IAM Permission Roles & Least Privilege
North uses limited IAM roles whenever possible to ensure that we cannot view critical machine data, edit machines, create/pause/stop instances, or make any networking changes. We regularly hire third-party SecOps consultants to audit our risk exposure and ensure client security.
North SOC 2 Compliance
As of May 2024, North has passed its SOC 2 Type I audit. More information, including the full compliance and audit report, can be requested by reaching out to North directly.
North Savings Pods
North uses member accounts to deploy and manage savings plans and reserved instances in your AWS billing group. This approach enables customers to maintain their own billing account and AWS Organization. It also enables customers to maintain maximum security and limit exposure to third-party security events. While maintaining your own organization, you (the customer) are never subject to a reseller's or third party's Service Control Policies (SCPs), or to the SCPs of any sub-processors, employees or bad actors that may gain control of SCP administration in the billing org. This also allows the customer to retain full control over disconnecting the North service, and any North AWS accounts, from the billing org at any moment for security or business purposes.
Service control policy documentation: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_email&ref_=pe_2547550_191713980
What are AWS Organizations and management accounts? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html?icmpid=docs_orgs_email&ref_=pe_2547550_191713980
Disconnecting North Savings Pods From Billing Org
Please note that any disconnection of North Savings Pods, or cancellation of service, is governed by the MSA agreed between the client and North.
To remove an AWS account from your organization (including North's Savings Pods), follow the steps below:
Sign in to the AWS Management Console for the biller/payer account.
Go to AWS Organizations.
Navigate to the Accounts section.
Select the account(s) to remove from the organization.
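The console steps above are what a customer would click through; an administrator automating the same disconnection would typically want a couple of guard rails around the API call. The script below is an added example, not North's tooling or a North-provided script. It assumes a boto3 Organizations client for the management (payer) account is passed in; the boto3 method names it calls (describe_organization, describe_account, remove_account_from_organization) are real, but the guard logic, the dry-run flag, the FakeOrganizations stand-in and the account IDs are this example's own constructions.

```python
"""Remove member accounts from an AWS Organization with guard rails.

Added example, not North's tooling. Pass a real boto3 Organizations client
(boto3.client("organizations")) from the management account, or the
constructed FakeOrganizations below to run it offline.
"""
from dataclasses import dataclass, field


@dataclass
class RemovalResult:
    removed: list = field(default_factory=list)   # account ids removed (or would be, in dry run)
    skipped: dict = field(default_factory=dict)   # account id -> reason it was left alone


def remove_member_accounts(org, account_ids, dry_run=True) -> RemovalResult:
    """Remove the given member accounts from the organization.

    Guard rails (this example's own, not AWS API behaviour):
      * never touch the management account (AWS would reject it anyway);
      * skip accounts that are not ACTIVE (suspended / pending close);
      * with dry_run=True, report what would happen without calling the API.
    """
    mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    result = RemovalResult()
    for acct in account_ids:
        if acct == mgmt_id:
            result.skipped[acct] = "management account cannot be removed"
            continue
        status = org.describe_account(AccountId=acct)["Account"]["Status"]
        if status != "ACTIVE":
            result.skipped[acct] = f"status is {status}, not ACTIVE"
            continue
        if not dry_run:
            # AWS rejects removal if the member lacks standalone prerequisites
            # (e.g. a valid payment method); let that exception surface.
            org.remove_account_from_organization(AccountId=acct)
        result.removed.append(acct)
    return result


class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 Organizations client so the
    example runs offline. Only the three calls used above are implemented."""

    def __init__(self, management_id, accounts):
        self.management_id = management_id
        self.accounts = dict(accounts)   # account id -> status
        self.removed = []                # ids for which the remove API was called

    def describe_organization(self):
        return {"Organization": {"MasterAccountId": self.management_id}}

    def describe_account(self, AccountId):
        return {"Account": {"Id": AccountId, "Status": self.accounts[AccountId]}}

    def remove_account_from_organization(self, AccountId):
        self.removed.append(AccountId)
        del self.accounts[AccountId]
        return {}


if __name__ == "__main__":
    # Constructed sample org: a management account, an active pod, a suspended one.
    fake = FakeOrganizations("111111111111", {
        "111111111111": "ACTIVE",
        "222222222222": "ACTIVE",
        "333333333333": "SUSPENDED",
    })
    plan = remove_member_accounts(fake, list(fake.accounts), dry_run=True)
    print("would remove:", plan.removed)
    print("skipped:", plan.skipped)
```

Run it first with `dry_run=True` and review the `removed` and `skipped` lists before repeating with `dry_run=False`; the management account and any non-ACTIVE account are reported rather than silently passed to the API.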
What access do these accounts hold in our AWS organization?
The savings pods hold no cross-account access of any kind to the other accounts in your AWS organization. The only IAM permission in the account is a billing read-only permission that lets the account "phone home" to North. This allows North to read net savings and utilization health data from the savings pod, to best administer it for your AWS organization.
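A customer reviewing a vendor account like this would want to confirm for themselves that the one permission really is billing read-only. The linter below is an added example, not North's policy or tooling: the sample policy is constructed to resemble the "phone home" permission described above using real Cost Explorer and Savings Plans action names, but the exact actions North grants are an assumption, and the forbidden-service list is this example's own choice.

```python
"""Static least-privilege check for an IAM policy document.

Added example, not North's policy. It flags three things a reviewer of a
"billing read-only" role would not want to see in an Allow statement:
wildcard actions, actions on infrastructure/identity services, and
non-read verbs.
"""
import json

# Constructed sample resembling a read-only cost/savings "phone home" policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ce:GetCostAndUsage",
            "ce:GetSavingsPlansUtilization",
            "ce:GetSavingsPlansCoverage",
            "savingsplans:DescribeSavingsPlans",
        ],
        "Resource": "*",
    }],
})

# Constructed counter-example that a reviewer should reject.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:*", "ec2:StopInstances", "ce:CreateAnomalyMonitor"],
        "Resource": "*",
    }],
})

# Services a billing-only role has no business touching (example's own list).
FORBIDDEN_SERVICES = {"ec2", "iam", "sts", "organizations"}
# Verb prefixes IAM uses for read-only operations.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return a list of findings; an empty list means every Allow statement is
    wildcard-free, read-only, and avoids the forbidden services."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
                continue
            service, _, verb = action.partition(":")
            if service in FORBIDDEN_SERVICES:
                findings.append(f"statement {i}: {action!r} touches forbidden service {service}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"statement {i}: {action!r} is not a read-only verb")
    return findings


if __name__ == "__main__":
    print("sample policy findings:", lint_policy(SAMPLE_POLICY))
    for f in lint_policy(OVERBROAD_POLICY):
        print("overbroad policy:", f)
```

The check is deliberately conservative: it only inspects Allow statements, so a Deny added later cannot make an overbroad policy look clean, and it treats any wildcard as a finding rather than trying to expand it.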
How are these savings pods secured?
While we can't share our full SecOps posture publicly, we can say the following. Savings pods are secured at the root layer using password encryption software and MFA. No other IAM permissions are created for them, so no other access can be granted. North also monitors any access to, or spend in, these accounts. They essentially act as "dark sites" with no live usage activity other than the savings plans.
What happens to the costs of the Pods if they leave our org?
All accounts are created as North AWS accounts first, with our default payment method. Upon leaving your organization, any hourly costs are billed to the base payment method of the AWS account. This is standard in AWS: if a standalone account leaves an organization, the base payment method takes over. More at the link below. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html