Security & Trust

How GetInfraDesk connects to your AWS account

InfraDesk connects via a read-only IAM role. We scan. We suggest. We document. Nothing changes in your AWS account until your team explicitly approves it.

Read-only IAM scan
CloudFormation setup — no credential sharing
External ID protected
No changes during scan
Approval required before every fix
Revoke in 60 seconds
Read-only IAM access
No production changes during scan
Approval required before every fix
Revoke access anytime from AWS Console

Read-only by default

InfraDesk scans. Your team decides. Nothing changes without approval.

During every scan, InfraDesk uses read-only AWS permissions. It reads resource metadata, cost data, CloudWatch metrics, and tag information to build your waste report. It does not modify, stop, delete, or change any AWS resource during scan.

Supported cleanup actions are presented as a fix plan in your Waste Inbox. Each action requires your explicit approval before anything is executed. You decide what to act on and when.

Data access

What InfraDesk reads

EC2: Instance state, type, launch time, tags
EBS: Volume state, size, attachment status, tags
RDS: Instance state, engine, size, tags
Elastic Load Balancing: Load balancer state, target group health
Elastic IPs: Allocation and association status
Cost Explorer: Monthly and daily cost and usage data
CloudWatch: CPU and network metrics for idle detection
Resource Groups Tagging: Tag keys and values for owner gap analysis
IAM (read-only): GetCallerIdentity to verify role assumption
Organizations (optional): Account list for multi-account org discovery

What InfraDesk never reads

Application source code or repositories
S3 bucket contents or object data
Secrets Manager or Parameter Store values
Database contents or query data
CloudTrail log contents
VPC traffic or network packet data
IAM user passwords or access keys
KMS key material
Personal data or PII stored in AWS

AWS access

How AWS access works

1. You deploy a read-only CloudFormation stack
A one-click CloudFormation template creates a read-only IAM role in your AWS account. The template is open-source on GitHub — review every permission before you deploy a single resource.
2. InfraDesk assumes the role with External ID
InfraDesk uses AWS STS AssumeRole with a unique External ID embedded in your role trust policy. This prevents any other AWS account from assuming your role — even if they know the role ARN.
3. Scan runs with read-only access
InfraDesk reads resource metadata, cost data, and CloudWatch metrics. No credentials are stored. The temporary session expires automatically.
4. You review the waste report
Your Waste Inbox shows idle resources with evidence, monthly cost, and risk level. Supported fix plans require your explicit approval before anything executes.
The CloudFormation template is open-source. Review it on GitHub →

External ID — Confused Deputy Protection

What is the External ID?

When InfraDesk assumes your IAM role using AWS STS, it must provide a unique External ID that matches the one embedded in your role trust policy. This is a security mechanism that prevents the confused deputy attack.

How confused deputy protection works:
1. Without External ID — any AWS account that knows your role ARN could potentially assume it.
2. With External ID — even if someone knows your role ARN, they cannot assume it without the secret External ID that only InfraDesk knows.
3. Your External ID is unique to your InfraDesk account and is embedded in the CloudFormation template during setup.
✓ The External ID is generated uniquely per InfraDesk account. You cannot use one customer's External ID to access another customer's AWS account.

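The role-assumption flow in steps 1 and 2 above and the External ID mechanism described here can be seen concretely in a trust policy. The following Python is an added example written for this page; it is not InfraDesk's code and it is not the CloudFormation template. The vendor account ID and the External ID are constructed placeholders, and assume_role_allowed is a deliberately simplified model of how IAM evaluates a trust policy (it checks the Principal account and the sts:ExternalId condition only, not explicit denies, SCPs or session policies). It builds both the protected and the unprotected trust policy and runs the same AssumeRole requests against each, so the reader can see which request the ExternalId condition is actually there to stop.

```python
import json
from typing import Optional

# Constructed values for this example; they are not InfraDesk's real account ID
# or a real External ID. The vendor account is the one that calls AssumeRole.
VENDOR_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-ext-id-7f3c2a9e"


def build_trust_policy(vendor_account_id: str, external_id: Optional[str]) -> dict:
    """Trust policy for a cross-account scan role.

    Only the vendor's AWS account may call sts:AssumeRole, and when an
    external_id is given the caller must also present it (sts:ExternalId).
    Passing None produces the weaker policy without the condition, built
    here only to show the gap it leaves.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(trust_policy: dict, caller_account_id: str,
                        presented_external_id: Optional[str]) -> bool:
    """Simplified trust-policy evaluation for one AssumeRole request.

    Checks the two things that matter for confused-deputy protection: the
    calling account must match the Principal, and any sts:ExternalId
    condition must equal what the caller presented. Real IAM evaluation
    also applies explicit denies, SCPs and session policies.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and presented_external_id != required:
            continue
        return True
    return False


def confused_deputy_scenarios(vendor_account_id: str, external_id: str) -> dict:
    """Run the same requests against a protected and an unprotected role."""
    protected = build_trust_policy(vendor_account_id, external_id)
    unprotected = build_trust_policy(vendor_account_id, None)
    return {
        # Legitimate scan: the vendor presents this customer's own External ID.
        "vendor_with_correct_id": assume_role_allowed(protected, vendor_account_id, external_id),
        # Confused deputy: a different tenant hands the vendor this role's ARN, so the
        # vendor would call AssumeRole carrying that tenant's External ID, not ours.
        "vendor_with_other_tenant_id": assume_role_allowed(protected, vendor_account_id, "other-tenant-id"),
        # An unrelated account is stopped by the Principal check alone.
        "outsider_with_correct_id": assume_role_allowed(protected, "222222222222", external_id),
        # Without the condition the confused-deputy request above would succeed.
        "unprotected_vendor_any_id": assume_role_allowed(unprotected, vendor_account_id, "other-tenant-id"),
    }


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for name, allowed in confused_deputy_scenarios(VENDOR_ACCOUNT_ID, EXTERNAL_ID).items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The outsider scenario is worth noticing: the Principal element already keeps unrelated accounts out, so the External ID is not what blocks them. Its job is the third scenario, where the trusted vendor itself is pointed at your role on someone else's behalf; only the sts:ExternalId condition distinguishes that request from a legitimate scan. When reviewing the deployed template, confirm that the condition is present in the trust policy and that the value is the one shown in your own InfraDesk setup.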
IAM Policy — Read-only Scan Role

The exact permissions InfraDesk requests

Every permission in the read-only scan role is listed in the open-source CloudFormation template. Here is the scope of what InfraDesk can read during a scan:

// Read-only scan role — selected actions
"ec2:Describe*", // instance state, volumes, IPs, SGs
"rds:Describe*", // instance state, engine, size
"elasticloadbalancing:Describe*", // LB state, target groups
"cloudwatch:GetMetricStatistics", // CPU, network — idle detection
"ce:GetCostAndUsage", // cost data only
"tag:GetResources", // tag key/value pairs
"sts:GetCallerIdentity", // verify role assumption
"organizations:ListAccounts", // multi-account discovery (optional)
// No s3:GetObject, no secretsmanager:*, no iam:* write actions
View full policy on GitHub →
View IAM permissions doc →

Cleanup / Remediation Role
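The page asks you to review every permission in the template before deploying. The following Python is an added example of how a reviewer can do that mechanically; it is not InfraDesk's code or part of the template. SCAN_ROLE_POLICY wraps the actions listed above into a policy document for the purpose of the check, and OVERLY_BROAD_POLICY is a constructed counter-example. The audit treats Describe/Get/List verbs as read-only, flags service wildcards and Allow+NotAction statements, and separately flags read verbs that still return data rather than metadata (the reason the snippet above calls out s3:GetObject by name even though it is a "Get" action). The sensitive-action list is an assumption for this example, not an exhaustive catalogue.

```python
import fnmatch
import json

# The scan-role actions listed on this page, wrapped into a policy document so the
# audit has a realistic input. This is the input under test, not the full template.
SCAN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyScan",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "rds:Describe*",
            "elasticloadbalancing:Describe*",
            "cloudwatch:GetMetricStatistics",
            "ce:GetCostAndUsage",
            "tag:GetResources",
            "sts:GetCallerIdentity",
            "organizations:ListAccounts",
        ],
        "Resource": "*",
    }],
}

# Constructed counter-example with the kinds of grant a reviewer should catch.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:Get*", "iam:PassRole", "kms:Decrypt", "rds:Describe*"],
        "Resource": "*",
    }],
}

READ_ONLY_VERBS = ("Describe", "Get", "List")

# Read actions that return data rather than metadata. A metadata-only scan role
# has no need for them, so any grant pattern that can match one is flagged.
# Assumed list for this example; extend it for your own review.
SENSITIVE_READS = (
    "s3:GetObject",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "dynamodb:GetItem",
)


def classify_action(action: str) -> str:
    """'read' for Describe/Get/List verbs, 'wildcard' for * or service:*, else 'non_read'."""
    if action == "*":
        return "wildcard"
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return "wildcard"
    if verb.startswith(READ_ONLY_VERBS):
        return "read"
    return "non_read"


def audit_policy(policy: dict) -> dict:
    """Return every Allow grant that breaks the read-only-metadata expectation."""
    findings = {"non_read": [], "wildcard": [], "sensitive_read": [], "not_action": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings["not_action"].append(stmt.get("Sid", "<no Sid>"))
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            kind = classify_action(action)
            if kind != "read":
                findings[kind].append(action)
            elif any(fnmatch.fnmatchcase(s, action) for s in SENSITIVE_READS):
                findings["sensitive_read"].append(action)
    return findings


def is_metadata_read_only(policy: dict) -> bool:
    """True only when the audit produces no finding in any category."""
    return not any(audit_policy(policy).values())


if __name__ == "__main__":
    for name, policy in (("scan role", SCAN_ROLE_POLICY), ("overly broad", OVERLY_BROAD_POLICY)):
        print(name, "->", json.dumps(audit_policy(policy)))
```

Run against the actions on this page the audit returns no findings; against the constructed broad policy it reports ec2:* as a wildcard, iam:PassRole and kms:Decrypt as non-read actions, and s3:Get* as a sensitive read. Point the same function at the policy document pulled from the downloaded CloudFormation template to check that what is deployed matches what is described.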

The cleanup role is separate — and approval-gated

The read-only scan role cannot make any changes. If you choose to use InfraDesk's approval-based fix plans, a separate, scoped cleanup role is deployed with only the minimum permissions needed for the specific actions you approve.

The cleanup role is opt-in — you deploy it only if you want to use fix plans.
Fix actions only execute after your explicit approval in the InfraDesk dashboard.
The cleanup role is scoped to the minimum permissions needed — not a broad admin role.
Every action taken via the cleanup role is logged in your audit trail with timestamp and approver.
⚠ The scan role and the cleanup role are completely separate IAM roles. Deploying the scan role does not give InfraDesk any write access.

Revoke access

Remove InfraDesk access anytime

You can remove InfraDesk access to your AWS account at any time by deleting the CloudFormation stack.

1. Open AWS Console → CloudFormation → Stacks
2. Find the stack named InfraDeskAccess-* (or the name you chose)
3. Select the stack → click Delete
4. Confirm deletion — the IAM role is removed immediately
✓ Revoking access does not delete or modify any AWS resource. Your existing reports remain in InfraDesk.
Full revoke instructions →

Data handling

What InfraDesk stores

AWS credentials: Never stored. Role-based access only.
Resource metadata: Stored to generate your waste report (instance IDs, sizes, tags, state).
Cost data: Monthly and daily spend stored for reporting.
CloudWatch metrics: Used for idle detection. Not stored long-term.
S3 contents: Never accessed or stored.
Database data: Never accessed or stored.
Secrets or keys: Never accessed or stored.

FAQ

Security questions

Can InfraDesk delete my AWS resources?
No. During scan, InfraDesk uses read-only permissions only. For supported cleanup actions, InfraDesk shows you a fix plan. You must explicitly approve each action. Nothing is executed without your approval.

Does InfraDesk store my AWS credentials?
No. InfraDesk never stores AWS access keys or secret keys. Access is granted through a cross-account IAM role using AWS STS AssumeRole with a unique External ID. Your credentials are never transmitted to InfraDesk.

What is the External ID and why is it required?
The External ID is a unique string added to your IAM role trust policy. It prevents the confused deputy attack — ensuring only InfraDesk can assume the role, not any other AWS account that might guess the role ARN.

How do I revoke InfraDesk access?
Delete the CloudFormation stack named InfraDeskAccess-* from your AWS Console. This removes the IAM role immediately. InfraDesk cannot access your account after the role is deleted.

Does revoking access delete my data or reports?
No. Revoking access only removes InfraDesk's ability to scan your account going forward. Your existing waste reports remain accessible in your InfraDesk dashboard.

Can I review the CloudFormation template before deploying?
Yes. The full CloudFormation template is open-source and available on GitHub. You can review every permission before deploying.

Does InfraDesk access my S3 data or database contents?
No. InfraDesk reads resource metadata only — instance state, volume size, tags, cost data. It never reads S3 object contents, database data, secrets, or application code.

What happens if I approve a fix and something goes wrong?
For supported actions, InfraDesk shows pre-action context before execution. Some actions support snapshot-based recovery where available. All approved actions are logged in your audit trail. InfraDesk does not guarantee rollback for all resource types — review the pre-action context before approving.

Ready to connect your AWS account?

Read-only access. No production changes during scan.

Scan My AWS Account Free →
View IAM permissions →