Security | Cloudventory Permissions, Data Access, and Encryption

Security is foundational to Cloudventory’s design. The platform is built to provide visibility into AWS environments without introducing risk.

Permissions

Cloudventory connects to AWS using a read-only IAM role.

The role uses AWS-managed policies only:

Policy	Purpose
`SecurityAudit`	Read access to security-related configurations
`ReadOnlyAccess`	Read access to AWS service resources

No write permissions.
No wildcard (*) actions.
Permissions are fully auditable in your AWS account.

Cloudventory cannot create, modify, or delete any AWS resources.

We read resource metadata to build your inventory and generate insights, nothing more.

Cloudventory collects metadata only, including:

Resource IDs, names, ARNs, and tags
Configuration details (e.g., instance types, bucket policies, security group rules)
Relationships between resources
Status and timestamp information

Cloudventory does not access or store:

Secrets Manager or Parameter Store values
Environment variables
- Lambda function environment variables: While the AWS Lambda API returns environment variables as part of function metadata, Cloudventory immediately strips the entire environment variable block from API responses before any persistence or logging occurs. Cloudventory never stores, logs, or retains environment variable values, ensuring customer secrets are not collected or handled in any form. This behavior enforces our metadata-only policy and eliminates the risk of storing sensitive keys or credentials.
Lambda function code
S3 object contents
Database contents
EC2 UserData
Credentials, keys, or tokens belonging to your workloads

We store only the role ARN.

Temporary credentials are requested at scan time via AWS STS and expire automatically (typically within 1 hour). No credentials are persisted.

If access keys are used:

For security inquiries or documentation requests, contact: security@cloudventory.io