Security

IdleLens is read-only. It never modifies, stops, or deletes AWS resources. Here is exactly how access works.

How access works

You create an IAM role in your AWS account using our CloudFormation template. The role includes an External ID condition — a secret shared only between you and IdleLens — so even if someone discovers your role ARN, they cannot assume it without the External ID.

IdleLens assumes the role only during scans. It never stores your AWS credentials or the assumed-role session tokens. The role can be deleted from your AWS console at any time to revoke access instantly.

Exact permissions

The IAM policy is scoped to read-only Describe, List, Get, and CloudWatch actions. No Delete*, Stop*, Terminate*, Update*, Put*, or Create* actions appear in the policy — enforced by the policy itself, not just by convention.

ServiceActions
STSsts:GetCallerIdentity
Cost Explorerce:GetCostAndUsage
CloudWatchcloudwatch:GetMetricStatistics, cloudwatch:GetMetricData, cloudwatch:ListMetrics
EC2ec2:DescribeAddresses, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeNatGateways, ec2:DescribeNetworkInterfaces, ec2:DescribeSnapshots, ec2:DescribeTransitGatewayAttachments, ec2:DescribeVolumes, ec2:DescribeVpcEndpoints, ec2:DescribeRegions
ELB v2elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, elasticloadbalancing:DescribeTags
RDSrds:DescribeDBInstances, rds:ListTagsForResource
Lambdalambda:ListFunctions, lambda:ListEventSourceMappings, lambda:ListProvisionedConcurrencyConfigs, lambda:ListTags, lambda:GetFunction, lambda:GetPolicy
CloudWatch Logslogs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents, logs:ListTagsLogGroup
ACM Private CAacm-pca:ListCertificateAuthorities, acm-pca:DescribeCertificateAuthority, acm-pca:ListTags
SageMakersagemaker:ListEndpoints, sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:ListTags

What IdleLens stores

What IdleLens never stores

Data retention

Scan results and findings are retained for 90 days. To request earlier deletion of your workspace data, email support@idlelens.com.

Responsible disclosure

Found a security issue? Email support@idlelens.com directly. We respond within one business day during the pilot phase.