Security
How BobSentry Accesses Your AWS Account Safely
Security is foundational to BobSentry. We designed our AWS access model to give you complete control while enabling thorough security scanning.
Read-Only IAM Role
BobSentry connects to your AWS account using a scoped, read-only IAM role. We only request the permissions needed to enumerate your cloud configuration — we never create, modify, or delete any resources in your account.
The IAM policy is built on SecurityAudit and specific Describe* / List* / Get* actions only.
Temporary STS Tokens
Every scan uses AWS Security Token Service (STS) to assume your IAM role and obtain short-lived, temporary credentials. These tokens expire automatically after the scan completes — typically within 60 seconds.
We never request or handle long-lived access keys. Each scan starts with a fresh sts:AssumeRole call with a unique external ID for your organization.
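A check a customer could run on the role before connecting it, covering both the read-only scope and the external ID described above. This is an added example, not BobSentry's code or policy; the principal ARN, the external ID and both policy documents are constructed placeholders.

```python
READ_PREFIXES = ("describe", "list", "get")  # the action families the page names

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, vendor_principal, external_id):
    """Return findings for a role trust policy; an empty list means no findings."""
    findings = []
    for st in as_list(doc["Statement"]):
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if aws != [vendor_principal]:
            findings.append(f"unexpected principal: {aws}")
        # Compare condition operators and keys case-insensitively.
        cond = {op.lower(): {k.lower(): v for k, v in kv.items()}
                for op, kv in st.get("Condition", {}).items()}
        if as_list(cond.get("stringequals", {}).get("sts:externalid")) != [external_id]:
            findings.append("sts:ExternalId condition missing or different")
    return findings

def audit_permissions(doc):
    """Return every allowed action that is not a Describe*/List*/Get* action."""
    flagged = []
    for st in as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:  # allows everything except the listed actions
            flagged.append("NotAction")
            continue
        for action in as_list(st.get("Action", [])):
            name = action.partition(":")[2].lower()  # "" for a bare "*"
            if not name.startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged

# Constructed sample documents (placeholder account ID and external ID).
VENDOR = "arn:aws:iam::111122223333:root"
EXTERNAL_ID = "example-external-id"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "iam:Get*", "iam:PassRole"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(TRUST, VENDOR, EXTERNAL_ID), audit_permissions(PERMS))
```

Passing the prefix check does not make an action configuration-only: s3:GetObject and secretsmanager:GetSecretValue, for example, return data, so Get* grants deserve individual review.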
No Credentials Stored
BobSentry does not store any AWS credentials — no access keys, no secret keys, no session tokens. We store only the IAM role ARN and external ID needed to initiate the STS assume-role call at scan time.
Your AWS credentials never touch our database or storage systems.
Access Revocable Anytime
You are always in control. To revoke BobSentry's access, simply delete or modify the IAM role in your AWS account. Access is severed immediately — no coordination with BobSentry required.
You can also remove the connected AWS account from your BobSentry dashboard settings at any time.
Summary
| Access method | Cross-account IAM role (sts:AssumeRole) |
| Credential type | Temporary STS tokens (auto-expire) |
| Permissions scope | Read-only (SecurityAudit + scoped Describe/List/Get) |
| Credentials stored | None — only role ARN and external ID |
| Revocation | Delete the IAM role or remove from dashboard |
| Scan duration | Typically under 60 seconds |
Ready to scan your AWS environment?
Connect in minutes with a read-only IAM role. No credit card required.