Skip to content

Latest commit

 

History

History
53 lines (37 loc) · 4.79 KB

security.mdx

File metadata and controls

53 lines (37 loc) · 4.79 KB
title description
Security
As an infrastructure tool that requires access to your cloud provider, we understand there may be questions, concerns, and necessary clarification around our infrastructure, processes, and procedures. We, as developers at Vantage, are also customers of Vantage, which more closely aligns our security concerns with those of our customers.

Read-Only Billing Access

Vantage uses read-only service accounts, service roles, API keys, and other read-only means to access billing data across all the integrations we use. This means we don't store sensitive information, like account access keys and access key secrets, to use Vantage. Should you have any other questions, please feel free to email us at [email protected].

Cross-Account IAM Roles on AWS

Vantage uses a Cross-Account IAM Role to sync information about your infrastructure resources. This method is the AWS-recommended approach. When you grant Vantage access to your account by running the provided CloudFormation stack, the stack creates a cross-account role with in-line policies selected by Vantage. These policies are a trimmed-down version of the policies in the AWS-managed ReadOnlyAccess policy, but we've removed actions that would otherwise allow us to access sensitive information in databases, buckets, and certain services. Our CloudFormation template is open source and hosted publicly for transparency.

Customizing Cross-Account Role Permissions

Vantage requests various in-line read-only permissions when creating the cross-account role on your behalf; however, we understand this can be too broad of a permission set for certain use cases. As a result, we do allow you to create Cross-Account IAM roles with whatever permissions you're comfortable with. However, keep in mind that narrowing the scope of the role's permissions will limit certain functionality in Vantage.

If you email [email protected] in advance, we can facilitate provisioning your account with a custom role. Please note that we will provide you with some custom attributes to associate with your Cross-Account IAM Role to prevent the "confused deputy" problem. As a result, you will need to contact Vantage support before you create the role.

Data Revocation

In the account Settings section, you can revoke the Cross-Account IAM Role at any time. Automatically and nearly instantly, Vantage will delete all data associated with that Cross-Account IAM Role. Note that the deletion doesn't remove the set of custom Vantage views you've created; however, these views will be empty, as there are no longer any resources.

In the account Settings section, you also can delete your account. Once you delete your account, all data is deleted as well.

Data Sharing

We do not share any data externally. We do not sell or share any user data with any third parties.

Frequently Asked Questions

<Accordion title="Does Vantage periodically perform penetration tests?"

Yes. Vantage has outsourced penetration tests to a third party that regularly performs these tests.
Yes. Vantage is SOC 2 Type 2 certified. To request a copy of our report, visit the [Vantage Security Page](https://vantage.sh/security). We believe that we already roughly adhere to the standards outlined in ISO 27001. Vantage receives reports via [[email protected]](mailto:[email protected]). We review every single report that we receive. We do not have a formal bug bounty program, but we do have a process as well as a set of policies and standards we follow to process security requests. Yes. We support [SAML SSO](/sso), and 2FA is on the roadmap.