Guides
Security & Permissions Model
TierPilot's security posture rests on two principles: least privilege (we request only what the service strictly needs) and architectural privacy (the sensitive work happens in your account, so trust doesn't depend on our promises).
The cross-account role
The connector stack creates one IAM role assumable by TierPilot's control plane, protected by an ExternalId unique to your account. Its policy, in full:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DiscoverBuckets",
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Resource": "*"
},
{
"Sid": "ManageMonitoredBuckets",
"Effect": "Allow",
"Action": [
"s3:GetBucketLogging", "s3:PutBucketLogging",
"s3:GetLifecycleConfiguration",
"s3:GetInventoryConfiguration", "s3:PutInventoryConfiguration"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "InvokeInAccountComponents",
"Effect": "Allow",
"Action": ["lambda:InvokeFunction"],
"Resource": "arn:aws:lambda:*:*:function:tierpilot-*"
}
]
}
What we can never do
- Read your objects. No
s3:GetObjectanywhere — not in the cross-account role, and the collector's in-account role can read only the access-log and inventory buckets the stack creates. - Delete your objects. No
s3:DeleteObject. Storage-class transitions are the only mutation the operator performs, via copy-in-place withx-amz-storage-class. - De-anonymize your metadata. Key tokenization uses an HMAC salt generated in your account and stored in your Secrets Manager. TierPilot's servers never receive it.
- Act outside your guardrails. Excluded prefixes and tier floors are enforced by the operator in your account — not by our control plane — so a compromise of our side cannot bypass them.
Operator API authentication
Transition plans are signed with a per-account Ed25519 key pair; the operator holds the public key and rejects unsigned, expired, or replayed plans (each plan carries a nonce and a 24-hour validity window). See the Operations API reference for details.
Auditability
- Every S3 API call the operator makes appears in your CloudTrail, attributable to the operator's role.
- Every executed plan is archived in your account (S3, in the stack's audit prefix) with the full token-to-decision mapping, so you can reconstruct exactly why each object moved.
- The connector stack is plain CloudFormation + published Lambda source — inspect everything before deploying.
Data handling on our side
- Anonymized aggregates are encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Aggregates are retained for 13 months to support seasonality-aware modeling, then deleted.
- Enterprise plans include a DPA, PrivateLink connectivity (no traffic over the public internet), and configurable retention.