Quadzig is an infrastructure visualization platform and as such, requires access to your infrastructure data. We understand that such data is highly sensitive and take a number of measures to make sure that we offer our services in the most secure way possible.
Below you will find information about the scope of the data we collect and its lifecycle within our system. We also outline the security policies in place to protect your data.
For the rest of the document, wherever "Data" or "data" is mentioned, we are explicitly referring to your AWS infrastructure related data that is used to visualize your infrastructure.
Quadzig uses the AWS-recommended cross-account IAM role approach to securely discover resources in your AWS infrastructure. We DO NOT support provisioning access through AWS access key and secret key pairs, which are difficult to secure and rotate.
In addition, we use an External ID to solve the confused deputy problem. This ensures that there is no accidental disclosure of data between Quadzig customers.
Quadzig currently requests the following set of IAM permissions to discover your infrastructure.
autoscaling:DescribeAutoScalingGroups
cloudtrail:DescribeTrails
cloudwatch:GetMetricData
ec2:DescribeAddresses
ec2:DescribeClientVpnConnections
ec2:DescribeClientVpnEndpoints
ec2:DescribeClientVpnRoutes
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequests
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayAttachments
ec2:DescribeTransitGatewayPeeringAttachments
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayVpcAttachments
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:DescribeServices
ecs:ListClusters
ecs:ListContainerInstances
ecs:ListServices
ecs:ListTagsForResource
eks:DescribeNodegroup
eks:ListClusters
eks:ListNodegroups
elasticache:DescribeCacheClusters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticfilesystem:DescribeFileSystems
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
es:DescribeElasticsearchDomains
kafka:ListClusters
lambda:ListFunctions
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:ListTagsForResource
redshift:DescribeClusters
We explicitly make sure that we do not request access to resources like ECS Task Definitions or EC2 Launch Templates, so that no application data is accidentally accessed. Below are the reasons for not accessing these resources.
In both cases, Quadzig errs on the side of caution and makes sure that the IAM role we provision does not request read access to these resources.
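The two policies that make up such a role, plus the checks a customer would run before attaching it, as an added example that is not Quadzig's own code. The role trust policy restricts sts:AssumeRole to one vendor account and conditions it on sts:ExternalId (the confused-deputy mitigation described above); the permission policy carries the action list published on this page. The account IDs and the External ID value are constructed placeholders. The excluded actions for ECS task definitions and EC2 launch templates are the real AWS action names for those resources, which the page only names as resources.

```python
"""Build and audit a read-only cross-account IAM role for infrastructure discovery.

Added example, not Quadzig's own code. Account IDs and the External ID are
constructed placeholders; the discovery action list is the one published on
the page.
"""
import json
import re

VENDOR_ACCOUNT_ID = "111111111111"      # constructed placeholder: the SaaS vendor's account
CUSTOMER_ACCOUNT_ID = "222222222222"    # constructed placeholder: the customer's account
EXTERNAL_ID = "example-external-id"     # constructed placeholder: a per-customer random secret

# Read-only discovery actions as listed on the page (duplicates removed).
DISCOVERY_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups", "cloudtrail:DescribeTrails", "cloudwatch:GetMetricData",
    "ec2:DescribeAddresses", "ec2:DescribeClientVpnConnections", "ec2:DescribeClientVpnEndpoints",
    "ec2:DescribeClientVpnRoutes", "ec2:DescribeInstances", "ec2:DescribeInternetGateways",
    "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests",
    "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumes",
    "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections",
    "ec2:DescribeVpnGateways", "ecs:DescribeClusters", "ecs:DescribeContainerInstances",
    "ecs:DescribeServices", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices",
    "ecs:ListTagsForResource", "eks:DescribeNodegroup", "eks:ListClusters", "eks:ListNodegroups",
    "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheSecurityGroups",
    "elasticache:DescribeCacheSubnetGroups", "elasticache:DescribeGlobalReplicationGroups",
    "elasticache:DescribeReplicationGroups", "elasticache:ListTagsForResource",
    "elasticfilesystem:DescribeFileSystems", "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags", "es:DescribeElasticsearchDomains", "kafka:ListClusters",
    "lambda:ListFunctions", "rds:DescribeDBClusters", "rds:DescribeDBInstances",
    "rds:DescribeDBSubnetGroups", "rds:ListTagsForResource", "redshift:DescribeClusters",
]

# Actions that would expose application data (ECS task definitions, EC2 launch
# templates). Real AWS action names, listed only so the audit can confirm they are absent.
APPLICATION_DATA_ACTIONS = {
    "ecs:DescribeTaskDefinition",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeLaunchTemplateVersions",
}

# A read-only action is "<service>:Describe…", "<service>:List…" or "<service>:Get…".
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]+$")


def trust_policy(vendor_account_id, external_id):
    """Only the vendor account may assume the role, and only with the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permission_policy(actions):
    """Grant exactly the given discovery actions and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}],
    }


def audit_trust_policy(policy):
    """Return findings (empty list = OK): open principal or missing ExternalId condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("AWS") == "*":
            findings.append("trust policy allows any AWS principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("sts:AssumeRole is not conditioned on sts:ExternalId")
    return findings


def audit_permission_policy(policy):
    """Return findings (empty list = OK): wildcard, non-read-only, or application-data actions."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif not READ_ONLY_ACTION.match(action):
                findings.append(f"non read-only action {action}")
            if action in APPLICATION_DATA_ACTIONS:
                findings.append(f"application-data action {action}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(audit_permission_policy(permission_policy(DISCOVERY_ACTIONS)))  # [] when clean
```

The audit rejects the role as soon as a statement widens it: an action containing `*`, an action outside the Describe/List/Get namespaces, one of the application-data actions, or a trust statement that drops the External ID condition. Running the same checks against the role document the vendor actually hands you is the practical way to confirm that the published list and the provisioned role agree.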
We will keep the above list updated as we add support for more AWS Resources.
We host our application on AWS and as such, data is stored and transmitted through their systems. Apart from this, Quadzig DOES NOT share your data with any third parties.
Quadzig DOES NOT run any kind of analysis or intelligence gathering algorithms on your data. The only use of your data is to provide you a way to visualize your AWS Infrastructure.
In the future, we may release new features which require us to run analysis on your data (cost or security recommendations, for example). In this case, we will communicate this to you in advance, and such features will be rolled out such that customers have to explicitly opt in to them.
We implement the following controls within the Quadzig application to ensure that your data is not accidentally leaked.
Communication within the application and between application components is encrypted in transit.
Any data stored in databases or on disks is encrypted at rest with AWS KMS.
Quadzig only triggers a discovery of your AWS resources in one of the following scenarios.
Quadzig DOES NOT run any kind of background discovery process to periodically gather data about your AWS infrastructure.
The following controls are in place to ensure that your data is well protected within Quadzig organization.
We have a separate channel for users to reach us for security-related issues. We will ensure that any security issues raised are addressed promptly.
You can delete your data from the application at any time by removing the AWS Account from Quadzig. This will remove all Infrastructure related data from Quadzig systems.
Some residual data may remain in our DB backups. These are automatically cleared after 30 days.
We are happy to answer any security-related queries you may have. Please get in touch with us through firstname.lastname@example.org
If you would like a specific security feature implemented, we would love to hear from you. Please get in touch with us through email@example.com