You have connected your AWS accounts in CloudFix and want to know what data CloudFix stores and transmits.
The CloudFix Finder IAM role collects three types of data:
- A Config snapshot of all resources is stored in your account.
  - This is done by creating an AWS Config delivery channel in your account or by using the existing delivery channel.
  - CloudFix only has permissions to read that snapshot and get SNS notifications when resources are added or removed.
- Cost & Usage Reports are read by CloudFix in order to analyze costs and create savings estimates.
- CloudWatch metrics are used to collect usage data. You can see the APIs called by CloudFix using CloudTrail.
CloudFix does not have permissions to read actual user data. For example, CloudFix can read metrics about your AWS buckets to see how much they cost, but it cannot access any of the data in the buckets.
The CloudFix Permission Model article explains how these strict permission boundaries are maintained and how they give you control over what CloudFix Fixers can do.
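One way to check the CloudTrail statement above for yourself is to summarize the calls made by the Finder role and flag any that are not read-only or that touch data outside the buckets holding the Config snapshot and the Cost & Usage Reports. This is an added example, not CloudFix's own code; the role name, bucket names and log records are constructed placeholders.

```python
import json
from collections import Counter

# Assumptions (placeholders, not CloudFix's real names): set these for your account.
FINDER_ROLE = "EXAMPLE-cloudfix-finder-role"
EXPECTED_BUCKETS = {"example-config-snapshots", "example-cost-usage-reports"}

def _rec(role, source, name, read_only=True, category="Management", bucket=None):
    """Build one constructed CloudTrail record, trimmed to the fields used below."""
    return {
        "eventTime": "2024-01-01T00:00:00Z", "eventSource": source, "eventName": name,
        "readOnly": read_only, "eventCategory": category,
        "requestParameters": {"bucketName": bucket} if bucket else None,
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"userName": role}}},
    }

# Constructed sample log, not real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    _rec(FINDER_ROLE, "config.amazonaws.com", "DescribeDeliveryChannels"),
    _rec(FINDER_ROLE, "cur.amazonaws.com", "DescribeReportDefinitions"),
    _rec(FINDER_ROLE, "s3.amazonaws.com", "GetObject", category="Data",
         bucket="example-config-snapshots"),
    _rec(FINDER_ROLE, "s3.amazonaws.com", "GetObject", category="Data",
         bucket="example-customer-uploads"),
    _rec("some-other-role", "s3.amazonaws.com", "PutObject", read_only=False,
         category="Data", bucket="example-customer-uploads"),
]})

def audit_role(log_text, role=FINDER_ROLE, expected_buckets=EXPECTED_BUCKETS):
    """Return (calls per API, findings) for one assumed role in a CloudTrail log file."""
    calls, findings = Counter(), []
    for rec in json.loads(log_text).get("Records", []):
        issuer = rec.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("userName") != role:
            continue  # event was made by some other principal
        api = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
        calls[api] += 1
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if rec.get("readOnly") is not True:
            findings.append((api, "not read-only", bucket))
        elif rec.get("eventCategory") == "Data" and bucket not in expected_buckets:
            findings.append((api, "data event outside expected buckets", bucket))
    return calls, findings

if __name__ == "__main__":
    calls, findings = audit_role(SAMPLE_LOG)
    print(dict(calls))
    print(findings)
```

S3 object-level calls such as GetObject only appear in CloudTrail when data event logging is enabled on the trail, so an empty findings list is meaningful only if those events are being recorded.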