fegura.ai
...
Zero Footprint

Zero Footprint Security

No agents. No infrastructure in your account. No long-lived credentials.Connect in minutes, revoke instantly.

How It Works

1

Deploy a CloudFormation stack

One click creates a read-only IAM role in your account. Nothing else — no agents, no sidecars, no infrastructure.

2

We assume the role via STS

Temporary credentials issued by AWS, valid for one session. We never store or persist them.

3

Read-only scan

We read resource metadata — the same information visible in the AWS Console. No data, no secrets, no logs.

4

Revoke anytime

Delete the CloudFormation stack and access is gone instantly. No cleanup, no lingering credentials.

Exact Permissions

The IAM role uses the AWS-managed ViewOnlyAccess policy plus two S3 permissions. That's it.

ViewOnlyAccess (AWS-managed)

Describe*, List*, Get* across AWS services. The same read-only view as your AWS Console.

s3:GetBucketLocation

Read which region a bucket lives in — needed to map bucket→region relationships.

s3:GetBucketTagging

Read bucket tags — needed to detect cost allocation and environment labels.

Every permission is Describe*, List*, Get* — all read-only. No Create, Put, Delete, or Update.

What We Don't Access

  • No credentials or secrets (SSM SecureString, Secrets Manager values)
  • No database contents (RDS data, DynamoDB items)
  • No S3 object data (we read bucket metadata only)
  • No application logs or CloudWatch log contents
  • No ability to create, modify, or delete any resource

We only read resource metadata — the same information visible in the AWS Console resource lists.

Data Handling

  • Encrypted at rest — All data stored in DynamoDB with AWS-managed encryption
  • Encrypted in transit — All API communication over TLS 1.2+
  • Metadata only — We store resource types, names, relationships, and configuration metadata. Never application data.
  • Isolated per workspace — Data is logically separated by workspace and AWS account

External ID & Confused Deputy Protection

Every Fegura installation gets a unique external ID baked into the IAM trust policy. This prevents confused deputy attacks — no other service or customer can assume your role, even if they know the role ARN.

The IAM role name itself is unique per installation (FeguraRole-{externalId}), so reconnecting never conflicts with a previous setup.

Infrastructure

  • Hosted on AWS (us-east-1)
  • Serverless architecture — AWS Lambda + DynamoDB
  • No persistent servers or VMs to patch
  • API served via AWS API Gateway with TLS

Authentication

  • Sign in via Google OAuth — we never see or store your password
  • Sessions managed via secure, HttpOnly cookies
  • API keys are hashed before storage

Responsible Disclosure

If you discover a security vulnerability, please report it to security@fegura.ai. We take all reports seriously and will respond within 48 hours.