Security
How we connect to your cloud, what we can see, and what we do with your data. No marketing — just the technical details.
ec2:Describe*, s3:ListAllMyBuckets, and sts:GetCallerIdentity. Nothing else.
We use the industry-standard cross-account AssumeRole pattern. This is the same mechanism used by AWS Organizations, Datadog, Prisma Cloud, and every major cloud tool.
You create an IAM role in your account
The role trusts our broker account (590183704419) with a unique External ID tied to your session. This prevents confused deputy attacks.
We assume the role with a 15-minute session
Our broker calls sts:AssumeRole with DurationSeconds=900 (15 minutes). The temporary credentials expire automatically.
We run read-only API calls
Count EC2 instances, list S3 bucket names, verify account identity. We cannot read bucket contents, modify resources, or access any other service.
Session expires, credentials are discarded
After the scan completes, the temporary STS token expires. We do not cache or persist AWS credentials.
| Permission | What it does | What it cannot do |
|---|---|---|
| ec2:Describe* | Count instances, list regions, read instance metadata | Cannot start, stop, terminate, or modify any instance |
| s3:ListAllMyBuckets | Count bucket names | Cannot read, download, delete, or list objects inside any bucket |
| sts:GetCallerIdentity | Verify we are in your account (returns account ID and ARN) | Cannot assume other roles or escalate privileges |
You can verify every API call we make by checking your CloudTrail logs.
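One way to run that CloudTrail check, as an added example (not the vendor's code): it audits CloudTrail records for the role named in this page's CLI command against the four event names the page lists for independent verification, and checks each AssumeRole into that role for the broker account, an External ID, and the 900-second limit. Account 111122223333, the event IDs and the sample records are constructed, and the record fields used (`sessionIssuer`, `externalId`, `durationSeconds`) are assumed to appear as in CloudTrail's standard record layout.

```python
BROKER_ACCOUNT = "590183704419"              # broker account ID stated on this page
ROLE_SUFFIX = ":role/CloudOperatorReadOnly"  # role name from the page's CLI command
EXPECTED = {"DescribeInstances", "DescribeRegions", "ListBuckets", "GetCallerIdentity"}
MAX_DURATION = 900                           # 15-minute session stated on this page

def audit(records):
    """Return (eventID, reason) findings for a list of CloudTrail record dicts."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        name = rec.get("eventName")
        if name == "AssumeRole" and params.get("roleArn", "").endswith(ROLE_SUFFIX):
            if ident.get("accountId") != BROKER_ACCOUNT:
                findings.append((rec["eventID"], "assumed by unexpected account"))
            if not params.get("externalId"):
                findings.append((rec["eventID"], "no External ID supplied"))
            # STS defaults to 3600 s when DurationSeconds is omitted.
            if params.get("durationSeconds", 3600) > MAX_DURATION:
                findings.append((rec["eventID"], "session longer than 900 s"))
            continue
        issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn", "")
        if ident.get("type") == "AssumedRole" and issuer.endswith(ROLE_SUFFIX):
            if name not in EXPECTED:
                # Denied calls are logged too; an attempt outside scope is still a finding.
                outcome = rec.get("errorCode", "succeeded")
                findings.append((rec["eventID"], f"unexpected call {name} ({outcome})"))
    return findings

ROLE_ARN = "arn:aws:iam::111122223333:role/CloudOperatorReadOnly"  # constructed account ID
def _call(event_id, name, **extra):  # constructed record: API call made with the role session
    ident = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}
    return {"eventID": event_id, "eventName": name, "userIdentity": ident, **extra}

def _assume(event_id, account, **params):  # constructed cross-account AssumeRole record
    ident = {"type": "AWSAccount", "accountId": account}
    return {"eventID": event_id, "eventName": "AssumeRole", "userIdentity": ident,
            "requestParameters": {"roleArn": ROLE_ARN, **params}}

# Constructed sample records; every value below is made up for illustration.
SAMPLE = [
    _assume("e1", BROKER_ACCOUNT, externalId="example-external-id", durationSeconds=900),
    _call("e2", "DescribeInstances"), _call("e3", "ListBuckets"),
    _call("e4", "RunInstances", errorCode="Client.UnauthorizedOperation"),
    _assume("e5", "999988887777", durationSeconds=3600),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed it the `Records` array from an exported CloudTrail log file in place of `SAMPLE`; an empty result means every logged call through the role stayed within the documented set.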
Scan results
Instance count, bucket count, region list, risk flags, and generated insights. Stored as JSON attached to your session record. No raw AWS API responses are persisted.
Scan history
Up to 5 previous scan snapshots for trend comparison. Older snapshots are automatically dropped.
IAM Role ARN
The Role ARN and External ID you provided, encrypted at rest using AES-256-GCM. Used to re-assume the role for subsequent scans. Deleted when you disconnect.
What we never store
| Data type | Retention |
|---|---|
| Scan results & insights | While your account is active. Deleted on request. |
| Scan history (comparisons) | Last 5 snapshots. Oldest auto-deleted. |
| Encrypted Role ARN | Until you disconnect. Immediately deleted on disconnect. |
| STS session tokens | Never stored. Used in-memory only. Expire after 15 minutes automatically. |
Delete the IAM role from your AWS account. That's it. We can no longer assume the role and all future scan attempts will fail.
AWS Console → IAM → Roles → Find the CloudOperator role → Delete
Or via CLI: aws iam delete-role --role-name CloudOperatorReadOnly
We are transparent about where we are in our compliance journey:
You don't have to trust our word. Here's how to verify independently:
DescribeInstances, ListBuckets, GetCallerIdentity, and DescribeRegions.
If you're running a vendor security review, we're happy to answer a security questionnaire or get on a call.