Security
IdleLens is read-only. It never modifies, stops, or deletes AWS resources. Here is exactly how access works.
How access works
You create an IAM role in your AWS account using our CloudFormation template. The role includes an External ID condition — a secret shared only between you and IdleLens — so even if someone discovers your role ARN, they cannot assume it without the External ID.
IdleLens assumes the role only during scans. It never stores your AWS credentials or the assumed-role session tokens. The role can be deleted from your AWS console at any time to revoke access instantly.
Exact permissions
The IAM policy is scoped to read-only Describe, List, Get, and CloudWatch actions. No Delete*, Stop*, Terminate*, Update*, Put*, or Create* actions appear in the policy — enforced by the policy itself, not just by convention.
| Service | Actions |
|---|---|
| STS | sts:GetCallerIdentity |
| Cost Explorer | ce:GetCostAndUsage |
| CloudWatch | cloudwatch:GetMetricStatistics, cloudwatch:GetMetricData, cloudwatch:ListMetrics |
| EC2 | ec2:DescribeAddresses, ec2:DescribeImages, ec2:DescribeInstances, ec2:DescribeNatGateways, ec2:DescribeNetworkInterfaces, ec2:DescribeSnapshots, ec2:DescribeTransitGatewayAttachments, ec2:DescribeVolumes, ec2:DescribeVpcEndpoints, ec2:DescribeRegions |
| ELB v2 | elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, elasticloadbalancing:DescribeTags |
| RDS | rds:DescribeDBInstances, rds:ListTagsForResource |
| Lambda | lambda:ListFunctions, lambda:ListEventSourceMappings, lambda:ListProvisionedConcurrencyConfigs, lambda:ListTags, lambda:GetFunction, lambda:GetPolicy |
| CloudWatch Logs | logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents, logs:ListTagsLogGroup |
| ACM Private CA | acm-pca:ListCertificateAuthorities, acm-pca:DescribeCertificateAuthority, acm-pca:ListTags |
| SageMaker | sagemaker:ListEndpoints, sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:ListTags |
What IdleLens stores
- Your AWS account ID and connected region list
- Resource IDs and metadata needed to describe findings (instance IDs, volume IDs, ARNs)
- Resource tags, used to identify protected or exempted resources
- CloudWatch metric evidence backing each finding
- Estimated monthly cost per finding (list-price, ±15% accuracy)
- Scan history and finding status (open / snoozed / resolved)
What IdleLens never stores
- Application data, source code, or database contents
- Secrets, credentials, or API keys
- S3 object contents or EBS volume data
- Customer workload traffic or application logs
- AWS assumed-role session tokens (used transiently during scan only)
Data retention
Scan results and findings are retained for 90 days. To request earlier deletion of your workspace data, email support@idlelens.com.
Responsible disclosure
Found a security issue? Email support@idlelens.com directly. We respond within one business day during the pilot phase.