Skip to main content

Security and compliance

What is Flexsave?

Flexsave evaluates AWS billing data and usage to identify and enable opportunities for savings for on-demand compute instances which are not covered by Reserved Instances (RI) or Savings Plans (SP).

What security and compliance policies are Flexsave governed by?

DoiT operates on the highest level of industry security standards, and Flexsave specifically is covered by the following security and compliance certifications:

  • ISO27001
  • SOC 2 Type II
  • SOC 3
  • GDPR

For a complete breakdown of compliance certifications and further information, please visit

What permissions are required for Flexsave to work?

Getting started with Flexsave involves two stages with different permission levels:

  1. Generate Savings Estimate

    To get recommendations for what Savings Plans we could be attaching to your account, DoiT International requires use of the GetSavingsPlansPurchaseRecommendation AWS Cost Explorer action.

  2. Enablement

    To turn on Flexsave, a new customer will create a policy which allows DoiT to share Savings Plans with the customer organization in AWS. This step allows for automated compute savings. This policy gives DoiT permissions to:

    • Use of the GetCostAndUsage AWS Cost Explorer action

    • View and download the contents of the S3 Bucket in which the CUR is kept

    • View information about existing RIs and SPs

    • Invite DoiT-controlled accounts to the organization, from which DoiT can share its inventory of Savings Plans. These accounts have no running resources and do not impact your existing accounts.

      Note: the ability to invite new accounts is the only area in which DoiT has edit access (as opposed to view or get access).

What information does DoiT have access to at the different stages?

In the Savings Forecast stage, DoiT has view-only access to the data in the Cost Explorer API.

After Onboarding and Enablement, DoiT will be able to see what is available in the CUR:

  • Zones and regions where instances are being run
  • Operating systems supported
  • Virtual machine types
  • Objects in the bucket where the CUR is stored
  • Current discount mechanisms and their expirations

In order to make specific optimization decisions in real time, DoiT will also require additional read-only access to details about a customer's RIs and SPs (beyond what's listed in the billing information).

What information does DoiT NOT have access to?

At no point during either stage will DoiT have access to sensitive customer information, including:

  • The entire AWS environment configuration
  • Personally Identifiable Information (PII)
  • IP addresses
  • Metadata
  • Network configs, instances or peering information
  • Security parameters, groups or keys

DoiT will also never have the ability to create or run new resources, or edit any existing instances.

How long does DoiT's access last?

Access for the Savings Forecast need only last as long as it takes DoiT to generate and share the forecast with the customer. If you choose not to move forward, it can be disabled at any time.

Should you decide to become a customer, DoiT will have ongoing access to the following for as long as you remain a user of Flexsave:

  • Zones and regions where instances are being run
  • Operating systems supported
  • Virtual machine types
  • Objects in the bucket where the CUR is stored

Please note that since these permissions are granted by the customer, any customer can disable these permissions by turning off Flexsave:

  1. Raise a support ticket with DoiT asking to cancel
  2. DoiT removes its SP inventory from the organization
  3. Customer deletes the CloudFormation stack, which removes DoiT's permissions

Once the above steps are taken, the customer will no longer have access to the savings generated by Flexsave. Note that DoiT requires 30 days notice to cancel the service and complete the above steps.