Cloudanix uses the AWS-recommended approach, Cross Account IAM Roles, to sync information from your AWS account and its resources. We do not store any sensitive information, such as your AWS Account Access Keys and Access Secrets, inside Cloudanix. Read more here.

Connecting to your account for the first time

We use a CloudFormation template to create a Stack that provisions the roles needed to access your account. This creates a cross-account role with a minimal permission set.

Monitored Regions

Out of the box, all the Regions are monitored by Cloudanix. For Opt-In Regions in AWS, enable the Region in your AWS Console.

  • US East (Ohio) - us-east-2
  • US East (Virginia) - us-east-1
  • US West (N. California) - us-west-1
  • US West (Oregon) - us-west-2
  • Asia Pacific (Mumbai) - ap-south-1
  • Asia Pacific (Osaka) - ap-northeast-3
  • Asia Pacific (Seoul) - ap-northeast-2
  • Asia Pacific (Singapore) - ap-southeast-1
  • Asia Pacific (Sydney) - ap-southeast-2
  • Asia Pacific (Tokyo) - ap-northeast-1
  • Canada (Central) - ca-central-1
  • Europe (Frankfurt) - eu-central-1
  • Europe (Ireland) - eu-west-1
  • Europe (London) - eu-west-2
  • Europe (Paris) - eu-west-3
  • Europe (Stockholm) - eu-north-1
  • South America (São Paulo) - sa-east-1
  • Africa (Cape Town) - af-south-1
  • Asia Pacific (Hong Kong) - ap-east-1
  • Asia Pacific (Hyderabad) - ap-south-2
  • Asia Pacific (Jakarta) - ap-southeast-3
  • Asia Pacific (Melbourne) - ap-southeast-4
  • Canada West (Calgary) - ca-west-1
  • Europe (Milan) - eu-south-1
  • Europe (Spain) - eu-south-2
  • Europe (Zurich) - eu-central-2
  • Israel (Tel Aviv) - il-central-1
  • Middle East (Bahrain) - me-south-1
  • Middle East (UAE) - me-central-1

All Regions supported by AWS.

Permissions

We are very diligent and prescriptive about the permissions we ask for. The permissions requested depend on which capabilities you pick. For example, if you choose to use only the Misconfig capability, then our permissions are strictly READ-ONLY! These policies are customized to give us minimal permissions and to avoid sharing any sensitive information from your account. You can always examine the CloudFormation template before you execute it in your AWS account.
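An added example (not Cloudanix's own code): a Python check that a CloudFormation template, in JSON form, grants only the actions and managed policies this page lists for the capabilities you selected. The capability keys, function names and sample template are constructed for illustration; the Misconfig read-only set is not listed on this page, so it is not covered.

```python
import json
# Actions and managed policies listed on this page; the capability keys are labels chosen here.
DOCUMENTED = {
    "events": {"cloudtrail:CreateTrail", "cloudtrail:ListTrails", "cloudtrail:StartLogging",
               "s3:CreateBucket", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketPolicy",
               "s3:PutBucketPublicAccessBlock", "s3:PutBucketVersioning", "s3:PutObject",
               "events:DeleteRule", "events:DisableRule", "events:EnableRule",
               "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:PutEvents"},
    "rightsizing": {"athena:BatchGetQueryExecution", "athena:GetQueryExecution",
                    "athena:GetQueryResults", "athena:StartQueryExecution",
                    "glue:CreateDatabase", "s3:GetObject", "s3:DeleteObject"},
    "jit": {"arn:aws:iam::aws:policy/IAMFullAccess"},
    "remediation": {"arn:aws:iam::aws:policy/PowerUserAccess"},
}

def names(v):
    # Scalar-or-list field -> list of strings; intrinsic functions become JSON text so they get flagged.
    return [x if isinstance(x, str) else json.dumps(x) for x in (v if isinstance(v, list) else [v])]

def granted(template):
    """Collect Allow actions and managed policy ARNs from every AWS::IAM::* resource."""
    found = set()
    for res in template.get("Resources", {}).values():
        kind, props = res.get("Type", ""), res.get("Properties", {})
        if not kind.startswith("AWS::IAM::"):
            continue
        found.update(names(props.get("ManagedPolicyArns", [])))
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        docs.append(props.get("PolicyDocument", {}))
        for doc in docs:
            stmts = doc.get("Statement", [])
            for stmt in (stmts if isinstance(stmts, list) else [stmts]):
                if stmt.get("Effect") == "Allow":  # an Allow without Action uses NotAction
                    found.update(names(stmt.get("Action", ["<NotAction statement>"])))
    return found

def undocumented(template, capabilities):
    """Return grants not covered by the documented lists for the chosen capabilities."""
    allowed = set().union(*(DOCUMENTED[c] for c in capabilities))
    return sorted(granted(template) - allowed)

# Constructed sample template, not the real Cloudanix template.
SAMPLE = {"Resources": {"Role": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/IAMFullAccess"],
    "Policies": [{"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteBucket"], "Resource": "*"}]}}]}}}}
if __name__ == "__main__":
    print(undocumented(SAMPLE, ["events"]))
```

Matching is exact and case-sensitive, so wildcards such as `s3:*` are reported rather than expanded.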

Misconfig Capability

We have taken the time and done a thorough analysis to find the minimal permission set required to run an effective audit against your AWS account. More details here.

Events, Threats & Anomaly Detection Capability

Permissions
  cloudtrail:CreateTrail
  cloudtrail:ListTrails
  cloudtrail:StartLogging
  s3:CreateBucket
  s3:PutBucketObjectLockConfiguration
  s3:PutBucketPolicy
  s3:PutBucketPublicAccessBlock
  s3:PutBucketVersioning
  s3:PutObject
  events:DeleteRule
  events:DisableRule
  events:EnableRule
  events:PutRule
  events:PutTargets
  events:RemoveTargets

The following permissions are scoped to the Event Bus of the Cloudanix Production AWS Account.

Permissions
  events:PutEvents

IAM Right Sizing Capability

Permissions
  athena:BatchGetQueryExecution
  athena:GetQueryExecution
  athena:GetQueryResults
  athena:StartQueryExecution
  glue:CreateDatabase

The following permissions are scoped to the S3 Bucket created by Cloudanix.

Permissions
  s3:GetObject
  s3:DeleteObject

IAM JIT Capability

Permissions
  arn:aws:iam::aws:policy/IAMFullAccess

Remediation Capability

Permissions
  arn:aws:iam::aws:policy/PowerUserAccess

Customizing Permissions

If your security teams need to further trim down the permissions, we are always receptive to that. Please reach out to us and we can work together with your teams to get this accomplished. Please note that this could result in curtailing certain features.

Disconnecting your AWS account

We don’t play any gimmicks or ask you to Contact Us if you decide to disconnect your account. It’s a self-serve feature: you can disconnect the account at your own will, whenever you feel like it. Of course, we don’t want that, but we also don’t want you to jump through a lot of hoops to get it accomplished. As soon as you delete your account, we also delete all the data associated with it.

Who has access to your data within Cloudanix team?

Just two team members, who are also the founders of Cloudanix. We all come from Infrastructure, Cloud, Web hosting and SaaS application backgrounds. Our team members have worked across the globe in NYC, SF, London and India. We ensure that the security of your accounts and data is the First Priority at Cloudanix. No compromises there at all.

If you have any other questions or feedback for us, please feel free to email us at [email protected]