Guides

Security & Permissions Model

TierPilot's security posture rests on two principles: least privilege (we request only what the service strictly needs) and architectural privacy (the sensitive work happens in your account, so trust doesn't depend on our promises).

The cross-account role

The connector stack creates one IAM role assumable by TierPilot's control plane, protected by an ExternalId unique to your account. Its policy, in full:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverBuckets",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Sid": "ManageMonitoredBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLogging", "s3:PutBucketLogging",
        "s3:GetLifecycleConfiguration",
        "s3:GetInventoryConfiguration", "s3:PutInventoryConfiguration"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "InvokeInAccountComponents",
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": "arn:aws:lambda:*:*:function:tierpilot-*"
    }
  ]
}

What we can never do

  • Read your objects. No s3:GetObject anywhere — not in the cross-account role, and the collector's in-account role can read only the access-log and inventory buckets the stack creates.
  • Delete your objects. No s3:DeleteObject. Storage-class transitions are the only mutation the operator performs, via copy-in-place with x-amz-storage-class.
  • De-anonymize your metadata. Key tokenization uses an HMAC salt generated in your account and stored in your Secrets Manager. TierPilot's servers never receive it.
  • Act outside your guardrails. Excluded prefixes and tier floors are enforced by the operator in your account — not by our control plane — so a compromise of our side cannot bypass them.

Operator API authentication

Transition plans are signed with a per-account Ed25519 key pair; the operator holds the public key and rejects unsigned, expired, or replayed plans (each plan carries a nonce and a 24-hour validity window). See the Operations API reference for details.

Auditability

  • Every S3 API call the operator makes appears in your CloudTrail, attributable to the operator's role.
  • Every executed plan is archived in your account (S3, in the stack's audit prefix) with the full token-to-decision mapping, so you can reconstruct exactly why each object moved.
  • The connector stack is plain CloudFormation + published Lambda source — inspect everything before deploying.

Data handling on our side

  • Anonymized aggregates are encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Aggregates are retained for 13 months to support seasonality-aware modeling, then deleted.
  • Enterprise plans include a DPA, PrivateLink connectivity (no traffic over the public internet), and configurable retention.