively.

The CloudFormation stack file can be reviewed here. It includes the IAM policy for the Role. The parameters in the stack are filled in automatically by the integration process.

Customizing Cross-Account IAM Role Permissions:

Modifying the cross-account role is not allowed, as it would deprive Cloud Capital of the access needed to perform optimizations.

Access Revocation and Deletion:

If a customer revokes access to the Cloud Capital role at any time, this would cause Cloud Capital to pursue cancellation of the contract, as we would be unable to perform our contractual obligations.

Security Measures

Encryption:

  • Data in Transit: All communication between Cloud Capital and AWS is encrypted using TLS to ensure data is secure during transmission.

  • Data at Rest: Within Cloud Capital, all data at rest is encrypted in accordance with AWS encryption standards.

Least Privilege Access:

  • Permissions: Our integration requests only the minimum set of read-only permissions necessary for the optimization of cloud costs and relies on the cost and usage data for forecasting. This minimizes risk and ensures that no customer resources are modified. Cloud Capital has no permissions to shut off or provision new resources; it can only purchase commitments against resources that are expected to be used.

Logging and Audit Trails:

  • All interactions with customer data and platform actions are logged for audit purposes. This includes detailed audit trails of access, data retrieval, and changes within the system.

  • We record every commit decision, the context for that decision, and the approvals that were given for it.

FAQ

  1. What happens to my AWS account during the Cloud Capital onboarding process?
    Your AWS account is transferred into the Cloud Capital Organization. A new “Commitment Container” account will be created to manage purchasing commitments, ensuring optimal application of discounts.

  2. Does Cloud Capital access or control the resources in my AWS account?
    No, Cloud Capital does not manage or control any of your cloud resources. You maintain full responsibility for technical operations, security, and configuration of your AWS environment.

  3. What data does Cloud Capital collect, and how is it used?
    Cloud Capital only collects your cloud cost and usage data for the purpose of cost optimization. This data is used to forecast cloud costs, optimize savings, and inform commitment purchasing decisions.

  4. Does Cloud Capital access my customer data?
    No, Cloud Capital does not access or handle your customer data. We only interact with cloud spend data and financial information necessary for optimization and billing purposes.

  5. What permissions do I need to grant Cloud Capital?
    You will grant Cloud Capital a cross-account IAM Role with specific permissions to purchase cloud commitments and access cost data. These permissions are scoped to essential services and follow AWS best practices.

  6. How does Cloud Capital secure my data during transmission and storage?
    All data transmitted between Cloud Capital and AWS is encrypted using TLS. Additionally, data at rest in Cloud Capital’s systems is encrypted according to AWS encryption standards.

  7. What happens if I revoke access to the Cloud Capital IAM Role?
    If access is revoked, Cloud Capital will no longer be able to perform optimizations, which would lead to the cancellation of the contract as we won’t be able to meet our service commitments.

  8. What logging and audit controls does Cloud Capital have in place?
    Cloud Capital logs all interactions with your data and platform actions for audit purposes. This includes audit trails for data access, decision-making processes, and any changes made within the system.