Security

Introduction to Tide Savings Pods

Tide’s Savings Pods provide a solution for deploying and managing savings plans and reserved instances within your AWS billing group. This approach allows customers to maintain control over their AWS billing accounts and organizations, enhancing security while reducing exposure to third-party risks. By retaining full control over your AWS organization, you are shielded from the Service Control Policies (SCPs) that might be enforced by resellers, third parties, or unauthorized individuals. Additionally, this structure ensures that you have the ability to disconnect the Tide service and any associated AWS accounts from your billing organization at any time, whether for security or business reasons.

IAM Strategy: Enforcing the Principle of Least Privilege

At Tide, we enforce the principle of least privilege, ensuring that IAM roles are assigned with only the essential permissions required for specific tasks. This strategy limits access to critical operations, preventing unauthorised viewing of sensitive machine data, infrastructure modifications, instance management, or network changes. To maintain a robust security posture, we regularly engage independent SecOps consultants to assess our risk exposure and validate our security practices.

Security Architecture of Tide Savings Pods

Tide’s Savings Pods are fortified with multiple layers of security, including:

  • Root-Level Protection: Implementing advanced password encryption and multi-factor authentication (MFA) to secure root access.

  • Minimal IAM Role Assignments: Ensuring no additional IAM roles are created, thereby preventing any unintended access permissions.

  • Continuous Monitoring: Tide actively monitors account activities to detect and respond to any unauthorized access or unexpected expenses.

These Savings Pods function as isolated environments, dedicated exclusively to managing savings plans without hosting any active workloads.

Integration and Management of Tide Savings Pods

To incorporate Tide’s Savings Pods into your AWS billing organization, refer to the following documentation:

Managing and Disconnecting Savings Pods

Termination of Tide services, including the removal of Savings Pods, is governed by the Master Services Agreement (MSA) between Tide and the client. To remove an AWS account, including Tide's Savings Pods, from your organization, follow these steps:

  1. Log in to the AWS Management Console using the payer account credentials.

  2. Navigate to AWS Organizations.

  3. Access the Accounts section.

  4. Select the account(s) you wish to remove.
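The same removal can be done from the AWS CLI with a few safety checks first. The script below is an added example, not Tide's tooling: it assumes AWS CLI v2 with credentials for the payer (management) account, and the function names and the DRY_RUN variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Tide's tooling. Assumes AWS CLI v2 and credentials for
# the payer (management) account; the account ID argument is operator-supplied.

# Return 0 only if it is safe to remove account $1 from the organization.
preflight_remove() {
  local target="$1" mgmt caller status
  case "$target" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account ID must be 12 digits" >&2; return 2 ;;
  esac
  mgmt=$(aws organizations describe-organization \
           --query 'Organization.MasterAccountId' --output text) || return 1
  caller=$(aws sts get-caller-identity --query 'Account' --output text) || return 1
  # Removal is only possible from the payer (management) account.
  if [ "$caller" != "$mgmt" ]; then
    echo "credentials belong to $caller, not payer account $mgmt" >&2; return 3
  fi
  # Never point this at the payer account itself.
  if [ "$target" = "$mgmt" ]; then
    echo "$target is the payer account" >&2; return 4
  fi
  status=$(aws organizations describe-account --account-id "$target" \
             --query 'Account.Status' --output text) || return 1
  if [ "$status" != "ACTIVE" ]; then
    echo "account $target has status $status" >&2; return 5
  fi
}

# Dry run unless DRY_RUN=0 is set explicitly.
remove_pod_account() {
  preflight_remove "$1" || return $?
  if [ "${DRY_RUN:-1}" != "0" ]; then
    echo "dry run: would remove $1 from the organization"; return 0
  fi
  aws organizations remove-account-from-organization --account-id "$1"
}
```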

Cost Implications When Disconnecting Pods

Tide provisions all Savings Pod accounts under our AWS master account, with our payment method set as the default. If a Savings Pod is removed from your organization, any ongoing hourly charges will default to the payment method associated with the AWS account itself. This process aligns with AWS’s standard practices, where an account leaving an organization reverts to its base payment method.
