Security at Cloudventory

Who Built This

Cloudventory is built and operated by a security professional with hands-on experience in AWS security architecture, DevOps, and vCISO engagements. Security isn’t an afterthought — it’s the foundation of the product.

Credential Handling

We recommend connecting via IAM cross-account role. With this method:

• No long-term credentials are stored
• We assume a read-only role temporarily during scans
• No write, modify, or delete actions are permitted by the role
• You control the trust relationship and can revoke access instantly

If you use access keys instead, they are encrypted at rest using AES-256.

What We Access

Cloudventory collects resource metadata only:

• Resource IDs, names, tags, and configurations
• Relationships between resources (VPCs, subnets, security groups)
• Account and region information

We never access:

• Secrets, credentials, or environment variables
• S3 object contents or application data
• Database contents
• Lambda environment variables (even though AWS APIs expose them)
• CloudWatch logs or application logs

Encryption

• In transit: TLS 1.2+ for all connections
• At rest: AES-256 encryption for stored credentials and data
• Passwords: Hashed and salted, never stored in plain text

Tenant Isolation

All customer data is logically separated at the database level. Each organization's resources, credentials, and scan results are isolated and inaccessible to other tenants.

Infrastructure

• Hosted on AWS (US regions)
• Managed database with automated backups
• Infrastructure defined as code
• Regular vulnerability scanning with industry-standard tools

Compliance

We provide a completed CAIQ-Lite questionnaire upon request to streamline your vendor security review.

Independent third-party audit planned as we scale.