Designed with security at the foundation
We audit your AWS environment without ever touching your infrastructure. Here’s exactly how we handle access, data, and trust.
How access works
You create the role
You create a read-only IAM role in your account with our trust policy. You are always in control.
We assume it temporarily
KloudLytics calls STS AssumeRole with your external ID to get short-lived credentials for a single scan.
Credentials expire automatically
Temporary credentials auto-expire. We never persist access tokens or store long-lived credentials.
IAM role setup reference
The onboarding wizard guides you through this interactively. For teams that prefer to review or automate the setup before signing up, here are both paths.
AWSTemplateFormatVersion: "2010-09-09"
Description: KloudLytics read-only security audit role
Parameters:
  ExternalId:
    Type: String
    Description: Unique external ID — provided during KloudLytics onboarding
Resources:
  KloudLyticsAuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: KloudLyticsAuditRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # KloudLytics AWS account — shown during onboarding
              AWS: arn:aws:iam::KLOUDLYTICS_ACCOUNT_ID:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/ReadOnlyAccess
Outputs:
  RoleArn:
    Description: Paste this ARN into KloudLytics to complete setup
    Value: !GetAtt KloudLyticsAuditRole.Arn
Read-only. Agentless. Your data stays yours.
KloudLytics is designed with security at the foundation. We audit your environment without ever touching your data or infrastructure.
Read-Only Access
KloudLytics never writes to your AWS account. All permissions are read-only by design.
Agentless Architecture
No agents, no SDKs installed in your environment. Scans run from outside via AWS APIs.
Your Data Stays Yours
Collected data is isolated per organization. We never cross-reference accounts between customers.
External ID Trust
Cross-account roles require a unique external ID — protecting against confused deputy attacks.
Security FAQ
What AWS permissions does KloudLytics require?
KloudLytics only requires read-only IAM permissions. We use AWS managed policies (SecurityAudit, ReadOnlyAccess) scoped to the services we analyze. We never request write permissions of any kind.
How does cross-account access work?
You create an IAM role in your AWS account with a trust policy that allows KloudLytics's AWS account to assume it. The role requires a unique external ID we generate — this prevents confused deputy attacks where another AWS customer could trick AWS into granting them access.
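As an added example (not KloudLytics code), the following Python script checks a rendered trust policy and the role's attached managed policies for exactly the properties the template and this answer describe: one trusted AWS account rather than a wildcard principal, sts:AssumeRole as the only action, an sts:ExternalId condition carrying the ID issued at onboarding, and only the two read-only managed policies attached. The account ID and external ID it uses are constructed placeholders, and the function names are the example's own.

```python
"""Offline checks for a cross-account audit role (added example, not KloudLytics code).

Input is the trust policy as JSON (what CloudFormation renders from the
AssumeRolePolicyDocument in the template) plus the attached managed-policy ARNs.
Output is a list of findings; an empty list means the role looks as described.
"""
import json

# Managed policies the template attaches; anything else is reported.
ALLOWED_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy, expected_account, expected_external_id):
    """Return findings for every Allow statement in the trust policy."""
    findings = []
    statements = [s for s in _as_list(trust_policy.get("Statement"))
                  if s.get("Effect") == "Allow"]
    if not statements:
        return ["no Allow statement: nobody can assume the role"]

    for i, stmt in enumerate(statements):
        # The role should be assumable and nothing more.
        extra = set(_as_list(stmt.get("Action"))) - {"sts:AssumeRole"}
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {sorted(extra)}")

        # Exactly one trusted account, never a wildcard.
        principal = stmt.get("Principal")
        principals = []
        if principal == "*":
            findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
        elif isinstance(principal, dict):
            other_types = sorted(set(principal) - {"AWS"})
            if other_types:
                findings.append(f"statement {i}: non-AWS principal types: {other_types}")
            principals = _as_list(principal.get("AWS"))
        else:
            findings.append(f"statement {i}: unreadable Principal {principal!r}")
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
            elif expected_account not in p:
                findings.append(f"statement {i}: unexpected principal {p}")

        # The external ID condition is the confused-deputy protection: without
        # it, anyone who can make the trusted account call AssumeRole on this
        # role's ARN would be granted access.
        condition = stmt.get("Condition") or {}
        external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {i}: external ID does not match the one issued at onboarding")
    return findings


def check_attached_policies(policy_arns):
    """Return attached managed policies that are not on the read-only allow list."""
    return sorted(set(policy_arns) - ALLOWED_MANAGED_POLICIES)


# Constructed sample: what the template renders, with placeholder account and ID.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_EXTERNAL_ID = "example-external-id-0001"
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}
  }]
}""")

# Same policy with the condition removed: the gap the external ID closes.
WEAK_TRUST_POLICY = json.loads(json.dumps(GOOD_TRUST_POLICY))
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, check_trust_policy(policy, SAMPLE_ACCOUNT, SAMPLE_EXTERNAL_ID) or "ok")
    print(check_attached_policies(
        ALLOWED_MANAGED_POLICIES | {"arn:aws:iam::aws:policy/AdministratorAccess"}))
```

Run it against the JSON that `aws iam get-role` returns for the role, or against the rendered template in a pipeline, to confirm the deployed role still matches what was reviewed. Note that ReadOnlyAccess is broader than SecurityAudit (it includes data-plane reads such as s3:Get*), so treat the attached-policy allow list as a baseline and tighten it to your own list where that matters.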
Where is my scan data stored?
Collected JSON data from your AWS account is stored in S3 buckets scoped to your organization ID. It is never shared with other customers. Reports and findings are stored in an isolated PostgreSQL database with row-level organization scoping.
Does KloudLytics install anything in my environment?
No. KloudLytics is fully agentless. We connect to your account through the AWS APIs, authenticating with STS AssumeRole. Nothing is installed, deployed, or run inside your AWS account.
Is the connection encrypted?
Yes. All communication between KloudLytics and your AWS account happens over HTTPS/TLS. AWS API calls are signed with STS-issued temporary credentials that expire automatically.
How long are credentials valid?
KloudLytics uses STS AssumeRole to generate short-lived temporary credentials for each scan. These credentials expire automatically and are never stored long-term.
Start securing your AWS in minutes, not months.
Agentless setup. No credit card required. Get your first posture score in under 5 minutes.