Cloud Capital Forecasting Security Overview
Updated: 14th October 2024
At Cloud Capital, the security of our customers’ data is a top priority. We implement best-in-class security practices to ensure that all data accessed, processed, and stored through our cloud cost forecasting tool is safe and compliant with industry standards. This document provides an overview of the security measures we follow, along with details on the integration with AWS, data collection practices, permissions granted, and how we safeguard your data.
Data Collection & Usage
Data We Collect:
- Cost and Usage Data: We access your AWS Cost and Usage Reports (CUR) and AWS Cost Explorer to gather cost and commitment usage data. This includes daily reports for the current billing cycle, which we use to forecast long-term cloud spend.
- Commitment Data: The integration retrieves data from AWS Billing and other services to get current commitments and cost optimizations that have been made.
Purpose:
- Our tool leverages this data to help forecast cloud costs based on historical spending patterns, resource usage, and commitment plans. The insights are used purely for financial forecasting, savings efficiency and planning purposes.
Data Retention & Deletion:
- We store your cost and usage data only for the duration of your use of the Cloud Capital platform. Upon request, we can delete all collected data within 30 days of receiving a request to do so. We maintain strong controls over data retention to ensure that your data is not held longer than necessary.
Data Privacy & Compliance:
- Cloud Capital complies with major data privacy regulations. We do not collect any end customer data other than the logins required for our application.
Third-Party Vendors:
- Cloud Capital does not share any cost data or personal data with third-party vendors. However, we use third-party tools for internal purposes, such as analytics, customer support, and payment processing. None of these services have access to your sensitive cost or usage data.
Data Integration Process
Integration Steps:
- Creating a Cost Data Export in AWS:
  - We guide customers to create a daily cost data export in AWS Billing & Cost Management, storing this data in an S3 bucket of your choice.
- IAM Policy & Role Setup:
  - Customers set up a cross-account role with a minimal permissions policy that grants us read-only access to the information mentioned above. The CloudFormation stack we provide ensures this access is clear and easy to provide.
- Data Collection:
  - Once the S3 bucket and IAM role are in place, we collect the cost data for processing. We only gather the required information, and the data remains under the control of the customer at all times.
- Testing & Validation:
  - Before enabling the integration, customers can review the access policy for the role to verify that we have access to the required data and nothing more.
Access & Permissions
Permissions & Role Details:
- Cloud Capital provides a CloudFormation stack to enable the creation of an IAM Role with the following key attributes:
  - Cross-Account Role: The role allows Cloud Capital’s AWS account to assume the necessary permissions, strictly limited by the policies provided. This is the recommended approach by AWS (documentation) and we use a shared external ID that is a system-generated UUID as suggested in the documentation.
  - Managed Policies: We use a ReadOnlyAccess policy, ensuring that our tool can only read the data without the ability to modify, create, or delete any resources.
  - Data Access:
    - This custom policy grants access to specific AWS services that are essential for cost forecasting, such as:
      - AWS Cost Explorer (ce:*)
      - AWS Cost and Usage Reports (cur:*)
      - AWS Billing (billing:Get*)
      - AWS Organizations (organizations:Describe*)
      - AWS Pricing API (pricing:Get*)
    - S3 Bucket Access:
      - Read and list access to the S3 bucket where the Cost and Usage Reports are stored. This is scoped strictly to the designated bucket and paths related to the export.
    - EC2, Lambda, and RDS Describe Access:
      - Read-only access to compute and database resource descriptions for cost mapping, commitments, and usage.
- CloudFormation Details:
  - IAM Role Creation: The CloudFormation stack automatically creates an IAM Role with the name provided by the customer. This role is bound to the permissions specified above.
  - ARN Role: The generated ARN is required to connect the AWS account to Cloud Capital’s platform. This ensures secure, cross-account access is scoped and managed effectively.
The CloudFormation stack file can be reviewed here. It includes the IAM policy for the Role. The parameters in the stack are filled in automatically by the integration process.
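One way to carry out the Testing & Validation review against the permissions listed above, as an added example (not Cloud Capital's code or its CloudFormation template): a short Python audit of a role's trust policy and permissions policy. The account ID, bucket name, ExternalId and both sample documents are constructed placeholders, and the set of verbs treated as read-only is an assumption. A service-wide wildcard such as `ce:*` matches every action in that service, so the audit reports it separately from plain read verbs.

```python
READ_VERBS = ("Get", "List", "Describe")  # assumption: verbs counted as read-only

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust(trust, vendor_account):
    """Check who may assume the role and that an ExternalId is required."""
    findings = []
    for st in as_list(trust["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        for arn in (as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]):
            if arn != vendor_account and f"::{vendor_account}:" not in arn:
                findings.append(f"unexpected principal: {arn}")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("no StringEquals sts:ExternalId condition")
    return findings

def audit_permissions(policy, export_bucket):
    """Flag Allow actions that are not read-only and S3 access outside the export bucket."""
    findings, bucket_arn = [], f"arn:aws:s3:::{export_bucket}"
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            service, _, verb = action.partition(":")
            if verb in ("", "*"):
                findings.append(f"{action}: wildcard also matches write actions")
            elif not verb.startswith(READ_VERBS):
                findings.append(f"{action}: not a read-only verb")
            for res in as_list(st.get("Resource", [])) if service == "s3" else []:
                if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                    findings.append(f"{action}: S3 resource outside export bucket: {res}")
    return findings

# Constructed sample documents; account ID, bucket name and ExternalId are placeholders.
VENDOR_ACCOUNT, EXPORT_BUCKET = "111122223333", "example-cur-export"
SAMPLE_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "00000000-0000-4000-8000-000000000000"}}}]}
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:*", "cur:*", "billing:Get*", "organizations:Describe*", "pricing:Get*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-cur-export", "arn:aws:s3:::example-cur-export/*"]}]}

if __name__ == "__main__":
    print(audit_trust(SAMPLE_TRUST, VENDOR_ACCOUNT) + audit_permissions(SAMPLE_POLICY, EXPORT_BUCKET))
```

The policy documents for a deployed role can be exported from IAM as JSON and passed to the same two functions; `NotAction` statements and attached managed policies are outside what this example inspects.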
Customizing Cross-Account IAM Role Permissions:
We allow customers to modify the Cross-Account IAM Role permissions if they require a more restricted set of permissions. Keep in mind that restricting permissions too much may impact functionality, such as retrieving cost data for certain services. If required, please contact our support team to facilitate this process.
Access Revocation and Deletion:
Customers can revoke access to Cloud Capital at any time by disabling the IAM Role or deleting the role in AWS. Customers can also delete their Cloud Capital account, which will result in the deletion of all data associated with that account within 30 days.
Security Measures
Encryption:
- Data in Transit: All communication between Cloud Capital and AWS is encrypted using TLS to ensure data is secure during transmission.
- Data at Rest: Cost data accessed from AWS remains in the customer’s S3 bucket, which is governed by your standards. Within Cloud Capital, all data at rest is encrypted with AWS encryption standards.
Least Privilege Access:
- Read-Only Permissions: Our integration requests only the minimum set of read-only permissions necessary to forecast cloud costs. This minimizes risk and ensures that no customer resources are modified.
Logging and Audit Trails:
- All interactions with customer data and platform actions are logged for audit purposes. This includes detailed audit trails of access, data retrieval, and changes within the system. Customers can request logs or audit data as part of their compliance requirements.
FAQ
1. What data does Cloud Capital collect from my AWS account?
We collect AWS Cost and Usage Reports (CUR) and Cost Explorer data to forecast cloud spending. No sensitive billing details or payment methods are accessed.
2. How is my data protected during transmission and storage?
All data in transit is encrypted using TLS, and data at rest is protected by AWS encryption standards such as SSE-S3 or SSE-KMS.
3. Can I revoke access to my AWS account?
Yes, you can revoke Cloud Capital’s access at any time by disabling or deleting the IAM Role in AWS.
4. Does Cloud Capital support customization of IAM roles?
Yes, you can customize IAM role permissions. However, reducing permissions may affect functionality. Contact support if you need assistance.
5. Does Cloud Capital share data with third parties?
No, we do not share your cost or usage data with any third parties. We may use third-party services for internal purposes, such as analytics and support, but they do not access sensitive data.
6. How does Cloud Capital handle data after I stop using the platform?
We store your data only while you use our platform. Upon account deletion or revocation of access, all associated data is deleted within 30 days.
7. How long does it take to revoke access after deleting the IAM role?
Access is revoked immediately after deleting or disabling the IAM role.