CloudBooster logo

How CloudBooster handles security: BYOA, least privilege, and full audit trail

CloudBooster is bring-your-own-account: your apps and data stay in your AWS. We run a control plane that governs how changes are proposed, checked, approved, and applied, with a focus on least-privilege access, an audit trail, and clear separation of duties for production paths.

What does bring-your-own-account mean for you?

Bring-your-own-account means the compute and data that matter to your business stay in your AWS tenancy. CloudBooster’s service runs the governance workflow: plans, checks, approvals, and recorded outcomes, without re-hosting your applications on our infrastructure. The boundary matters for data residency, billing, and trust: the blast radius stays in accounts you scope and own.

We separate the control plane (decisions, policy, metadata) from the data plane in your account. We store what is required to operate the product and evidence of changes, not your application’s customer data in place of your own storage. Access is limited by the integrations and roles you enable: enough to run checks and apply, scoped to what you connect, not organization-wide admin by default. You control creation and rotation of the integration and can revoke trust from your side when your posture changes.

What IAM permissions does CloudBooster need?

We design for least privilege: scoped roles, resource boundaries that match what you manage, and no blanket org admin policy as a default. The exact policy is versioned in onboarding. Read to plan and validate, write to apply an approved change, audit through the APIs your account already exposes. You keep control of who creates and rotates the role. Use dedicated roles, add condition keys where they help, and keep non-production and production separate. We avoid the wildcard-across-Org pattern that often appears in a post-mortem.

The JSON below is illustrative. In production, use the onboarding-generated policy, not this snippet. Replace actions and ARNs with the real least-privilege set your deployment needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudBoosterDescribe",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "cloudformation:Describe*",
        "iam:GetRole",
        "iam:ListRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudBoosterApplyScoped",
      "Effect": "Allow",
      "Action": ["cloudformation:*", "ec2:RunInstances"],
      "Resource": "arn:aws:ec2:eu-central-1:ACCOUNT:instance/*"
    }
  ]
}

What do you get in the audit trail?

For each ChangeSet you can show who proposed it, which checks passed or failed, who approved, what ran, and what you recorded afterward. That is one coherent chain, not a pile of logs you stitch together. Retention, export, and which roles can read audit data are tiered in the commercial plans; higher tiers add SIEM-style export and longer retention. The product record is the same object for operations and for review.

The history the product records is append-only for what the platform wrote: enough to compare against reality when someone changes things outside the path. Drift work stays meaningful. Read access to audit views is role-gated like approval; a read-only responder role is not a path to apply production change by default.

How do approval controls and separation of duties work?

The sequence is propose, check, approve, then apply. Approval is where you define who can bless which environments and risk classes. In higher tiers the product enforces separation of duties: the proposer and the approver are not the same person for production when your policy says so. That is what makes the control reviewable, not a slide-only claim.

Policies can treat low-risk or sandbox work differently from protected environments. The goal is a legible record on every path, including lighter routes for speed. A break-glass path should still be describable, not a blind bypass of every control. Emergency actions can include extra logging when you allow them under policy.

Where do compliance and certifications stand?

We are an early product from a small company. We are not going to show a false SOC2 banner. As of 2026, CloudBooster does not have third-party SOC2 Type II attestation. A SOC2 program is on our roadmap with a first target in Q4 2026, subject to scope and resourcing. If your procurement needs an attestation on day one, say so and we can be clear on timelines.

What you can review today is architectural: BYOA, least-privilege integration patterns, a ChangeSet-oriented audit record, and operator practice from the TIDORA team, including EU presence and long client delivery. Many teams get comfortable on architecture and evidence before a formal attestation exists.

What risks does this threat model target?

The product is aimed at: unreviewed or unapproved change in production, unsafe generated or copy-pasted infrastructure without checks, blast radius from over-broad access, and teams that cannot reconstruct the approved state. The lifecycle, checks, approvals, and recordkeeping are the mitigations, together with BYOA so direct workload exposure sits under your control.

We do not replace network segmentation, incident response, or data classification. Full administrative access in your account can still be abused. The product tightens the common “fast path to prod” and “nobody knew that applied” failures that show up in small teams, including when AI is in the loop.

Talk through your threat model and AWS scope

If you lead security or platform, start with what you need for IAM review, data handling, and a realistic timeline for formal certifications.

Contact us

Related

Want to try a governed infrastructure path on AWS before you hire a platform team?

CloudBooster gives lean teams a governed path for creating infrastructure on AWS without needing to build a DevOps function first. We're opening a limited number of early pilot slots.