Skip to content

🔒 Security

The security measures employed by unusd.cloud and our data handling practices are detailed in this page.

🧙 Hub and Spoke model

Our AWS IAM Role on each of your AWS accounts utilizes the Hub and Spoke model in order to track your unutilized resources and spending information through a few read-only AWS API calls.

The ExternalId or CustomerID employed by the AWS IAM Role is unique to each customer, effectively eliminating the confused deputy problem.

hub-spoke model

👀 Read-Only Permissions

Our AWS IAM Role is limited to read only actions which are listed below:

Version 0.7 - Updated on 2024-10-06
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "account:GetContactInformation",
        "account:ListRegions",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "cloudwatch:GetMetricStatistics",
        "ec2:Describe*",
        "ec2:List*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "es:List*",
        "glue:GetDevEndpoints",
        "glue:GetTags",
        "iam:GetAccessKeyLastUsed",
        "iam:GetRole",
        "iam:List*",
        "logs:Describe*",
        "logs:List*",
        "pricing:GetProducts",
        "rds:Describe*",
        "rds:List*",
        "redshift:Describe*",
        "redshift:List*",
        "route53:List*",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetObjectAttributes",
        "s3:GetObjectTagging",
        "s3:List*",
        "sagemaker:Describe*",
        "sagemaker:List*",
        "secretsmanager:Describe*",
        "secretsmanager:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

💾 Data storage

We do not persist any confidential AWS information. Only meta data configuration items are stored:

  1. AWS AccountIDs
  2. Email settings
  3. Webhooks (Slack / Microsoft Teams) URLs
  4. Prefered scan schedule
  5. History of potential savings and wasted resources (Reports)

🔒 Encryption Everywhere

TLS encryption is employed both at-rest and in-transit.