Skip to content

🔒 Security

The security measures employed by unusd.cloud and our data handling practices are detailed in this page.

🧙 Hub and Spoke model

Our AWS IAM Role on each of your AWS accounts utilizes the Hub and Spoke model in order to track your unutilized resources and spending information through a few read-only AWS API calls.

The ExternalId or CustomerID employed by the AWS IAM Role is unique to each customer, effectively eliminating the confused deputy problem.

hub-spoke model

👀 Read-Only Permissions

Our AWS IAM Role is limited to read only actions. We leverage the AWS managed policy SecurityAudit as a baseline, supplemented by a small set of additional read-only permissions required for cost analysis and resource scanning.

AWS Managed Policy

  • SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit) — AWS-maintained read-only policy covering a broad range of services for security auditing purposes. This policy is managed and kept up-to-date by AWS.

Additional Inline Permissions

The following read-only permissions are not included in the SecurityAudit managed policy and are required for cost analysis, metrics collection, and resource scanning:

Version 1.2 — Additional Permissions
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdditionalReadOnlyPermissions",
      "Action": [
        "account:GetContactInformation",
        "account:ListRegions",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "glue:GetSession",
        "glue:ListSessions",
        "logs:GetLogEvents",
        "pricing:GetProducts",
        "s3:GetObjectAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

💾 Data storage

We do not persist any confidential AWS information. Only metadata configuration items are stored:

  1. AWS AccountIDs
  2. Email settings
  3. Webhooks (Slack / Microsoft Teams) URLs
  4. Preferred scan schedule
  5. History of potential savings and wasted resources (Reports)

🔒 Encryption Everywhere

TLS encryption is employed both at-rest and in-transit.