Security

Last updated: March 12, 2026

Zero-Write Architecture

EgressPulse operates with strictly read-only access to your cloud environment. Our cross-account IAM roles have zero write permissions. We cannot create, modify, or delete any resources in your accounts. You can verify this by inspecting the IAM policy attached to the EgressPulse role in your account.

Cross-Account Access Controls

  • External ID verification - Every cross-account role uses a unique External ID to prevent confused deputy attacks.
  • Temporary credentials - Sessions are capped at 15 minutes, the shortest duration AWS STS allows for an AssumeRole session. No long-lived credentials are stored.
  • Scoped permissions - Access is limited to specific log buckets. No broad S3 or EC2 access.
  • Instant revocation - Delete the IAM role in your account to immediately revoke all EgressPulse access.
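The two controls above that you can check yourself before granting access are the role's trust policy (who may assume it, and only with the External ID) and its permissions policy (read actions only, on named log buckets only). The script below is an added example of that check, not EgressPulse's own policy documents or tooling; the account ID, External ID, bucket name and role contents are constructed placeholders, and the read-only classification is a prefix heuristic on action names rather than an authoritative list.

```python
"""Static audit of a cross-account, read-only IAM role.

Added example (not EgressPulse's own policy documents): the account ID,
External ID and bucket names below are constructed placeholders. The two
checks correspond to the trust policy (who may assume the role, and only
with the External ID) and the permissions policy (read actions only, on
named log buckets only).
"""
import json

# Constructed trust policy: pins the caller to one account and requires the
# External ID, which is what blocks the confused-deputy case.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}
  }]
}""")

# Constructed permissions policy: read actions on one flow-log bucket.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::example-vpc-flow-logs",
                 "arn:aws:s3:::example-vpc-flow-logs/*"]
  }]
}""")

EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"   # placeholder vendor account
EXPECTED_EXTERNAL_ID = "example-external-id-0001"        # placeholder External ID
ALLOWED_RESOURCES = set(PERMISSIONS_POLICY["Statement"][0]["Resource"])
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic: 'service:Get*' / 'List*' / 'Describe*' / 'Head*' are reads.
    A bare '*' or 'service:*' is not, so wildcard grants are flagged."""
    if ":" not in action:
        return False
    name = action.split(":", 1)[1]
    return name.startswith(READ_PREFIXES)


def trust_findings(trust, principal=EXPECTED_PRINCIPAL,
                   external_id=EXPECTED_EXTERNAL_ID):
    """Each Allow statement must name exactly the expected principal and
    carry a StringEquals sts:ExternalId condition with the expected value."""
    findings = []
    for st in _as_list(trust["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        who = st.get("Principal", {})
        who = _as_list(who.get("AWS", [])) if isinstance(who, dict) else [who]
        if who != [principal]:
            findings.append(f"principal {who} is not {principal}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings


def write_grants(policy):
    """Actions granted by Allow statements that are not read-only.
    An empty result is what 'zero write permissions' means in practice."""
    found = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            found.append("NotAction/NotResource grant (open-ended)")
            continue
        found.extend(a for a in _as_list(st.get("Action", [])) if not is_read_only(a))
    return found


def unscoped_resources(policy, allowed=ALLOWED_RESOURCES):
    """Resources in Allow statements that are not one of the named buckets."""
    return [r for st in _as_list(policy["Statement"]) if st.get("Effect") == "Allow"
            for r in _as_list(st.get("Resource", "*")) if r not in allowed]


def audit(trust=TRUST_POLICY, perms=PERMISSIONS_POLICY):
    """Aggregate the three checks; all-empty lists mean the role passes."""
    return {"trust": trust_findings(trust),
            "write_actions": write_grants(perms),
            "unscoped_resources": unscoped_resources(perms)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Run it against the two documents you pull from IAM for the deployed role; any non-empty list is a deviation from the controls listed above. The 15-minute session length is not visible in these documents: it is requested by the caller at AssumeRole time, so it shows up in your CloudTrail AssumeRole events rather than in the policy.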

Encryption

  • At rest - All detection data encrypted with AES-256 (AWS KMS managed keys).
  • In transit - TLS 1.2+ enforced on all connections. No unencrypted traffic.
  • Secrets - Database credentials and API keys stored in AWS Secrets Manager with KMS encryption.

Infrastructure Security

  • Serverless compute - AWS Lambda functions with no persistent servers to patch or maintain.
  • VPC isolation - All processing happens within a private VPC with no public ingress.
  • Infrastructure as Code - All infrastructure defined in Terraform with automated security scanning (Checkov, Trivy).
  • Dependency scanning - Automated vulnerability scanning on every code change (Snyk, pip-audit).

Compliance Certifications

ISO 42001

AI governance framework for responsible AI management systems.

SOC 2 Type II

Continuous monitoring and reporting on security controls.

GDPR

Data residency controls. Logs stay in your AWS region.

HIPAA

Healthcare data protection with BAA available on Enterprise+ tiers.

Audit Trail

Every access from EgressPulse to your environment is logged in your own AWS CloudTrail: the AssumeRole call into the EgressPulse role, and every API call the resulting session makes. You have full visibility into when, where, and what EgressPulse queried. Note that the AssumeRole call and bucket-level API calls are CloudTrail management events, which are logged by default, while object-level reads such as S3 GetObject are data events that appear only if you have enabled data event logging for the log buckets. We maintain separate internal audit logs for all platform operations.
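The following is an added example of reviewing that trail, not EgressPulse tooling: it selects the AssumeRole events targeting the role and every record issued by sessions of that role, and sorts the latter into reads and writes using CloudTrail's own readOnly flag. The role name, account IDs, bucket and the records themselves are constructed for this page in CloudTrail's record shape; the final record is a deliberately constructed write that a correctly scoped read-only role cannot produce, included so the check has something to flag.

```python
"""Review your own CloudTrail for what a cross-account role session did.

Added example, not EgressPulse tooling: the role name, account IDs, bucket
and the records below are constructed. Real records are the "Records"
array of each gzipped JSON object the trail writes to S3.
"""
import json

ROLE_NAME = "EgressPulseReadOnly"   # placeholder role name

# Constructed records in CloudTrail's shape: one role assumption from the
# vendor account, two reads by the resulting session, one unrelated event by
# a local IAM user, and one constructed write by the session (the anomaly).
RECORDS = json.loads("""[
 {"eventTime": "2026-03-12T09:00:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "AssumeRole", "readOnly": true, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AWSAccount", "accountId": "111111111111",
                   "principalId": "AROAEXAMPLE:egresspulse-collector"},
  "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/EgressPulseReadOnly",
                        "roleSessionName": "egresspulse-collector",
                        "durationSeconds": 900}},
 {"eventTime": "2026-03-12T09:00:02Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListObjects", "readOnly": true, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "sessionContext": {"sessionIssuer": {"type": "Role",
                     "arn": "arn:aws:iam::222222222222:role/EgressPulseReadOnly"}}},
  "requestParameters": {"bucketName": "example-vpc-flow-logs"}},
 {"eventTime": "2026-03-12T09:00:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "readOnly": true, "eventCategory": "Data",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "sessionContext": {"sessionIssuer": {"type": "Role",
                     "arn": "arn:aws:iam::222222222222:role/EgressPulseReadOnly"}}},
  "requestParameters": {"bucketName": "example-vpc-flow-logs",
                        "key": "AWSLogs/222222222222/vpcflowlogs/eu-west-1/2026/03/12/a.log.gz"}},
 {"eventTime": "2026-03-12T09:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "readOnly": false, "eventCategory": "Data",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "userName": "ops-admin"},
  "requestParameters": {"bucketName": "example-vpc-flow-logs", "key": "manual-upload.txt"}},
 {"eventTime": "2026-03-12T09:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "readOnly": false, "eventCategory": "Data",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "sessionContext": {"sessionIssuer": {"type": "Role",
                     "arn": "arn:aws:iam::222222222222:role/EgressPulseReadOnly"}}},
  "requestParameters": {"bucketName": "example-vpc-flow-logs", "key": "should-not-happen"}}
]""")


def _issuer_role(rec):
    """Role ARN that issued an assumed-role session, or '' for other identities."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return ""
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")


def is_role_assumption(rec, role_name=ROLE_NAME):
    """The sts:AssumeRole call itself, logged in the trusting (your) account."""
    target = rec.get("requestParameters", {}).get("roleArn", "")
    return (rec.get("eventSource") == "sts.amazonaws.com"
            and rec.get("eventName") == "AssumeRole"
            and target.endswith(f":role/{role_name}"))


def is_write(rec):
    """CloudTrail marks each record readOnly true/false; fall back to the
    event-name prefix for records that omit the field."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return not rec.get("eventName", "").startswith(("Get", "List", "Describe", "Head"))


def summarize(records, role_name=ROLE_NAME):
    """Split the role's activity into assumptions, reads and (unexpected) writes."""
    out = {"assumptions": [], "reads": [], "writes": []}
    for rec in records:
        params = rec.get("requestParameters", {})
        if is_role_assumption(rec, role_name):
            out["assumptions"].append((rec["eventTime"], rec["userIdentity"].get("accountId"),
                                       params.get("durationSeconds")))
        elif _issuer_role(rec).endswith(f":role/{role_name}"):
            entry = (rec["eventTime"], rec["eventSource"], rec["eventName"], params.get("bucketName"))
            out["writes" if is_write(rec) else "reads"].append(entry)
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(RECORDS), indent=2))
```

The writes list should always be empty for a read-only role; anything in it means the role's permissions are no longer what you deployed. The assumptions list is where the caller's account and the requested session length are visible, which is how you confirm the External ID-protected role is only being assumed from the expected account and for short sessions.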

Vulnerability Disclosure

If you discover a security vulnerability in EgressPulse, please report it to security@egresspulse.com. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.