CostGuardian And Security

With all things in our interconnected world security is and should be a concern.  CostGuardian take security very seriously, this document gives you an over view of some of the steps we have taken to ensure we keep your account and data secure.

The video below also gives you an overview of how we handle security.


The Costguardian Infrastructure that gives you access to monitor and control your instances is hosted in AWS (Amazon Web Service).  AWS cover 19 geographic locations with 57 availability zones across the global.  The availability zones are grouped by region and consist of a least two which are linked with low latency connections.

As an Amazon client and Partner we take advantage of there Data Center Controls ranging from Secure Designs, Business Continuity, Physical Access, Monitoring and Logging, Surveillance and Detection, Device Management, Operational Support Systems, Infrastructure Maintenance and Governance and Risk.

Full details can be found here: Data Center Controls

CostGuardian utilise multiple availability zones providing full fail-over in the event of an Availability Zone outage.

Amazon have a Shared Responsibility model when it comes security with Amazon being responsible from the physical data-centers up to the hypervisor.

Amazon Shared Responsibility

Amazon also have accreditation's for literally dozens of internationally recognised compliance programs.  The latest list can be found here

Amazon Compliance Programs


In Transit

CostGuardian take data security very serious and always start with the question what is the minimum amount we need.  As you would expect with all technologies in today's interconnected world all our communications between servers and systems are transmitted over https ensuring data is encrypted as it travels around.

Media (At Rest)

The physical media we use at Amazon are all configured to use encrypted media, this ensures that if the media is stolen, lost or misplaced, access to the actual data is not possible.  To ensure this does not happen in the first place Amazon have a strict policy of disposing of faulty hardware media.

 AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.

Data (At Rest)

As previously discussed the actual data we do store is kept to a minimum, data is classified and anything deemed personal or sensitive such as password, email addresses and account numbers are stored in an encrypted format. 


In order for CostGuardian to work it does need to be linked to your AWS account, this is done with roles and policies and again only the minimum is granted.

CostGuardian provide a CloudFormation script in order create the required roles and policies.  Access to the script and instructions on running it can be found at the link below.

Linking Cost Guardian to AWS

The video above gives a narrated walk through of the policy but details are also below.

A role is required that CostGuardian will use an is identified using its ARN (Amazon Resource Name)

Example Role ARN:


Trust Relationship

The role needs a trust relationship with the CostGuardian account and this is created and implements an ExternalId which acts like a password or secret key further securing access.


The policy created consists of two sections.  

If you have any further questions or concerns on security then please contact us at