Skip to main content

Understanding Permissions and Security in CloudYali

At CloudYali, we prioritize your cloud security by following the principle of least privilege. This ensures that we request only the permissions necessary to provide cost analysis, monitoring, and cloud optimization insights, without compromising your cloud environment's security.

This document explains the permissions required for CloudYali to interact with your AWS and GCP environments, and how these permissions help maintain the security of your cloud resources.

Security Principles

CloudYali operates based on the following core security principles:

  • Least Privilege Access: We request only the permissions necessary for performing specific tasks, minimizing potential security risks.
  • No Write Permissions: CloudYali will never request write permissions in your cloud accounts, ensuring we cannot make changes to your environment.
  • Cross Account IAM Roles and Service Accounts: We use Cross Account IAM Roles (for AWS) and Service Accounts (for GCP) to provide secure, restricted access to your cloud environments without requiring access keys or login credentials.

AWS Permissions Overview

Cross Account IAM Role

For AWS, CloudYali uses a Cross Account IAM Role to access the necessary data for cost and security analysis. This role is created using an AWS CloudFormation template provided during the onboarding process. The IAM Role provides CloudYali with read-only access to AWS services to ensure we do not have permissions to make changes.

Required Permissions

  • ReadOnlyAccess: Grants read-only permissions for all AWS resources, allowing CloudYali to gather information about your cloud infrastructure.
  • CostExplorerFullAccess: Provides access to AWS Cost Explorer to collect cost and usage data.
  • CloudWatchReadOnlyAccess: Required to read metrics and performance data from AWS CloudWatch for monitoring purposes.

The Cross Account IAM Role includes a trust policy that allows CloudYali's AWS account to assume the role, ensuring secure access without sharing credentials. For more details, refer to the AWS IAM Role Setup Guide.

GCP Permissions Overview

Service Account Integration

For GCP, CloudYali uses a Service Account to securely access your cloud resources. This Service Account is created during onboarding and assigned specific roles to allow access to cost management and monitoring data.

Required Permissions

  • Viewer: Grants read-only access to all resources in your GCP project, enabling CloudYali to gather insights into your cloud environment.
  • BigQuery Job User: Required for running queries on the BigQuery dataset where billing data is exported.
  • Billing Account Viewer: Grants read-only access to billing information to help analyze and manage cloud spend.
  • Monitoring Viewer: Provides read-only access to metrics from Google Cloud Monitoring for real-time insights.

For more detailed instructions on setting up the Service Account, refer to the GCP Cost Management Onboarding Guide.

Data Security and Compliance

At CloudYali, we are committed to maintaining industry standards for data security and compliance:

  • Data Encryption: All data transmitted between CloudYali and your cloud provider is encrypted in transit using TLS. Data stored by CloudYali is encrypted at rest.
  • SOC 2 and GDPR Compliance: CloudYali adheres to SOC 2 and GDPR standards, ensuring that your data is handled in a secure and compliant manner.
  • Access Controls: Access to customer data within CloudYali is restricted based on role, with strict policies ensuring that only authorized personnel can access sensitive information.

Data Sharing

We do not share any data externally. We do not sell or share any user data with any third parties.

Data Deletion in Case of Account Deboarding

Upon account deboarding, CloudYali ensures that all user data is deleted. This includes all cloud cost data, metadata, and account information that was collected during the onboarding process. We take data deletion requests seriously and follow strict procedures to ensure the complete removal of data from our systems.

Frequently Asked Questions

Why does CloudYali need read-only permissions?

CloudYali requires read-only permissions to collect data about your cloud resources, costs, and usage. This allows us to provide insights and recommendations without making any modifications to your cloud environment.

Can I customize the permissions granted to CloudYali?

While we recommend using the permissions listed in this guide to ensure full functionality, you can customize the policies as long as the required access for cost and resource monitoring is maintained.

How does CloudYali ensure that my cloud environment remains secure?

CloudYali uses Cross Account IAM Roles (AWS) and Service Accounts (GCP) to securely access cloud environments without needing direct credentials. We also enforce the principle of least privilege, and all access is read-only, ensuring no changes can be made to your cloud resources.

How is customers’ data protected, and who has access to the data?

All data is encrypted in transit and at rest. Access to customer data is strictly controlled and limited to authorized CloudYali personnel only.

Do you log access activities of CloudYali's employees who have access to the data?

Yes.

Does CloudYali store any information regarding cloud infrastructure in the database?

Yes. We store basic metadata on cloud infrastructure to be able to show corresponding costs for associated resources. We cannot access any of the underlying resources or any information on those resources.

Does CloudYali hold any security certifications, such as SOC 2 or ISO 27001?

We are in the process of achieving our SOC 2 certification. The expected date is April 2024.

Does CloudYali have a bug bounty program or a straightforward process to report security issues?

CloudYali receives reports via support@cloudyali.io. We review every single report that we receive. We do not have a formal bug bounty program, but we do have a process as well as a set of policies and standards we follow to process security requests.

For any further questions or assistance with onboarding, please visit our Support Page.

© 2024 CloudYali. All rights reserved.

Last updated on by Nishant Thorat