What Cloud Capital accesses — and what it does not
Cloud Capital reads your cloud cost and usage data only. We do not access your cloud infrastructure, workloads, customer data, or any resources running in your AWS accounts.| Cloud Capital accesses this | Cloud Capital does not access this | |
|---|---|---|
| AWS Cost and Usage Reports (CUR) | Yes | |
| AWS billing, pricing, and commitment APIs | Yes | |
| AWS Organizations account structure | Yes (read-only) | |
| EC2, RDS, and other resource descriptions | Yes (read-only, for cost mapping) | |
| Running workloads, application code, databases | Never | |
| Customer or end-user data | Never | |
| IAM credentials or secrets | Never |
How AWS access is granted
Cloud Capital connects to your AWS environment using AWS’s standard cross-account IAM role pattern. Both roles are provisioned via CloudFormation templates that Cloud Capital provides — parameters are pre-populated, so no manual configuration is required. For teams that manage infrastructure exclusively through Terraform, Cloud Capital can provide an equivalent Terraform module. Contact your Cloud Capital representative or support@cloudcapital.co to request it. You retain ownership of the role and can revoke access at any time by deleting the CloudFormation stack (or destroying the Terraform resource). Two separate roles are used, each scoped to its function. Full setup instructions, including how to deploy each CloudFormation stack, are in the Integrate AWS Data guide.Forecasting role (all customers)
A read-only role applied to your AWS management or payer account. It grants access to:- Your CUR S3 bucket (scoped to that specific bucket only)
- AWS billing, Cost Explorer, and pricing APIs
- Organization account enumeration
- Resource descriptions (EC2, RDS, ElastiCache, Redshift, OpenSearch) for cost mapping
Optimization role (commitment customers only)
A purchasing role applied exclusively to a dedicated, empty AWS account you create for this purpose — never to your management account or any workload account. See Commitment Proposal & Onboarding for how Cloud Capital uses this access to manage your commitments. It grants access to:- Purchasing Savings Plans and Reserved Instances on your behalf
- Creating service-linked roles required by AWS during first purchase
- Managing service quota increases when needed
Both roles use an ExternalId condition in the trust policy — a system-generated UUID unique to your organization. This means only Cloud Capital’s specific AWS account can assume the role, and only when presenting the correct ExternalId. This prevents confused deputy attacks. You can review the full policy in each CloudFormation template: Forecasting template · Optimization template.
Revoking access
You can revoke either role at any time by deleting the corresponding CloudFormation stack in your AWS console. Access is terminated immediately.Data protection
In transit: All communication between Cloud Capital and AWS is encrypted with TLS. At rest: All data stored in Cloud Capital is encrypted using AWS encryption standards. Retention: Your cost and usage data is stored for the duration of your use of the platform. Upon account deletion, all associated data is deleted within 30 days. You may also request deletion at any time. Third parties: Cloud Capital does not share your cost or usage data with any third party. We use third-party tools for internal purposes (analytics, support, payment processing), but none of those services have access to your cost or usage data.Audit logging
All access to customer data and platform actions are logged. For commitment customers, every commitment decision — including the context and approvals — is recorded in the audit trail. Customers can request logs as part of their compliance requirements.Google Sheets integration
Cloud Capital’s Google Sheets integration lets you import business metrics directly from a spreadsheet into your forecasts. The connection uses Google’s standard OAuth authorization flow. What Cloud Capital can access:- Only the specific files you explicitly share with your organization — not your entire Google Drive
- Each team member who connects their Google account does so independently; their unshared spreadsheets remain private
- All files shared with your organization are listed in Organization Settings → Data Connections → Shared Files, giving you a clear record of what is accessible at all times
- Any shared file can be revoked from that same settings page at any time
- Revoking a file immediately breaks the sync for any metrics currently importing from it