
Security

This page describes how unusd.cloud accesses your AWS environment and how we handle your data.

Hub and Spoke Model

unusd.cloud uses a hub and spoke architecture. We deploy a read-only IAM Role in each of your AWS accounts that allows our scanner to read resource metadata and cost data through read-only AWS API calls.

Each IAM Role uses an ExternalId (your CustomerID) that is unique to your organization, eliminating the confused deputy problem.
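The ExternalId binding is what makes the spoke-side trust policy safe to hand to a third party: the hub account can only assume the role when it also presents the customer's own identifier. The following check is an added example (not unusd.cloud's code) that inspects a role trust policy for that condition. The hub account ID 111111111111, the statement Sid and the ExternalId value "cust-0000-example" are constructed placeholders standing in for the scanner account and the CustomerID.

```python
"""Trust-policy check for the hub-and-spoke ExternalId binding.

Added example, not code from unusd.cloud. The hub account ID
111111111111 and the ExternalId "cust-0000-example" are constructed
placeholders standing in for the scanner account and the CustomerID.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list in Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Constructed spoke-side trust policy: only the hub account may assume the
# role, and only when it presents the customer's ExternalId.
TRUST_POLICY_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HubAssume",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "cust-0000-example"}},
        }
    ],
}

# Same policy with the condition dropped: this is the confused-deputy shape.
# A hub that serves many customers could be steered into assuming this role
# on behalf of someone who merely knows the role ARN.
TRUST_POLICY_WITHOUT_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HubAssume",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _grants_assume_role(statement):
    """True if an Allow statement's Action covers sts:AssumeRole, wildcards included."""
    if statement.get("Effect") != "Allow":
        return False
    return any(
        fnmatch.fnmatchcase("sts:AssumeRole", pattern)
        for pattern in _as_list(statement.get("Action"))
    )


def assume_role_statements_missing_external_id(policy, expected_external_id=None):
    """Return labels of Allow/sts:AssumeRole statements without a usable ExternalId.

    A statement passes only if it carries Condition.StringEquals."sts:ExternalId"
    and, when expected_external_id is given, that value is among the accepted ones.
    The label is the statement Sid, or Statement[<index>] when no Sid is set.
    """
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if not _grants_assume_role(statement):
            continue
        condition = statement.get("Condition", {}).get("StringEquals", {})
        accepted = _as_list(condition.get("sts:ExternalId"))
        bound = bool(accepted) and (
            expected_external_id is None or expected_external_id in accepted
        )
        if not bound:
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


if __name__ == "__main__":
    print(assume_role_statements_missing_external_id(TRUST_POLICY_WITH_EXTERNAL_ID, "cust-0000-example"))
    print(assume_role_statements_missing_external_id(TRUST_POLICY_WITHOUT_EXTERNAL_ID))
```

To run this against a live role, fetch the document with boto3's `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` and pass it in; on the hub side the matching call is `sts.assume_role(RoleArn=..., RoleSessionName=..., ExternalId=...)`, and STS refuses the assumption when the ExternalId does not satisfy the condition. Pairing the check with CloudTrail monitoring of AssumeRole events on the spoke role shows who is actually using it.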

[Figure: hub-spoke model diagram]

Read-Only Permissions

The IAM Role is limited to read-only actions. We use the AWS managed policy SecurityAudit as a baseline, supplemented by a small set of additional read-only permissions for cost analysis and resource scanning.

AWS Managed Policy

  • SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit): AWS-maintained read-only policy covering a broad range of services for security auditing. Managed and kept up-to-date by AWS.

Additional Inline Permissions

The following read-only permissions are not covered by SecurityAudit and are required for cost analysis, metrics collection, and resource scanning:

Version 1.3 - Additional Permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdditionalReadOnlyPermissions",
      "Action": [
        "account:GetContactInformation",
        "account:ListRegions",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cost-optimization-hub:GetPreferences",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListEfficiencyMetrics",
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:ListRecommendationSummaries",
        "cost-optimization-hub:ListRecommendations",
        "glue:GetSession",
        "glue:ListSessions",
        "logs:GetLogEvents",
        "pricing:GetProducts",
        "s3:GetObjectAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
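A customer reviewing the inline policy above will want to confirm for themselves that every action is a read-style call and that nothing open-ended slipped in. The script below is an added example, not unusd.cloud's tooling: it embeds the "Version 1.3 - Additional Permissions" document from this page verbatim, classifies each action by its verb, and flags wildcard grants and NotAction statements. The helper `_with_extra_actions` and the extra actions it is given are constructed only to show what a failing review looks like.

```python
"""Verify that an IAM permissions policy grants only read-style actions.

Added example, not unusd.cloud's own tooling. ADDITIONAL_PERMISSIONS_JSON is
the "Version 1.3 - Additional Permissions" policy from this page, verbatim.
"""
import json

ADDITIONAL_PERMISSIONS_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdditionalReadOnlyPermissions",
      "Action": [
        "account:GetContactInformation",
        "account:ListRegions",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cost-optimization-hub:GetPreferences",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListEfficiencyMetrics",
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:ListRecommendationSummaries",
        "cost-optimization-hub:ListRecommendations",
        "glue:GetSession",
        "glue:ListSessions",
        "logs:GetLogEvents",
        "pricing:GetProducts",
        "s3:GetObjectAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
"""

PAGE_POLICY = json.loads(ADDITIONAL_PERMISSIONS_JSON)

# IAM's read-style verb prefixes. This is a naming convention, not a guarantee:
# a Get action can still return data contents (logs:GetLogEvents does).
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a single string or a list in the Action field."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Return every grant in Allow statements that is not a read-style action.

    Flags: actions whose verb does not start with a READ_ONLY_VERBS prefix,
    wildcard actions such as "*" or "s3:*", and whole statements that use
    NotAction (which allow everything not listed).
    """
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        label = statement.get("Sid", f"Statement[{index}]")
        if "NotAction" in statement:
            findings.append(f"{label}: NotAction grants everything not listed")
            continue
        for action in _as_list(statement.get("Action")):
            _service, _, verb = action.partition(":")
            # "*" has no verb part; "s3:*" has a wildcard verb; both are open-ended.
            if not verb or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings


def _with_extra_actions(policy, extra_actions):
    """Deep copy of policy with extra actions appended to its first statement (constructed for the demo)."""
    altered = json.loads(json.dumps(policy))
    altered["Statement"][0]["Action"].extend(extra_actions)
    return altered


if __name__ == "__main__":
    print("page policy findings:", non_read_only_actions(PAGE_POLICY))
    drifted = _with_extra_actions(PAGE_POLICY, ["ec2:TerminateInstances", "s3:*"])
    print("drifted policy findings:", non_read_only_actions(drifted))
```

The verb check answers "can this role change anything?", not "what can it read?"; actions such as logs:GetLogEvents return log contents rather than metadata, so a reviewer should read the list once by hand as well. Running the same function over the live role's attached and inline policies (boto3 `iam.get_role_policy` and `iam.get_policy_version`) turns the one-time review into a drift check.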

Data Storage

We do not persist any confidential AWS information. Only the following metadata is stored:

  1. AWS Account IDs
  2. Email settings
  3. Webhook URLs (Slack / Microsoft Teams)
  4. Preferred scan schedule
  5. Scan history: potential savings, resource counts, and cost metrics

Encryption

  • At rest: All data is encrypted using AES-256 (DynamoDB server-side encryption)
  • In transit: All API calls and data transfers use TLS 1.2+
