Security and Compliance

What permissions does Flexsave require?

Getting started with Flexsave involves two stages with different permission levels:

  1. Generate Savings Estimate

    To get recommendations for which Savings Plans could be attached to your account, DoiT International requires permission to use the GetSavingsPlansPurchaseRecommendation AWS Cost Explorer action.

  2. Enablement

    To turn on Flexsave, a new customer will create a policy that allows DoiT to share Savings Plans with the customer organization in AWS. This step enables automated compute savings. This policy gives DoiT permissions to:

    • Use the GetCostAndUsage AWS Cost Explorer action

    • View and download the contents of the S3 bucket in which the CUR is kept

    • View information about existing RIs and SPs

    • Invite DoiT-controlled accounts to the organization, from which DoiT can share its inventory of Savings Plans. These accounts have no running resources and do not impact your existing accounts.

      Note: the ability to invite new accounts is the only area in which DoiT has edit access (as opposed to view or get access).
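Before deploying the policy, a customer can check it against the statement above that inviting accounts is the only edit access. The script below is an added example, not DoiT's code or policy: the function name, both sample policies and every action name other than GetSavingsPlansPurchaseRecommendation and GetCostAndUsage are assumptions chosen to match the descriptions in the list.

```python
import json

READ_VERBS = ("get", "list", "describe")  # read-only verb prefixes in AWS action names
# Assumed IAM name for the one write permission the page describes (inviting accounts).
ALLOWED_WRITES = {"organizations:inviteaccounttoorganization"}


def _as_list(value):
    """IAM accepts either a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def unexpected_actions(policy_json):
    """Return allowed actions that are neither read-only nor the permitted write."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction")
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")  # action names are case-insensitive
            if action.lower() in ALLOWED_WRITES:
                continue
            # A wildcard passes only behind a read verb (s3:Get*), never as ec2:* or *.
            if "*" not in service and name.startswith(READ_VERBS):
                continue
            findings.append(action)
    return findings


# Constructed sample policies, not DoiT's actual policy document.
_READS = ["ce:GetSavingsPlansPurchaseRecommendation", "ce:GetCostAndUsage",
          "s3:GetObject", "s3:ListBucket",
          "ec2:DescribeReservedInstances", "savingsplans:DescribeSavingsPlans"]
AS_DESCRIBED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": _READS, "Resource": "*"},
    {"Effect": "Allow", "Action": "organizations:InviteAccountToOrganization",
     "Resource": "*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": _READS + ["ec2:RunInstances", "s3:*"],
     "Resource": "*"}]})

if __name__ == "__main__":
    print(unexpected_actions(AS_DESCRIBED))  # []
    print(unexpected_actions(TOO_BROAD))     # ['ec2:RunInstances', 's3:*']
```

Matching on read verbs only separates view access from edit access; what a Get or List action can actually read still depends on the Resource element of each statement.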

What information does DoiT have access to at the different stages?

In the Savings Forecast stage, DoiT has view-only access to the data in the Cost Explorer API.

After Onboarding and Enablement, DoiT will be able to see what is available in the CUR:

  • Zones and regions where instances are being run
  • Operating systems supported
  • Virtual machine types
  • Objects in the bucket where the CUR is stored
  • Current discount mechanisms and their expirations

To make specific optimization decisions in real time, DoiT will also require additional read-only access to details about a customer's RIs and SPs (beyond what's listed in the billing information).

What information does DoiT NOT have access to?

At no point during either stage will DoiT have access to sensitive customer information, including:

  • The entire AWS environment configuration
  • Personally Identifiable Information (PII)
  • IP addresses
  • Metadata
  • Network configs, instances or peering information
  • Security parameters, groups or keys

DoiT will also never be able to create or run new resources or edit any existing instances.

How long does DoiT's access last?

Access to the Savings Forecast need only last as long as it takes DoiT to generate and share the forecast with the customer. If you choose not to move forward, it can be disabled anytime.

Should you decide to become a customer, DoiT will have ongoing access to the following for as long as you remain a user of Flexsave:

  • Zones and regions where instances are being run
  • Operating systems supported
  • Virtual machine types
  • Objects in the bucket where the CUR is stored

Please note that since the customer grants these permissions, the customer can disable these permissions by turning off Flexsave:

  1. Raise a support ticket with DoiT, asking to cancel
  2. DoiT removes its SP inventory from the organization
  3. The customer deletes the CloudFormation stack, which removes DoiT's permissions

Once the steps above are complete, the customer will no longer have access to the savings generated by Flexsave.

Note

DoiT requires 30 days' notice to cancel the service and complete the steps above.

What security and compliance policies are Flexsave governed by?

DoiT operates on the highest level of industry security standards, and the following security and compliance certifications explicitly cover Flexsave:

  • ISO 27001
  • SOC 2 Type II
  • SOC 3
  • GDPR

For a complete breakdown of compliance certifications and further information, please visit the DoiT compliance offerings page.