DAY2™ follows and enforces a least-privilege permission model across our platform operations. Our aim is to ensure that our customers stay in full control of the permissions they grant, and to keep our access granular to the scope of every operation.
DAY2™ creates specific roles with only the permissions needed to perform the tasks on your behalf, and nothing more. The IAM roles in your AWS account carry the minimum permissions each role requires, together with AWS managed policies recommended by AWS.
We create IAM roles to perform actions for each of the following features. These roles are created in your AWS account only if you have opted in to the operation, and only with your consent.
The AWS services used by our features are listed below:
- Core Platform (Onboarding & Continuous Discovery): CloudWatch Events, S3, CloudTrail, Resource Groups + Tagging
- Server Management: Systems Manager (Automation, Run Command, State Manager, Patch policy, Resource data sync, Session Manager), S3, AMI, EC2
- Blueprints: CloudFormation, SSM (Automation); other resources and services vary based on the blueprint being launched
- Application Management: CloudWatch Alarms, S3, CloudFormation, SSM (Automation)
- Security Bot: Security Hub, Fargate, SSM (Parameter Store, Automation), CloudFormation, CloudWatch Events, SNS
- Compliance Bot: AWS Config, SSM (Parameter Store, Automation), CloudWatch Events, SNS
- Desired Account State: CloudFormation, SSM (Automation), S3, SNS, AWS Budgets, CloudTrail, AWS Config, IAM, Lambda, CloudWatch, Trusted Advisor, Security Hub
- Desired Region State: CloudFormation, SSM (Automation), S3, SNS, AWS Config, AWS GuardDuty, Lambda, CloudWatch, VPC, Internet Gateway, Elastic IP, NAT Gateway, Trusted Advisor, Security Hub, IAM Access Analyzer
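Because the roles are created in your own account, you can verify the least-privilege claim yourself by reviewing each role's policy documents offline. The script below is an added example, not DAY2's code: it flags the usual least-privilege red flags in an IAM policy (wildcard actions, `NotAction`/`NotResource`, write actions on `Resource: "*"` without a condition) and compares the service prefixes a policy grants against the service list a feature declares. The two embedded policies are constructed samples, the bucket name is a placeholder, and the mapping of the Core Platform feature's services to IAM service prefixes (`events`, `s3`, `cloudtrail`, `tag`, `resource-groups`) is an assumption made for illustration.

```python
"""Offline least-privilege review of IAM policy documents (added example, not DAY2's code)."""
import json

# Constructed sample: assumed to resemble a scoped policy for the Core Platform feature
# (CloudWatch Events, S3, CloudTrail, Resource Groups + Tagging). The bucket name and
# action list are placeholders, not DAY2's actual policy.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudtrail:LookupEvents", "cloudtrail:DescribeTrails",
                "events:DescribeRule", "events:ListRules",
                "tag:GetResources", "resource-groups:ListGroups"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-discovery-bucket/*"}
  ]
}""")

# Constructed sample of an over-broad policy that a least-privilege review should reject.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "events:PutRule"], "Resource": "*"}
  ]
}""")

# Assumed mapping of the feature's declared services to IAM action prefixes.
CORE_PLATFORM_SERVICES = {"events", "s3", "cloudtrail", "tag", "resource-groups"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic: Describe*/Get*/List*/Lookup* calls; many of these only accept Resource '*'."""
    name = action.split(":", 1)[-1]
    return name.startswith(("Describe", "Get", "List", "Lookup"))


def services_in_policy(policy):
    """Service prefixes granted by Allow statements, e.g. {'s3', 'events'} ('*' for Action '*')."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def unexpected_services(policy, declared):
    """Services the policy touches that the feature did not declare."""
    return services_in_policy(policy) - set(declared)


def least_privilege_findings(policy):
    """Human-readable findings for each Allow statement that is broader than it needs to be."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource grants everything not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        # Write-class actions on every resource, with no Condition narrowing them, are the
        # classic over-grant; read-only calls on '*' are often unavoidable and are not flagged.
        writes = [a for a in actions if not is_read_only(a) and not a.endswith("*")]
        if "*" in resources and writes and "Condition" not in stmt:
            findings.append(f"statement {idx}: write actions {writes} on Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, "findings:", least_privilege_findings(policy))
        print(name, "undeclared services:", unexpected_services(policy, CORE_PLATFORM_SERVICES))
```

To review a real role, export its inline and attached policy documents (for example with `aws iam get-role-policy` and `aws iam get-policy-version`) and pass each document to `least_privilege_findings` and `unexpected_services` with the service set for the feature that role serves; the heuristics deliberately err toward flagging, so treat each finding as a question for the vendor rather than a verdict.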
For granular details of the IAM permissions for each of these areas, contact us at support@montycloud.com.