Introduction

Quadzig is an infrastructure visualization platform and, as such, requires access to your infrastructure data. We understand that such data is highly sensitive and take a number of measures to make sure that we offer our services in the most secure way possible.

Below you will find information about the scope of the data we collect and its lifecycle within our system. We also outline the security policies in place to protect your data.

Terminology

For the rest of the document, wherever "Data" or "data" is mentioned, we are explicitly referring to your AWS infrastructure related data that is used to visualize your infrastructure.

Data Access Method

Quadzig uses the AWS-recommended approach of a cross-account IAM role to securely discover resources in your AWS infrastructure. We DO NOT support provisioning access through AWS access keys and secret keys, which are difficult to secure and rotate.

In addition, we use an External ID to solve the confused deputy problem. This ensures that there is no accidental disclosure of data between Quadzig customers.

Scope of Data Access

Quadzig currently requests the following set of IAM permissions to discover your infrastructure.

autoscaling:DescribeAutoScalingGroups
cloudtrail:DescribeTrails
cloudwatch:GetMetricData
ec2:DescribeAddresses
ec2:DescribeClientVpnConnections
ec2:DescribeClientVpnEndpoints
ec2:DescribeClientVpnRoutes
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequests
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayAttachments
ec2:DescribeTransitGatewayPeeringAttachments
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayVpcAttachments
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:DescribeServices
ecs:ListClusters
ecs:ListContainerInstances
ecs:ListServices
ecs:ListTagsForResource
eks:DescribeNodegroup
eks:ListClusters
eks:ListNodegroups
elasticache:DescribeCacheClusters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticfilesystem:DescribeFileSystems
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
es:DescribeElasticsearchDomains
kafka:ListClusters
lambda:ListFunctions
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:ListTagsForResource
redshift:DescribeClusters

We explicitly make sure that we do not request access to resources such as ECS Task Definitions or EC2 Launch Templates, so that no application data is accidentally accessed. Below are the reasons for not accessing these resources.

  1. Task Definitions might have sensitive or application related data in environment variables.
  2. EC2 Launch Templates/Launch Configuration might have sensitive or application related data in user data scripts.

In both cases, Quadzig errs on the side of caution and makes sure that the IAM role we provision does not request read access to these resources.

We will keep the above list updated as we add support for more AWS Resources.
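The External ID requirement described under "Data Access Method" and the read-only, application-data-free permission set listed above are both properties you can check before deploying a role. The following is an added example, not Quadzig's own code: it lints a constructed trust policy (placeholder vendor account and External ID) and a subset of the action list above, flagging a missing sts:ExternalId condition, a wildcard principal, non-read-only actions, and any action that would read task definitions, launch templates or launch configurations.

```python
"""Pre-deployment checks for a cross-account discovery role.
Constructed example, not Quadzig's own code: the trust policy, account id and
external id are placeholders; the action list is a subset of the one above."""
READ_ONLY_PREFIXES = ("Describe", "List", "Get")
# Resource types the page deliberately keeps out of the role (env vars, user data).
SENSITIVE_MARKERS = ("TaskDefinition", "LaunchTemplate", "LaunchConfiguration")

# Constructed trust policy: only the vendor account may assume the role, and only
# when it presents the External ID agreed out of band (the confused-deputy fix).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder vendor account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}
REQUESTED_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
                     "ecs:DescribeServices", "rds:DescribeDBInstances"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(policy):
    """Findings for a role trust policy; an empty list means it passes."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("AssumeRole is open to any principal")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            problems.append("AssumeRole has no sts:ExternalId condition")
    return problems

def permission_problems(actions):
    """Findings for the role's actions: anything not read-only or touching sensitive resources."""
    problems = []
    for action in actions:
        _, _, name = action.partition(":")
        if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
            problems.append(f"{action}: not a read-only action")
        if any(marker in name for marker in SENSITIVE_MARKERS):
            problems.append(f"{action}: reads task definitions or launch templates")
    return problems

if __name__ == "__main__":
    print(trust_policy_problems(TRUST_POLICY) + permission_problems(REQUESTED_ACTIONS) or "OK")
```

Run the same two functions over the trust policy and action list of a role you are about to create; any non-empty result is a deviation from the model described on this page.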

Sharing of Data with Third Parties

We host our application on AWS and as such, data is stored and transmitted through their systems. Apart from this, Quadzig DOES NOT share your data with any third parties.

Scope of Data Usage

Quadzig DOES NOT run any kind of analysis or intelligence gathering algorithms on your data. The only use of your data is to provide you with a way to visualize your AWS infrastructure.

In the future, we may release new features which require us to run analysis on your data (for example, cost or security recommendations). In this case, we will communicate this to you in advance, and such features will be rolled out so that customers have to explicitly opt in to them.

Data Guard Rails

We implement the following controls within the Quadzig application to ensure that your data is not accidentally leaked.

  1. All application logs explicitly filter out any sensitive information.
  2. We delete our DB backups after 30 days of creation to ensure that old backups do not accumulate sensitive data.
  3. Visualization images shared through email are sent as URLs/Links which automatically expire after 24 hours.
  4. Visualization images that are generated for sharing through email are automatically deleted after 24 hours from our systems.

Data Encryption

Communication within the application and between application components is encrypted in transit.

Any data stored in DB or disks is encrypted at rest with Amazon KMS.

Data Access Triggers

Quadzig only triggers a discovery of your AWS resources in one of the following scenarios.

  1. When you first add an AWS Account by provisioning a CloudFormation Stack.
  2. When you request a sync of your infrastructure changes from the visualization dashboard.

Quadzig DOES NOT run any kind of background discovery process to periodically gather data about your AWS infrastructure.

Data Protection within the Organization

The following controls are in place to ensure that your data is well protected within the Quadzig organization.

  1. Production access is restricted to specific staff members.
  2. In the rare case where staff members have to access your data to solve a support issue or to solve a technical issue, we will ensure that the data is accessed in a minimal fashion.

Security Issues & CVEs

We have a separate channel for users to reach us for security related issues. We will ensure that any security issues raised are addressed promptly.

Deletion of Data

You can delete your data from the application at any time by removing the AWS Account from Quadzig. This will remove all Infrastructure related data from Quadzig systems.

Some residual data may remain in our DB backups. These are automatically cleared after 30 days.

Further Questions?

We are happy to answer any security related queries you may have. Please get in touch with us through support@quadzig.io.

Security Feature Request

If you would like a specific security feature implemented, we would love to hear from you. Please get in touch with us through support@quadzig.io.