Wiv AWS Connectivity Architecture
Modified on Wed, 28 Jan at 12:15 PM
Real-Time Data Access and Security Framework
Wiv Technical Operations
January 19, 2026
Overview
Wiv is a high-performance FinOps platform built for real-time identification of cost-saving opportunities and anomalies. By securely integrating a Cross-Account IAM Role and AWS EventBridge, Wiv delivers a unique combination of deep visibility and instant responsiveness. This document details the security architecture and outlines the complete data scopes required to achieve maximum optimization.
The Security Handshake & Guarantees
All connectivity strictly follows AWS best practices for third-party SaaS integration, ensuring maximum security and trust.
Key Security Guarantees:
Metadata Focused: Operations concentrate on metadata scans to efficiently identify optimization opportunities.
Real-Time Intelligence: Wiv utilizes EventBridge for instant reaction to account changes, eliminating the delay of waiting for daily billing updates.
Encryption & Isolation: All sensitive connection metadata is stored exclusively within your account's Secrets Manager and is never retained on Wiv's side.
No Customer Data Access: Wiv is architected to prevent access to PII, database records, or application-level data.
Visual Architecture Flow
Wiv's Event-Driven FinOps: Real-Time Value and Permission Framework
The Strategic Value of Real-Time Triggers (AWS EventBridge)
Wiv's core architecture leverages Event-Driven Responsiveness, distinguishing it from traditional FinOps tools that rely on slow, periodic polling. This design enables Wiv to capture infrastructure changes instantly as they happen.
Why Real-Time is Essential: Delays, such as waiting 24 hours for a billing report, can result in thousands of dollars in wasted spending due to misconfigured, expensive resources. Real-time triggers allow Wiv to immediately identify, alert on, and prevent these costly anomalies.
Mechanism: Wiv uses AWS EventBridge Rules, configuring them to "listen" for specific lifecycle events that impact cost (e.g., changes in EC2 state, creation of a new RDS instance, or activation of Billing Alarms).
Secure Data Flow: When an EventBridge rule is triggered, it securely invokes an API Destination. This pushes the necessary metadata to Wiv’s backend for immediate processing.
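To make the rule-to-destination flow concrete, here is an added example (not Wiv's code) that matches constructed sample events against EventBridge-style patterns for the three event kinds the text names: EC2 state changes, RDS instance creation and billing alarms. Rule names, event shapes and the pattern-matching subset (exact-value lists and nested keys) are assumptions made for the example.

```python
# Added example (not Wiv's code): matcher for the subset of EventBridge event-pattern
# syntax the rules above need.  Rule names and sample events are constructed assumptions.
RULES = {
    "ec2-state-change": {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Instance State-change Notification"],
        "detail": {"state": ["running", "stopped", "terminated"]},
    },
    "rds-instance-created": {
        "source": ["aws.rds"],
        "detail-type": ["RDS DB Instance Event"],
        "detail": {"EventCategories": ["creation"], "SourceType": ["DB_INSTANCE"]},
    },
    "billing-alarm": {
        "source": ["aws.cloudwatch"],
        "detail-type": ["CloudWatch Alarm State Change"],
        "detail": {"state": {"value": ["ALARM"]}},
    },
}

def matches(pattern, event):
    """True when every pattern key exists in the event and matches: dict
    patterns recurse, list patterns are accepted exact values, and an
    event-side list matches when any of its elements is accepted."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True

def matching_rules(event):
    """Names of the rules whose API Destination target this event would fire."""
    return [name for name, pat in RULES.items() if matches(pat, event)]

# Constructed sample events shaped like the AWS originals (not captured data).
EC2_RUNNING = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
               "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}}
RDS_CREATED = {"source": "aws.rds", "detail-type": "RDS DB Instance Event",
               "detail": {"EventCategories": ["creation"], "SourceType": "DB_INSTANCE"}}
ALARM_OK = {"source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change",
            "detail": {"alarmName": "monthly-bill", "state": {"value": "OK"}}}
```

Only events that match a rule leave the account, so the pattern itself is the first place to check when auditing what metadata an API Destination can receive.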
Permission Matrix: Detailed Overview
The comprehensive table below details all API actions granted to the WivAccessRole, categorized by functional domain. These permissions are primarily read-only, supporting deep analytical capabilities.
| Service Domain | Allowed API Actions |
| --- | --- |
| FinOps & Billing | ce:Get*, ce:List*, ce:Describe*, ce:CreateAnomalySubscription, cur:Get*, billing:Get*, consolidatedbilling:Get*, consolidatedbilling:List*, invoicing:List*, payments:Get*, payments:List*, tax:Get*, tax:List* |
| Compute & EC2 | ec2:Describe*, ebs:List*, autoscaling:Describe*, compute-optimizer:Get*, compute-optimizer:Describe*, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs, lambda:ListTags |
| Databases | rds:Describe*, rds:List*, dynamodb:Describe*, dynamodb:ListTables, dynamodb:ListTagsOfResource, elasticache:Describe*, elasticache:List*, redshift:Describe* |
| Storage & S3 | s3:Describe*, s3:List*, s3:GetAccelerateConfiguration, s3:GetBucketVersioning, s3:GetLifecycleConfiguration, backup:List*, fsx:Describe*, fsx:List*, elasticfilesystem:Describe*, elasticfilesystem:List* |
| Containers (K8s) | eks:DescribeCluster, eks:List*, ecs:Describe*, ecs:List*, ecr:Describe*, ecr:List* |
| Networking & CDN | cloudfront:Get*, cloudfront:List*, elasticloadbalancing:Describe*, route53:ListHostedZones, route53:ListHostedZonesByName, route53:ListResourceRecordSets |
| Modern Stack & AI | athena:StartQueryExecution, athena:GetQueryResults, glue:*, sagemaker:List*, sagemaker:Describe*, bedrock:InvokeModel, kafka:Describe*, kafka:List*, es:Describe*, es:List* |
| Governance & IAM | cloudtrail:Describe*, cloudtrail:Get*, cloudtrail:List*, cloudtrail:LookupEvents, config:Describe*, config:Get*, config:List*, iam:ListAccountAliases, organizations:DescribeOrganization, organizations:ListAccounts |
| Optimization Checks | trustedadvisor:Describe*, trustedadvisor:Get*, trustedadvisor:List*, trustedadvisor:RefreshCheck, trustedadvisor:GenerateReport, support:Describe*, support:DescribeTrustedAdvisorChecks, support:RefreshTrustedAdvisorCheck, savingsplans:DescribeSavingsPlansOfferings |
| Automation (Write) | events:PutRule, events:PutTargets, events:CreateApiDestination, events:CreateConnection, events:InvokeApiDestination, events:DeleteRule, secretsmanager:*, iam:PassRole, iam:PutRolePolicy, iam:CreateServiceLinkedRole |
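A reviewer approving a cross-account role usually wants the "primarily read-only" claim checked mechanically. The following added example (not Wiv's code) walks a constructed excerpt of the matrix above and sorts each action into read-only, write, privilege-management or service-wildcard buckets, so the entries that deserve Resource or Condition limits stand out; the verb lists and the `MATRIX` excerpt are this example's own assumptions.

```python
# Added example (not Wiv's code): review helper for a permission matrix like the
# one above.  MATRIX is a constructed excerpt; the verb lists are a reviewer's heuristic.
READ_VERBS = ("Get", "List", "Describe", "LookupEvents")
# Actions that grant or pass privilege get their own bucket: they can widen the
# role's reach beyond whatever else the policy allows.
PRIVILEGE_ACTIONS = {"iam:PassRole", "iam:PutRolePolicy", "iam:CreateServiceLinkedRole"}

MATRIX = {
    "Compute & EC2": ["ec2:Describe*", "lambda:ListFunctions", "lambda:ListTags"],
    "Modern Stack & AI": ["athena:StartQueryExecution", "glue:*", "bedrock:InvokeModel"],
    "Governance & IAM": ["cloudtrail:LookupEvents", "organizations:ListAccounts"],
    "Automation (Write)": ["events:PutRule", "events:DeleteRule", "secretsmanager:*",
                           "iam:PassRole", "iam:PutRolePolicy"],
}

def classify(action):
    """Bucket one IAM action string: service-wildcard, privilege, read-only or write."""
    _service, _, verb = action.partition(":")
    if verb == "*":
        return "service-wildcard"   # e.g. glue:* also covers Delete/Update calls
    if action in PRIVILEGE_ACTIONS:
        return "privilege"
    if verb.startswith(READ_VERBS):
        return "read-only"          # Describe*, Get*, List* and LookupEvents
    return "write"                  # Put, Create, Delete, Invoke, Start, Refresh ...

def review(matrix):
    """Map each bucket to the 'domain: action' entries that fall in it."""
    report = {}
    for domain, actions in matrix.items():
        for action in actions:
            report.setdefault(classify(action), []).append(f"{domain}: {action}")
    return report

def needs_scoping(matrix):
    """Everything that is not read-only: the list to check for Resource/Condition limits."""
    report = review(matrix)
    return sorted(a for bucket, acts in report.items() if bucket != "read-only" for a in acts)

if __name__ == "__main__":
    for bucket, entries in review(MATRIX).items():
        print(f"{bucket}:", *entries, sep="\n  ")
```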
Deep-Dive: Necessary Automation and Write Permissions
To facilitate the real-time, event-driven workflows, Wiv requires a precise and surgical set of "Write" permissions. These actions are strictly limited to managing the necessary Wiv-related infrastructure within your account for secure, real-time data integration.
| Permission | Purpose |
| --- | --- |
| events:PutRule | Creates EventBridge rules to listen for specific, cost-impacting resource changes and lifecycle events in real-time. |
| events:PutTargets | Links the newly created rules to Wiv’s API endpoints, ensuring event data is correctly routed to our platform upon trigger. |
| events:CreateApiDestination | Establishes a secure HTTPS gateway within your environment, used to transmit metadata events back to the Wiv engine for immediate analysis. |
| secretsmanager:CreateSecret | Used by Wiv to store sensitive API tokens required for EventBridge connections within your AWS Secrets Manager, ensuring credentials remain encrypted and within your security boundary. |
| iam:PassRole | Allows the EventBridge service to securely utilize the permissions defined in the WivAccessRole when executing its triggers and delivering data. |
| iam:PutRolePolicy | Enables Wiv to update its internal automation policies (e.g., as new AWS services or optimization triggers are introduced) without requiring manual administrative overhead. |
Conclusion
The Wiv connectivity framework is engineered for maximum safety and transparency. By combining a broad set of read-only analytics with focused, real-time event integration, Wiv delivers a proactive FinOps strategy that catches waste before it can accumulate. Critically, every write permission is directly tied to the security and essential data delivery of your account's metadata.