Read-only. Always.
Here's the proof.

CostPatrol connects via a CloudFormation-deployed IAM role with zero write permissions. We observe and report. We never modify your infrastructure. Below is every permission we request and why.

Three steps. Zero credentials stored.

01. You deploy a CloudFormation template

One-click deployment in your AWS account. Creates a read-only IAM role with an external ID unique to your account. No agents, no long-term credentials.

Takes under 2 minutes

02. CostPatrol assumes the role temporarily

1-hour STS session tokens. No stored credentials. The external ID condition on the role's trust policy prevents confused-deputy attacks.

MaxSessionDuration: 3600 seconds

03. We scan and report. That's it.

Read-only API calls to describe and list resources. Results packaged as savings actions and delivered to Slack.

No state changes. Ever.
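As an added example (not CostPatrol's template or code), here is the check a customer can run on the role's trust policy before deploying it: it confirms that only the vendor account can assume the role, that every AssumeRole grant requires sts:ExternalId, and that MaxSessionDuration is at most 3600 seconds. The vendor account ID and external ID below are placeholders.

```python
from typing import Any, Dict, List

# Constructed sample, not CostPatrol's template: the trust policy a customer
# would expect on the read-only role. The vendor account ID and external ID
# below are placeholders (assumption).
VENDOR_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id-unique-to-this-account"

TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

def as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy: Dict[str, Any], vendor_account: str,
                       max_session_seconds: int) -> List[str]:
    """Return findings a customer reviewer should clear before deploying.
    An empty list means: every AssumeRole grant names only the vendor account,
    demands sts:ExternalId, and the role's session cap is at most one hour."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower().startswith("sts:assumerole")
                   for a in as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in trusted:
            if p == "*" or vendor_account not in p:
                findings.append(f"trusts unexpected principal: {p}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("AssumeRole grant has no sts:ExternalId condition")
    if max_session_seconds > 3600:
        findings.append(f"MaxSessionDuration {max_session_seconds}s exceeds 3600s")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY, VENDOR_ACCOUNT, 3600))
```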

Every permission we request

These are the exact IAM actions in our CloudFormation template. Nothing more. Nothing hidden.

Service, permissions, and why we need them:

Cost Explorer
  Permissions: ce:GetCostAndUsage, ce:GetCostForecast, ce:GetDimensionValues, ce:GetTags, ce:GetReservationUtilization, ce:GetSavingsPlansUtilization
  Why we need it: Pull daily cost data, forecast trends, analyze by service and tag

CloudWatch
  Permissions: cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics
  Why we need it: Measure CPU, memory, throughput to detect idle and oversized resources

CloudWatch Logs
  Permissions: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:StartQuery, logs:GetQueryResults
  Why we need it: Audit log retention settings and data volume for cost optimization

EC2
  Permissions: ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeFastSnapshotRestores, ec2:DescribeNatGateways, ec2:DescribeVpcEndpoints, ec2:DescribeVpcs, ec2:DescribeAddresses, ec2:DescribeSnapshots
  Why we need it: Inventory instances, volumes, NAT gateways, Elastic IPs, and snapshots for waste detection

Lambda
  Permissions: lambda:ListFunctions, lambda:GetFunction
  Why we need it: Check architecture (ARM64 vs x86), memory allocation, runtime version

RDS
  Permissions: rds:DescribeDBInstances, rds:DescribeDBSnapshots, rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters, rds:DescribeReservedDBInstances
  Why we need it: Find idle databases, cluster sprawl, and reserved instance utilization

DynamoDB
  Permissions: dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:DescribeContinuousBackups, dynamodb:ListTagsOfResource
  Why we need it: Audit capacity mode, TTL settings, backup config, and usage patterns

S3
  Permissions: s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketVersioning, s3:GetLifecycleConfiguration, s3:GetBucketTagging
  Why we need it: Check lifecycle rules, versioning, and storage class optimization

ELB
  Permissions: elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth
  Why we need it: Find idle or unused load balancers

ECS
  Permissions: ecs:ListClusters, ecs:DescribeClusters, ecs:ListServices, ecs:DescribeServices
  Why we need it: Inventory ECS services for capacity analysis

SageMaker
  Permissions: sagemaker:ListNotebookInstances, sagemaker:DescribeNotebookInstance, sagemaker:ListEndpoints, sagemaker:DescribeEndpoint
  Why we need it: Find idle notebook instances and endpoints

ElastiCache
  Permissions: elasticache:DescribeCacheClusters, elasticache:DescribeReplicationGroups, elasticache:DescribeReservedCacheNodes
  Why we need it: Audit cache clusters and reserved node utilization

Organizations
  Permissions: organizations:DescribeOrganization
  Why we need it: Detect org membership for multi-account discovery

IAM
  Permissions: iam:ListAccountAliases
  Why we need it: Get account alias for environment classification (prod/staging)

What we CANNOT do

Our IAM policy contains only Describe, Get, and List actions. The following operations are impossible with our permissions.

  • Create, modify, or delete any AWS resource
  • Access S3 object contents or log data contents
  • Modify IAM roles, policies, or permissions
  • Access secrets, parameters, or credentials in your account
  • Make any API call that changes state
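The two claims above (only Describe, Get and List verbs; no access to data contents) can be checked mechanically against the template's action list. This is an added example, not CostPatrol's code: the action list is a constructed subset of the table above, and the notes on which read actions return more than configuration metadata are my own assessment, flagged for the reviewer rather than taken from the page.

```python
from typing import Dict, Iterable, List

# Constructed sample input: a subset of the actions listed on the page.
# The customer's own CloudFormation template is the real input to review.
LISTED_ACTIONS = [
    "ce:GetCostAndUsage", "cloudwatch:GetMetricData", "logs:DescribeLogGroups",
    "logs:StartQuery", "logs:GetQueryResults", "ec2:DescribeInstances",
    "lambda:ListFunctions", "lambda:GetFunction", "s3:ListAllMyBuckets",
    "s3:GetLifecycleConfiguration", "iam:ListAccountAliases",
]

READ_PREFIXES = ("Describe", "Get", "List")

# Read-style actions whose responses carry more than configuration metadata.
# This mapping is my own assessment (assumption), not a statement from the page.
CONTENT_RETURNING = {
    "logs:GetQueryResults": "returns the log events matched by a Logs Insights query",
    "lambda:GetFunction": "returns environment variables and a download URL for the code",
}

def classify(action: str) -> str:
    """'wildcard' if * appears anywhere, 'read' for Describe/Get/List verbs,
    otherwise 'other' (not one of the three verbs; review whether it mutates state)."""
    if "*" in action:
        return "wildcard"
    _service, _, verb = action.partition(":")
    return "read" if verb.startswith(READ_PREFIXES) else "other"

def lint_actions(actions: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket every action so a reviewer can check the 'Describe, Get, List
    only' claim and see which read actions still return data contents."""
    report: Dict[str, List[str]] = {"read": [], "other": [], "wildcard": [], "review": []}
    for action in actions:
        report[classify(action)].append(action)
        if action in CONTENT_RETURNING:
            report["review"].append(f"{action}: {CONTENT_RETURNING[action]}")
    return report

if __name__ == "__main__":
    for bucket, items in lint_actions(LISTED_ACTIONS).items():
        print(bucket, items)
```

On the page's own list, logs:StartQuery lands in the "other" bucket because it carries none of the three verbs, and the two "review" entries are the reads to weigh against the "no data contents" statement.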

Data protection

Every layer of our stack is designed with defense in depth. Here is how we protect the data we collect.

Encryption in transit

All traffic encrypted with TLS 1.2+ (TLS 1.3 preferred). No plaintext connections accepted.

Encryption at rest

Data at rest encrypted with AES-256. DynamoDB server-side encryption enabled on all tables.

Multi-tenant isolation

Composite DynamoDB keys ensure strict tenant isolation. No customer can access another customer's data.

Security headers

HSTS headers enforced. CORS restricted to costpatrol.io. Content Security Policy applied.

WAF protection

AWS WAF active with rate limiting, SQL injection, and XSS protection rules.

Short-lived credentials

1-hour STS session tokens only. No long-term AWS credentials stored anywhere in our infrastructure.

Standards and certifications

SOC 2 Type II

In progress — target Month 12

Working toward SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria.

GDPR

Data processing agreement available

Data processing agreement available on request. We process only infrastructure metadata, not personal data.

Data retention

Configurable per account

Retention is configurable. All data deleted on account disconnection. No data held after offboarding.

Audit logging

2-year retention, immutable storage

All access and operations logged with 2-year retention in immutable storage for forensic analysis.

See exactly what we deploy. Then start your free scan.

Review the CloudFormation template yourself. Every permission is documented above. Read-only access, deployed in your account, under your control.