🌰 How we access your AWS account
Plain-language summary of what Savings Squirrel Copilot can and can't do once you connect an account.
Read-only, by construction
You connect your AWS account by deploying a CloudFormation template we generate for you. It creates one IAM role with a fixed, read-only permission set — we never ask for write access, and there is no way for us to request broader permissions later without you deploying a new template. Today that permission set is:
ce:GetCostAndUsage— billing datacompute-optimizer:Get*,ec2:Describe*,ec2:List*— instance and volume metadataelasticloadbalancing:Describe*,rds:Describe*,rds:List*— load balancer and database metadatas3:List*,s3:GetBucketLocation,s3:GetBucketTagging— bucket listing and tags, never object contents
External ID, not a shared secret
The trust policy requires a random, per-account external ID (the cross-account access pattern AWS itself recommends) — nobody else can assume the role, even if they guessed our account ID.
Where it runs
Account scanning runs in AWS us-east-1; this site runs on Vercel. Findings are stored in a dedicated Postgres database; nothing is shared with or sold to third parties.
What we haven't done yet
We're an early-stage product and don't have a SOC 2 report yet — that's a multi-month undertaking we're deliberately deferring until it's actually warranted. If a formal audit is a hard requirement for your organization today, tell us — it changes our timeline.
← Back