Security & Compliance

AccessLens is built with enterprise-grade security and compliance at its core. Learn how we protect your data and secure your AWS infrastructure.

Security Documentation

Security Architecture

Comprehensive documentation of our security controls and data protection measures.

Contact for Security Overview →

Security Testing

Regular security assessments and vulnerability testing by certified professionals.

Contact for Testing Summary →

AWS Partner Network Member

AccessLens is a verified AWS Partner, meeting strict technical and business requirements for security, reliability, and customer success.

✓ Verified AWS Partner

Cross-Account Access Security

How It Works

1. IAM Role Creation

You create a read-only IAM role in your AWS account using our CloudFormation template. The role's trust policy names AccessLens's AWS account as the only principal allowed to assume it.

2. External ID Verification

The trust policy also carries an sts:ExternalId condition with an External ID that is unique to your account. AccessLens must present that ID on every sts:AssumeRole call; STS refuses the call otherwise, which prevents confused deputy attacks.

3. Read-Only Access

The role's permissions policy grants only IAM read (Get and List) actions. There is no write, modify or delete capability.

4. Secure Analysis

The IAM metadata retrieved through the role is analyzed in our secure environment, and results are stored encrypted.

Security Benefits

No long-lived AWS credentials stored: access uses the short-lived credentials returned by sts:AssumeRole
External ID prevents unauthorized (confused deputy) use of the role
Read-only permissions only
You control access revocation: delete the role or remove AccessLens from its trust policy at any time
CloudTrail logs every AssumeRole call and every IAM API call made through the role

External ID Security

Confused Deputy Problem

Without an External ID, anyone who learned the ARN of your role could register it in their own AccessLens account. Because your trust policy trusts AccessLens, AccessLens would then act as a confused deputy, assuming your role and reading your IAM data on the attacker's behalf.

External ID Solution

Each customer gets a unique External ID. Your role's trust policy requires it through an sts:ExternalId condition, so the role can only be assumed when that exact value is supplied with the AssumeRole call, and an attacker registering your role ARN under a different customer account supplies a different one.

Secure Access

Only AccessLens, presenting your specific External ID, can assume the role and read your account's IAM data. The External ID complements the principal restriction in the trust policy rather than replacing it: the trust policy should still name only AccessLens's AWS account, never a wildcard principal.

Read-Only Permissions Documentation

Exact IAM Permissions Required

AccessLens requires only the following read-only permissions to analyze your IAM security posture:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListRoles",
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListRolePolicies",
        "iam:ListUserPolicies",
        "iam:ListGroupPolicies"
      ],
      "Resource": "*"
    }
  ]
}

What We CAN Do:

  • Read IAM roles, users, and groups
  • Read attached and inline policies
  • Analyze trust relationships (the role's AssumeRolePolicyDocument is returned by iam:GetRole)
  • Identify permission patterns

What We CANNOT Do:

  • Create, modify, or delete IAM resources
  • Access your application data
  • Modify security policies
  • Perform any write operations
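Before deploying any vendor's cross-account role, a customer should verify the two properties described above for themselves: that the trust policy admits only the partner account and only with the per-customer External ID (the confused deputy control from the External ID Security section), and that the permissions policy is genuinely read-only. The following is an added example written for this page, not AccessLens's template or code. The partner account ID, the External ID value, and the function names are constructed placeholders; the permissions policy it checks is the one published above, and the weak policies are constructed counter-examples.

```python
"""Pre-deployment audit of a cross-account read-only role.

Added example, not AccessLens code. Checks that a trust policy is scoped to the
partner account and gated on sts:ExternalId, and that a permissions policy
grants nothing but read actions. PARTNER_ACCOUNT and EXTERNAL_ID are
constructed placeholders; substitute the values from the vendor's template.
"""

PARTNER_ACCOUNT = "111122223333"        # assumption: the SaaS vendor's AWS account
EXTERNAL_ID = "cust-8f1c2e9a-example"   # assumption: the External ID issued to you
READ_ONLY_VERBS = ("Get", "List", "Describe")


def build_trust_policy(partner_account, external_id):
    """Trust policy the customer puts on the role: one principal, one External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM accepts a bare string or a list in most fields; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, partner_account):
    """Return problems with a trust policy; an empty list means it is sound."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws:
            # Accept a bare account ID or any ARN in that account; reject "*" and others.
            if p != partner_account and f":{partner_account}:" not in str(p):
                findings.append(f"principal {p!r} is not the partner account")
        cond = stmt.get("Condition") or {}
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId StringEquals condition (confused-deputy risk)")
    return findings


def permissions_findings(policy):
    """Flag anything in a permissions policy that is not a plain read action.
    Conservative on purpose: wildcards and NotAction are flagged even where they
    might only cover reads, because a reviewer cannot tell without expanding them."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if "*" in action:
                findings.append(f"{action}: wildcard action")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action}: not a read-only verb")
    return findings


def audit_role(trust_policy, permissions_policy, partner_account=PARTNER_ACCOUNT):
    """Run both checks; all-empty lists means the role is safe to deploy."""
    return {"trust": trust_policy_findings(trust_policy, partner_account),
            "permissions": permissions_findings(permissions_policy)}


# The permissions policy published on this page.
PAGE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
            "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
            "iam:ListRoles", "iam:ListUsers", "iam:ListGroups", "iam:ListPolicies",
            "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies",
            "iam:ListAttachedGroupPolicies", "iam:ListRolePolicies",
            "iam:ListUserPolicies", "iam:ListGroupPolicies",
        ],
        "Resource": "*",
    }],
}

# Constructed counter-examples: a trust policy anyone can assume (wildcard
# principal, no External ID) and a permissions policy that smuggles in writes.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateRole", "iam:*"],
     "Resource": "*"}]}

if __name__ == "__main__":
    good_trust = build_trust_policy(PARTNER_ACCOUNT, EXTERNAL_ID)
    print("page role:", audit_role(good_trust, PAGE_PERMISSIONS))
    print("weak role:", audit_role(WEAK_TRUST, WEAK_PERMISSIONS))
```

Run against the published policy and a correctly built trust policy the audit returns no findings; the weak role produces a finding for the wildcard principal, one for the missing sts:ExternalId condition, and one each for iam:CreateRole and iam:*. The assume step itself is the vendor's side of the exchange: with boto3 it is `sts.assume_role(RoleArn=..., RoleSessionName=..., ExternalId=...)`, and STS returns AccessDenied when the ExternalId argument is absent or does not match the trust policy's condition.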

Data Handling & Retention Policies

Data Collection

  • Only IAM metadata is collected
  • No application data or secrets
  • Encrypted in transit and at rest
  • Stored in AWS US regions only

Data Retention

  • Scan data retained for 90 days
  • Reports retained for 1 year
  • Account data deleted within 30 days of cancellation
  • Immediate deletion available on request

Questions About Security?

Our security team is available to discuss your specific requirements, compliance needs, and implementation details. We typically respond within 24 hours.

24-hour response time
Direct access to security engineers
Confidential consultation

Contact Security Team
