Security & Trust

How GhostHunter protects your AWS account

We know you're trusting us with access to your cloud infrastructure. GhostHunter enforces physical, cryptographic isolation across separate authorization phases—ensuring you always control your perimeter.

The short version

No static credentials stored — GhostHunter never asks for, processes, or stores raw AWS Access Keys or Secrets.
Cross-account IAM via AssumeRole — Access is granted entirely via secure IAM cross-account handshakes. Revoke instantly at any time from your own console.
Isolated 2-Phase Flow — Initial onboarding is restricted to a 100% Read-Only Sandbox role. Deletion capabilities are physically impossible until you opt-in.
Targeted Purging Upgrades — Remediation updates require an intentional, separate CloudFormation change. GhostHunter can only interact with resource types you explicitly approve.
Sensitive data encrypted at rest — All architecture configurations, Role ARNs, and integration hooks are encrypted using AES-256-GCM before writing to storage.
ExternalID handshake protection — Every organization handshake is protected by a unique ExternalID to prevent cross-tenant Confused Deputy compromises.
🔑

AWS Access Model

GhostHunter uses the formal AWS cross-account IAM AssumeRole pattern — the standard, modern approach approved by enterprise infrastructure reviewers for third-party orchestration.

You create an initial IAM role in your AWS account using our provided CloudFormation template. That template creates a role with an explicit trust policy that allows *only* GhostHunter's verified broker account to assume it, bounded tightly via a unique ExternalID generated for your team.

The ExternalID protects your environment from the confused deputy security challenge — ensuring that even if our broker account ID were public knowledge, an external attacker could never authenticate against your infrastructure without matching your exact organization key.

# IAM trust policy configuration

{

"Principal": {"AWS": "arn:aws:iam::<GhostHunter-account>:root"},

"Action": "sts:AssumeRole",

"Condition": {

"StringEquals": {"sts:ExternalId": "<your-unique-external-id>"}

}

}

You remain the absolute owner of the integration. Access can be immediately severed at any moment by simply deleting the IAM role from your local AWS Console.

🔒

Phase 1 Boundaries (Core Scanning)

Explicitly Allowed

  • ec2:Describe* (Volumes, Snapshots, Elastic IPs)
  • rds:Describe* (DB Instances, Clusters)
  • elasticloadbalancing:Describe*
  • s3:ListBuckets, GetBucketLocation, ListMultipartUploads
  • lambda:ListFunctions, GetFunction
  • cloudwatch:GetMetricStatistics
  • logs:DescribeLogGroups
  • sts:GetCallerIdentity (For initial validation)

Cryptographically Blocked

  • ec2:Delete* / rds:Delete* (Physically absent)
  • Create or modify operational architecture
  • Inspect or pull raw EC2 disk volumes
  • Read payload contents of S3 objects
  • Access AWS Secrets Manager or Parameter Store
  • Query account billing or cost tables
  • Modify active IAM roles, users, or permissions
  • Traverse into unlinked tenant environments

The Phase 1 onboarding template acts as a zero-risk sandbox. GhostHunter physically lacks the structural authorization to drop a single resource or edit a configuration line item while on Phase 1 controls.

🗄️

Data & storage security

GhostHunter indexes optimization metadata about your isolated assets — raw resource IDs, region strings, and running run-rate costs — but never indexes internal storage contents.

Sensitive architecture metrics are cryptographically processed at rest using AES-256-GCM prior to hitting our data layer. Decryption tokens are isolated outside the global database network context, ensuring raw metadata strings are never visible in plaintext.

Invite records sent over corporate mail tracks are stored using SHA-256 secure hashing. The underlying connection payload resides uniquely in your temporary registration thread and is never hard-saved to database clusters.

🛡️

Phase 2: Opt-In Remediations

When you transition from identifying waste to actively cleaning your perimeter, GhostHunter upgrades security safeguards to protect production environments from erratic changes.

  • Intentional Stack Upgrades: Introducing write capabilities requires an explicit, separate CloudFormation stack update. You control the exact remediation boundaries.
  • Simulated Dry-Runs First: Every elimination workflow runs a live mock execution loop first, allowing you to visually review the specific targets prior to confirmation.
  • Narrow Mutator Scoping: Upgrade templates do not ask for structural administrative access. If you only approve purging detached EBS volumes, the policy blocks instance interaction entirely.
  • Immutable Audit Feeds: Every purge query, user confirmation, or failure block is written to an immutable internal audit tracker mapped directly to individual engineer IDs.
Phase 1

Core Assessment Template

Deploys a strict, 100% read-only cross-account audit role. Zero mutation footprint. Perfect for initial analysis and security audits.

Download Scan Template (YAML)
Phase 2

Targeted Purge Upgrade

Introduces surgical, item-specific deletion actions matching confirmed leaks. Deploys only when you decide to unlock autonomous cleanups.

Download Purge Template (YAML)

Ready to start finding waste in your AWS account?

Get Started — Free