Cloud Conformity’s data access requirements are determined at an Account level by the product subscriptions enabled for each account.
|Security||Base||AWS Custom Policy|
|Real-time monitoring||Add-on||Real-Time Threat Monitoring settings|
|Cost Optimisation||Add-on||Access AWS Cost Billing Bucket|
The Conformity Bot can ingest data from all but 3 AWS supported regions.
Last updated 21 Oct 2019
Cloud Conformity takes the security of its customers seriously and is currently preparing for SOC 2. We will complete our SOC 2 gap assessment in November 2019 and be in a position to advise completion shortly afterward. Our application is built on AWS, complies with AWS best practices and runs on AWS services that are accredited for SOC 1, 2 and 3 and ISO 27001:2013. Additionally, we have a formal bug bounty program in place with BugCrowd.
How does Cloud Conformity access my AWS account?
Cloud Conformity uses a AWS Custom Policy to view your AWS account metadata - there is no read or write access to your data.
What data does Cloud Conformity capture and how is it stored?
Cloud Conformity only accesses the metadata associated with your AWS infrastructure. For example, we recognize that your AWS account has twelve S3 buckets and twenty EC2 instances, however, we cannot see the data/applications associated with these resources.
We retain metadata for active accounts for a 12-month period after which it is automatically deleted. For events, you can query logs to view the last 500 events via UI and 1200 via API. If you choose to deactivate an account, all your data is automatically deleted at the time of deactivation.
Does anyone at Cloud Conformity look at this data?
No, Cloud Conformity staff don’t have access to view your dashboard or account information. Authorized members of our technical team have limited access to view metadata associated with your accounts, for example, the number of compliance checks performed. However, our staff cannot see the specific violations associated with your AWS account.
We understand that the infrastructure configurations (metadata) could be considered sensitive and we have several layers of security in place to ensure that this metadata is captured, stored and accessed securely.
Customer metadata is encrypted at all touchpoints in our AWS infrastructure. From data collection, using signed requests and the AWS Security Token Service (STS), to the use of encryption at rest using the AWS Key Management Service. All internal staff must comply with our strong password policies and have MFA enabled. All access to Cloud Conformity infrastructure is monitored and access levels are reviewed on a regular basis, with the principle of least privilege enforced. Only senior Cloud Conformity engineers have access to production systems.
It’s important to note that Cloud Conformity staff do not have access to the customer’s Cloud Conformity account unless the customer chooses to grant their Technical Account Manager read-only access - which is at the discretion of the customer.