Security

General

We take all the security precautions in order to ensure that the way how our users communicates with our app and how their data is stored and accessed is secured as much as possible. Here are main steps that we take to ensuring this:

• Encryption of Data in Transit: To ensure secure connections all communications with our app and APIs use Transport Layer Security (TLS, formerly called Secure Sockets Layer [SSL])
• Encryption of Data at Rest: Our databases and files are encrypted using one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256)
• Encrypted Backups: Our databases are continuously backed up with Point-in-Time Recovery
• User Authentication / Authorization: For user authentication, authorization we use AWS Cognito service which is compliant with SOC 1-3, PCI DSS, ISO 27001, and is HIPAA-BAA eligible. You can verify this here
• Data Access: All synced data, diagrams, generation profiles are only accessable by you. Cloudviz employees will never access that data. Only exception would be incase of support requests from your side
• Data Center: Cloudviz.io is hosted in AWS data centers which has a long list of internationally-recognized certifications like ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1

Connecting your cloud

Cross-acount roles with external id

In order to securely connect your cloud environment to our app we use cross-account roles with unique external id generated by us for each subscriber. You have to create this role in your AWS IAM (Identity and Access Management) using our provided AWS account number and unique external id. Check our app for detailed steps.

If you are interested in more details about security using cross-account roles with external id please read this comprehensive guide from AWS team

Read Only Policy

The easy way is to use "ReadOnlyAccess" policy which will provide read-only access to your AWS services and resources. The other more strict option is to create your own policy and decide which services your will grant read access to. We will only import and display resources our app has permission for. Please see below for our suggested custom read-only policy in order to use our app's sync functionality fully:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "dynamodb:ListTables",
                "ses:List*",
                "dynamodb:ListTagsOfResource",
                "s3:List*",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "rds:Describe*",
                "dynamodb:DescribeTable",
                "glacier:List*",
                "timestream:List*",
                "timestream:Describe*",
                "elasticache:List*",
                "route53:List*",
                "elasticloadbalancing:Describe*",
                "apigateway:GET",
                "ecs:List*",
                "cloudfront:List*",
                "ses:Get*",
                "sqs:ListQueues",
                "elasticfilesystem:Describe*",
                "sns:GetTopicAttributes",
                "lambda:List*",
                "lambda:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "ecs:Describe*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "elasticache:Describe*",
                "sns:List*",
                "ec2:Describe*",
                "rds:ListTagsForResource",
                "kafka:ListNodes",
                "kafka:ListClusters",
                "redshift:Describe*",
                "workspaces:Describe*",
                "es:Describe*",
                "es:List*",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "kinesis:List*",
                "kinesis:Describe*",
                "wafv2:ListWebACLs",
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListTagsForResource",
                "ds:DescribeDirectories",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "appsync:ListGraphqlApis",
                "appsync:ListDataSources"
            ],
            "Resource": "*"
        }
    ]
}

Credit card data handling

We don't use our servers for sending or storing credit card data.

For billing and invoicing purposes we use Chargbee which is PCI DSS Level 1 certified service provider. You can verify it here with more details

Credit card data is stored in payment processor called Stripe. Stripe is a validated PCI DSS Level 1 compliant service provider. You can verify it here with more details

Found security bug?

Please send us email to security@cloudviz.io and we will start to work on this right away