
# Platform Connections

## What Does GRAX Use the Platform Connection for?

GRAX uses the access granted to your Cloud Platform to manage your deployment of the GRAX Application. This responsibility includes creation, monitoring, and maintenance of the infrastructure. As GRAX launches new features and cloud platforms release new versions of resources, GRAX will apply necessary infrastructure updates and improvements to bring you the most cost-effective and secure deployment possible.

The specific resources needed by the GRAX Application vary by Cloud Platform and will change over time as those platforms update their offerings and features are added to the GRAX Application. For example resources, you can review our [Architecture Documentation](/infrastructure/architecture/architecture.md); suggestions on account auditing are discussed [here](#how-can-i-audit-graxs-cross-account-access).

## What are the benefits of GRAX Managed Deployments?

Compare the security profile and total cost of ownership (TCO) of these two options:

* a system configured and updated with machine-to-machine automation
* a system that requires direct access by many people or teams to set up and update

The former requires 0 people in the process, takes 30 minutes for the initial setup, and is automatically updated with security improvements over the entire lifetime of the system.

The latter can take many people weeks for the initial setup and weeks again to find the right people to perform security updates. It adds new risks: many people having access and passwords to systems, configuration mistakes, and delayed security updates.

Multiply this by every additional system you create to back up additional sandbox and production environments and every security update required over the years of maintaining a system; you'll see that the security profile is significantly higher and the TCO is significantly lower by automating everything.

GRAX maintains isolated accounts with cross-account automation for all "GRAX Cloud" environments, and recommends the same exact security best practices and service to self-managed customers.

## Do you require Administrator (AWS) or Owner (Azure) permissions?

To create and continually manage deployments, GRAX requests a high level of continual access to cloud providers.

Creating resources and automatically updating resources for maintenance, security, and architecture improvements requires a high level of permission. Granting cloud platform managed policies like the Administrator and Owner roles is the most straightforward way to guarantee everything works continually, and it allows GRAX to administer your deployment with minimal manual intervention by your Operations teams.

But all permissions are ultimately in your control. If you no longer wish GRAX to have access to the Cloud account dedicated to the GRAX Application, the associated roles and principals can be destroyed. However, GRAX cannot manage your deployment by providing support, patching, updates, improvements, or monitoring for infrastructure deployed in Cloud environments that we do not have access to or to which access was prevented for an extended period of time, even if access is restored.

If your security policies don't allow cross-account access or require permissions that are not suitable to create and update GRAX resources, self-managed deployments do not require granting any access to GRAX.

## What are the security implications of GRAX's cross-account access?

At GRAX, information security is job number one. We have designed security into every layer of our product and system management. Cross-account access, combined with fully automated system setup and updates, provides the best security for all our customers and their sensitive data. GRAX uses the following best security practices:

### **Isolation starting at the Account Layer**

Account isolation eliminates the risk of GRAX systems accessing other systems and data and vice-versa. GRAX requires that you run in an isolated account. Our certified templates provide further isolation at the VPC, EC2, database, and storage layers.

### **Automation to set up and manage systems**

Automation eliminates configuration mistakes on first setup and enables fast delivery of updates for critical security improvements.

Automation removes people from the process; people are prone to make configuration mistakes and can be slow to apply security updates. Configuration mistakes and running outdated components are in the [top 10 application security risks](https://owasp.org/www-project-top-ten/).

GRAX utilizes Terraform for the deployment of all infrastructure. The Terraform modules are available on request for review.

### **Password-less IAM roles**

Password-less roles eliminate the risk of leaking credentials, guarantee that only authorized machines have access to systems, and leave an audit trail.

This eliminates static credentials that can leak and need to be rotated. It also improves auditability: any access to your account other than the GRAX role, and any access to your bucket other than the GRAX Instance role, can trigger a security review.

### How can I audit GRAX's cross-account access?

All cross-account API calls are logged by AWS to [CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). These logs always include the Role ARN and required Role Session Name, both of which include "GRAX". With the cross-account role, anything other than the GRAX role in CloudTrail logs is suspicious.

You can set up [CloudWatch alarms for CloudTrail events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html) to filter events and send notifications when anything other than the expected roles access your systems.
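
The filtering described above, as an added example that is not GRAX's or AWS's own code: it scans CloudTrail records and flags any event whose principal is not an assumed role with "GRAX" in both the role name and the session name. The account ID, role names and session names are constructed for illustration; in practice, pin the exact role ARN from your own account rather than a substring.

```python
import json

MARKER = "grax"  # per the page, role ARN and session name both include "GRAX"

def _rec(time, name, ident):
    return {"eventTime": time, "eventName": name, "userIdentity": ident}

def _assumed(role, session, acct="111122223333"):
    # Shape of userIdentity for an assumed-role call in a CloudTrail record.
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{acct}:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": f"arn:aws:iam::{acct}:role/{role}"}}}

# Constructed sample records; account ID, role and session names are hypothetical.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "DescribeInstances",
         _assumed("GRAXCrossAccountRole", "GRAX-deploy")),
    _rec("2024-01-01T10:05:00Z", "GetObject",
         {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}),
    _rec("2024-01-01T10:10:00Z", "PutRolePolicy",
         _assumed("GRAXCrossAccountRole", "adhoc-session")),
    _rec("2024-01-01T10:15:00Z", "RunInstances",
         _assumed("OtherAdminRole", "GRAX-deploy")),
]})

def principal_of(record):
    """Return (role_arn, session_name); session is None if not an assumed role."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return ident.get("arn", ident.get("type", "unknown")), None
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    # Assumed-role ARN ends in .../<role-name>/<session-name>
    return issuer.get("arn", ""), ident.get("arn", "").rsplit("/", 1)[-1]

def is_expected(record):
    role_arn, session = principal_of(record)
    if session is None:          # IAM users, root, services: never the GRAX role
        return False
    role_name = role_arn.rsplit("/", 1)[-1]
    # Both the role name and the session name must carry the marker.
    return MARKER in role_name.lower() and MARKER in session.lower()

def suspicious_events(log_text):
    """List (time, event, principal, session) for every non-GRAX caller."""
    return [(r["eventTime"], r["eventName"], *principal_of(r))
            for r in json.loads(log_text)["Records"] if not is_expected(r)]

if __name__ == "__main__":
    for event in suspicious_events(SAMPLE_LOG):
        print(event)
```
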

### How can I update a Platform connection with new credentials?

{% hint style="danger" %}
Before proceeding, confirm that the credentials you are adding to Platform are for the same cloud account and have full access to manage (Create, Update, Destroy) any Cloud resources deployed with the current credentials.
{% endhint %}

1. [Log in](/platform/platform-basics.md#logging-in) to [Platform](https://platform.grax.com/)
2. In the lower left corner, select the team configured with the existing connection
3. Select "Connections" from the left-hand menu
4. Delete the existing connection
5. Click the appropriate button to [connect](/platform/platform-basics.md#connecting-a-cloud-account) your cloud account with your new credentials.

### Can I remove GRAX's cross-account access?

GRAX always leaves you in total control. At any time you can remove the cross-account role with the IAM Delete Role operation. Removal of GRAX's access to manage your applications and infrastructure constitutes a termination of GRAX's responsibility to manage, patch, upgrade, and monitor your deployment. If you remove GRAX's access, you are responsible for the security and maintenance of your deployment as well as all future upgrades. GRAX does not guarantee that a deployment can be restored to a managed state after access has been removed for any period of time.

If GRAX discovers that access has been removed, GRAX will notify the applicable application owners repeatedly over a reasonable period, but has no means to restore access independently.

