Security

How we keep your cloud access safe

CloudBudgetMaster needs read-only access to find waste — and nothing more. Here is exactly what we do, and what we will never do.

Read-only by design

Every cloud API call we make is read-only. We list and describe resources and read billing data — we never create, modify, stop, or delete anything in your account.

Encrypted credentials

Cloud credentials are encrypted with AES-256 (Fernet) before they are written to the database, and decrypted only in memory at scan time. They are never stored in plaintext and never written to logs.

Per-account data isolation

The database enforces Row-Level Security, and every query is additionally scoped to your user ID. Your resources, costs, and alerts are only ever visible to you.

Authenticated access

Accounts are protected by JWT sessions issued by our own backend on every request, plus email verification and a strong-password policy at signup.

The permissions we ask for

For AWS you attach a read-only IAM user. Representative permissions:

ce:GetCostAndUsage
ec2:DescribeInstances        ec2:DescribeVolumes
rds:DescribeDBInstances      cloudwatch:GetMetricStatistics
ec2:DescribeAddresses        ec2:DescribeRegions

No write, delete, or modify permissions are ever requested.

What we never do

Modify, stop, or delete any of your cloud resources
Store cloud credentials in plaintext or log them anywhere
Request write access to your infrastructure
Sell, share, or use your usage data for anything other than your dashboard

Found a security issue? Please reach out via our contact page — we take reports seriously.