TL;DR
- Read-only access: The Foreman cannot create, modify, or delete infrastructure.
- Temporary credentials only: Access is obtained by assuming an IAM role in your account; the credentials expire automatically.
- You control revocation: Delete the role, or detach its permission policy, at any time to remove access immediately. Note that merely removing The Foreman's account from the trust policy only blocks new role sessions; credentials already issued stay valid until they expire, whereas deleting the role or its permissions is enforced on the very next API call.
- AWS-recommended pattern: IAM role assumption plus an External ID, the pattern AWS documents for granting a third party access to your account.
How Access Works
The Foreman uses AWS IAM Role Assumption with External ID protection. Instead of storing permanent credentials, each scan gets short-lived read-only credentials from AWS STS.
1. You create the role in your AWS account
You own the role and its permission policy. Its trust policy allows The Foreman's AWS account to assume it only when the request carries your External ID. That condition is what prevents the confused-deputy problem: another Foreman customer who learns your role ARN still cannot have The Foreman scan your account, because their External ID will not match yours.
2. You provide role ARN + External ID
These values let The Foreman request temporary credentials for scheduled scans.
3. AWS issues temporary credentials
At scan time, The Foreman calls sts:AssumeRole with your role ARN and External ID. STS checks the trust policy, including the sts:ExternalId condition, and returns short-lived credentials for the role.
4. Foreman performs read-only scans
Only metadata and metrics are fetched to detect waste. Credentials then expire automatically.
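The four steps above, as an added example rather than The Foreman's own code: it generates the trust policy a customer attaches in step 1, models the STS check of step 3 so the External ID guard can be exercised offline, and shows the sts:AssumeRole call the scanner makes. The scanner account ID, External ID and session name are placeholders, and the evaluator is a deliberately simplified model of STS (no Deny statements, no caller-side policies).

```python
"""Trust policy for the customer-owned scanner role, plus a small model of the
STS trust check, so the External ID requirement can be tested offline.

Assumptions (not from the page): the account ID and External ID below are
placeholders; substitute the real values from your Foreman settings.
"""
import json
from typing import Optional

SCANNER_ACCOUNT_ID = "111122223333"             # placeholder scanner account ID
EXTERNAL_ID = "example-external-id-change-me"   # placeholder External ID


def trust_policy(scanner_account_id: str, external_id: Optional[str]) -> dict:
    """Build the role's trust policy. With external_id=None the sts:ExternalId
    condition is omitted, which is the misconfiguration trust_policy_is_safe catches."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Simplified model of the STS decision for sts:AssumeRole: allowed iff an
    Allow statement names the caller's account as principal and any
    sts:ExternalId condition it carries matches the value presented.
    Real evaluation also considers Deny statements, the caller's own IAM
    policies and session policies; those are out of scope here."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False


def trust_policy_is_safe(policy: dict, scanner_account_id: str) -> bool:
    """True only if the scanner account cannot assume the role without
    presenting an External ID, i.e. the confused-deputy guard is in place."""
    return not assume_role_allowed(policy, scanner_account_id, None)


def scanner_credentials(role_arn: str, external_id: str, duration: int = 3600) -> dict:
    """What the scanner does at step 3: call STS with the ARN and External ID.
    Needs boto3 and network access, so it is not exercised offline."""
    import boto3  # imported lazily so the rest of the file runs without it
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn,
        RoleSessionName="foreman-scan",   # placeholder session name
        ExternalId=external_id,
        DurationSeconds=duration,
    )
    # Temporary AccessKeyId / SecretAccessKey / SessionToken plus Expiration
    return resp["Credentials"]


if __name__ == "__main__":
    policy = trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("external id enforced:", trust_policy_is_safe(policy, SCANNER_ACCOUNT_ID))
```

Before you hand over the role ARN, run the generated trust policy through trust_policy_is_safe: a policy that lets the scanner account in without an External ID is exactly the one a misdirected third-party request could exploit.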
Permission Model
The Foreman requests only read-only API actions (Describe, List and Get calls) to enumerate resources and pull utilization metrics. "Resource": "*" is expected here: most of the Describe and List calls below do not support resource-level permissions, so the scope of the grant is set by the action list rather than by ARNs. Classic and v2 (ALB/NLB) load balancers share the elasticloadbalancing: IAM prefix; there is no separate elasticloadbalancingv2 prefix.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeImages",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"elasticache:DescribeCacheClusters",
"elasticloadbalancing:DescribeLoadBalancers",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"eks:ListClusters",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
]
}
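A check worth running on any policy you attach to the role, added here as an example and not part of The Foreman's tooling: it confirms every granted action is a metadata read and flags actions that, although technically reads, return object or row content (the "Can't read S3 objects or database content" claim). The set of content-returning actions and the Describe/List/Get rule are this example's own assumptions, and the policy above is embedded as the sample input.

```python
"""Audit an IAM permission policy before attaching it to the scanner role:
every Allow action must be a metadata read, and none may return data content.
Added example; the verb rule and CONTENT_READ_ACTIONS are assumptions to extend."""

# Actions that are "reads" yet return data rather than metadata. A starting
# list, not an exhaustive one.
CONTENT_READ_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "rds-data:ExecuteStatement",
    "lambda:GetFunction",  # returns a pre-signed URL for the code bundle
}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return (action, reason) findings; an empty list means every Allow
    statement is confined to explicit metadata-read actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("NotAction", "NotAction grants everything not listed; use Action"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((action, "wildcard; list actions explicitly"))
                continue
            name = action.partition(":")[2]
            if not name:
                findings.append((action, "malformed action"))
            elif action in CONTENT_READ_ACTIONS:
                findings.append((action, "returns data content, not metadata"))
            elif not name.startswith(READ_ONLY_PREFIXES):
                findings.append((action, "not a Describe/List/Get action"))
    return findings


def is_read_only(policy: dict) -> bool:
    return not audit_policy(policy)


# The permission policy from this page, embedded as sample input.
FOREMAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
            "ec2:DescribeAddresses", "ec2:DescribeNatGateways", "ec2:DescribeVpcEndpoints",
            "ec2:DescribeImages", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
            "dynamodb:ListTables", "dynamodb:DescribeTable",
            "ecr:DescribeRepositories", "ecr:DescribeImages",
            "elasticache:DescribeCacheClusters", "elasticloadbalancing:DescribeLoadBalancers",
            "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketVersioning",
            "eks:ListClusters", "cloudwatch:GetMetricStatistics",
        ],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for action, reason in audit_policy(FOREMAN_POLICY) or [("(none)", "policy is read-only")]:
        print(f"{action}: {reason}")
```

Re-run the audit whenever the requested action list changes; a single added s3:GetObject or dynamodb:Scan turns a metadata-only grant into data access, which is exactly what the check reports.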
What We Can and Can't Do
Can Do
- Read resource metadata
- Read CloudWatch metrics
- List resources and configurations
- Estimate cost impact and potential savings
Can't Do
- Stop, start, terminate, or create resources
- Delete databases, volumes, or snapshots
- Modify IAM, networking, or application config
- Read S3 objects or database content
Ready to scan with confidence?
Read-only access, temporary credentials, and full customer control.
Sign up now for a free scan