Security
Built so your security team can say yes.
Cloud Watchdog operates inside your cloud account. We treat that access with the seriousness it deserves: least-privilege roles, no long-lived credentials, public role templates, and a hard rule that production resources are never auto-stopped.
We never store cloud credentials
Onboarding deploys a small role template; our backend assumes that role with a unique per-account secret. We hold no long-lived cloud credentials for your account.
Read-only mode is the default
Start alert-only. Circuit-breaker permissions are an explicit second template you opt into per account.
No destructive permissions in v0
We never request Delete*, IAM mutation, NAT/RDS/EBS deletion, or wildcard write actions.
Production stays locked
Resources tagged env=prod cannot be auto-stopped — enforced both in our application code and in IAM Conditions.
Open-source IAM templates
Our CloudFormation templates are public. Audit the exact permissions before you deploy.
Audit trail on every action
Every detection, notification, cancel, action, and restore creates an append-only audit row.
What we ask for
Two CloudFormation templates. You pick which one.
Detect & alert
Cost Explorer, CloudWatch metrics, resource describes, and tag reads. No write actions, no auto-stop possible.
- + ce:GetCostAndUsage, ce:GetCostForecast
- + cloudwatch:GetMetricStatistics
- + ec2:Describe*, lambda:List/Get*
- + ecs/rds/elb describes, tag:GetResources
Detect, alert, and stop on dev/staging
Adds three scoped write permissions. IAM Conditions restrict actions to resources tagged env=dev or env=staging with the Cloud Watchdog managed tag.
- + ec2:StopInstances
- + lambda:PutFunctionConcurrency
- + ecs:UpdateService
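One way to act on "audit the exact permissions before you deploy", as an added example (not Cloud Watchdog's own code): a checker that takes an IAM policy document, already extracted from a template as JSON, and flags anything outside the permission set listed above. It assumes the tag restriction is expressed with the standard `aws:ResourceTag/env` condition key under `StringEquals`; the Cloud Watchdog managed tag is not named on this page, so it is not checked, and the sample policies are constructed.

```python
# Added example: audit an IAM policy against the permission set this page documents.
READ_SERVICES = {"ce", "cloudwatch", "ec2", "lambda", "ecs", "rds", "elasticloadbalancing", "tag"}
READ_VERBS = ("describe", "list", "get")
SCOPED_WRITES = {"ec2:stopinstances", "lambda:putfunctionconcurrency", "ecs:updateservice"}
ALLOWED_ENVS = {"dev", "staging"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _env_scoped(stmt):
    """True only if StringEquals pins aws:ResourceTag/env (assumed key) to dev and/or staging."""
    for key, vals in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:resourcetag/env":
            vals = set(_as_list(vals))
            return bool(vals) and vals <= ALLOWED_ENVS
    return False

def audit_policy(policy):
    """Return findings; an empty list means the policy stays within the documented set."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: NotAction grants every action not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.lower().partition(":")
            if service in READ_SERVICES and verb.startswith(READ_VERBS):
                continue  # read-only call on a service the page names
            if action.lower() in SCOPED_WRITES:
                if not _env_scoped(stmt):
                    findings.append(f"stmt {i}: {action} is not restricted to env=dev/staging")
            else:
                findings.append(f"stmt {i}: {action} is outside the documented permission set")
    return findings

# Constructed samples: a compliant policy, then one with three violations.
SAMPLE_OK = {"Statement": [
    {"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": ["dev", "staging"]}}}]}
SAMPLE_BAD = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "rds:DeleteDBInstance"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}}]}

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_policy(doc) or "no findings")
```

Read actions are matched by verb prefix on the services this page names, so the check is a first pass over the template and not a substitute for reading each statement's `Resource` and `Condition` blocks.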