If you are unable to use our SaaS offering due to strict compliance requirements, we highly recommend that you use Quadzig through AWS Marketplace. With our AWS Marketplace offering, the application is hosted in an EC2 Instance that you control and you have full administrative control over the Instance. You can secure this instance with security controls as per your orgnization's requirements.
Go to AWS MarketplaceQuadzig is an infrastructure visualization platform and as such, requires access to your infrastructure data. We understand that such data is highly sensitive and take a number of measures to make sure that we offer our services in the most secure way possible.
Below you will find information about the scope of the data we collect and it's lifecycle within our system. We also outline the security policies in place to protect your data.
For the rest of the document, wherever "Data" or "data" is mentioned, we are explicitly referring to your AWS infrastructure related data that is used to visualize your infrastructure.
Quadzig uses the AWS recommended way of Cross Account IAM role to securely discover resources in your AWS Infrastructure. We DO NOT support provisioning access through AWS Access & Secret Keys which are difficult to secure and rotate.
In addition, we also use an External ID to solve the confused deputy problem. This ensures that there is no accidental disclosure of data between Quadzig customers.
Quadzig currently requests the following set of IAM permissions to discover your infrastructure.
autoscaling:DescribeAutoScalingGroups
cloudtrail:DescribeTrails
cloudwatch:GetMetricData
ec2:DescribeAddresses
ec2:DescribeClientVpnConnections
ec2:DescribeClientVpnEndpoints
ec2:DescribeClientVpnRoutes
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSecurityGroups
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequests
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayAttachments
ec2:DescribeTransitGatewayPeeringAttachments
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayVpcAttachments
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:DescribeServices
ecs:ListClusters
ecs:ListContainerInstances
ecs:ListServices
ecs:ListTagsForResource
eks:DescribeNodegroup
eks:ListClusters
eks:ListNodegroups
elasticache:DescribeCacheClusters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticfilesystem:DescribeFileSystems
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
es:DescribeElasticsearchDomains
kafka:ListClusters
lambda:ListFunctions
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:ListTagsForResource
redshift:DescribeClusters
We explicitly make sure that we do not request access to resources like ECS Task Definitions or EC2 Launch templates so that no application data is accidentally accessed. Below are the reasons for not accessing these resources.
In both the cases, Quadzig errs on the side of caution and makes sure that the IAM role we provision does not request read access to these resources.
We will keep the above list updated as we add support for more AWS Resources.
We host our application on AWS and as such, data is stored and transmitted through their systems. Apart from this, Quadzig DOES NOT share your data with any third parties.
Quadzig DOES NOT run any kind of analysis or intelligence gathering algorithms on your data. The only use of your data is to provide you a way to visualize your AWS Infrastructure.
In the future, we may release new features which may require us to run analysis on your data(Cost or Security recommendations for example). In this case, we will communicate this to you in advance and such features will be rolled out such that customers have to explicitly opt-in for those features.
We implement the following controls within the Quadzig application to ensure that your data is not accidentally leaked.
Communication within the application and between application components are encrypted in transit
Any data stored in DB or disks is encrypted at rest with Amazon KMS.
Quadzig only triggers a discovery of your AWS resources in one of the following scenarios.
Quadzig DOES NOT run any kind of background discovery process to periodically gather data about your AWS infrastructure.
The following controls are in place to ensure that your data is well protected within Quadzig organization.
We have a separate channel for users to reach us for security related issues. We will ensure that any security issues raised are addressed promptly.
You can delete your data from the application at any time by removing the AWS Account from Quadzig. This will remove all Infrastructure related data from Quadzig systems.
Some residual data may remain in our DB backups. These are automatically cleared after 30 days.
We are happy to answer any security related queries you may have. Please get in touch with us through support@quadzig.io
If you would like a specific Security feature implemented, we would love to hear from you. Please get in touch with us through support@quadzig.io