Built read-only from day one
Security scanning shouldn't introduce risk. InfraSweep only ever looks. Here's exactly how your access and data are protected.
Read-only, always
AWS: a cross-account IAM role with only AWS-managed read-only policies (SecurityAudit + ViewOnlyAccess). GCP: a service account with roles/viewer. Azure: a service principal with the built-in Reader role. Alibaba Cloud: ReadOnlyAccess, or a RAM role via STS. OCI: a read-only IAM policy. InfraSweep is technically incapable of changing your infrastructure.
You hold the keys
AWS cross-account roles use a unique ExternalId and trust only our scanner principal. Revoke access any time by deleting one role, service account, or app registration. We never ask for console or root credentials.
Encrypted at rest
Role-based connections (AWS, Alibaba RAM) store no secret at all. Where a connection uses a key or secret (GCP service-account key, Azure client secret, AWS or Alibaba access keys, OCI signing key), it's envelope-encrypted before it ever touches the database and is never returned by any API or shown again after entry.
Tenant isolation
Every account, scan, and finding is scoped to your tenant. Data is partitioned and access-checked on every request.
Traceable findings
Each finding links to the exact raw API response behind it. We keep the evidence for every finding, so your team can verify every recommendation independently.
No telemetry, no surprise actions
InfraSweep never auto-remediates and sends no telemetry. It shows you the fix command; you decide whether and when to run it.
# The only permissions InfraSweep ever uses
# AWS: cross-account role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
# GCP: service account
roles/viewer
# Azure: service principal
Reader (built-in role)
# Alibaba Cloud: RAM
ReadOnlyAccess (or a RAM role assumed via STS)
# OCI: a read-only IAM policy
Allow group InfraSweep to read all-resources in tenancy What we keep, and what we don't
A straight answer on how your data is handled today.
What we keep
- Your connection config (role ARNs, project/tenant IDs) and, for key-based connections, the secret, envelope-encrypted.
- Your scan findings and report, retained for your plan's window so you can review and export them.
- Your account email and billing details (handled through Stripe).
What we never do
- Store a credential in plaintext, or show a secret again after you enter it.
- Write to your cloud or auto-remediate. We show the fix; you decide whether to run it.
- Send telemetry, or sell or share your data.
Where we're headed
We're driving data liability to the minimum. These are on the roadmap, not shipped yet, and we'll say so here the moment each is live.
- Credentials never stored. Moving every cloud to a role/federation connection so no secret is ever written to our database.
- Ephemeral scans. On every plan but Enterprise: we run the scan, you download or email yourself the report, and nothing is retained on our side.
- Enterprise retention. Opt-in stored history and before/after diff, under a DPA.
- A formal security program (SOC 2) as we grow.