Built like a tank

Read-Only. Zero Trust.

You're handing over the keys to your house, so we made sure they only open the front door. We use strict role assumption, read-only policies, and encrypt everything.

Ironclad Encryption

Everything is encrypted at the application layer with AES-256 before it ever hits a database. Data in transit is TLS 1.3.

App-layer encryption before storage
TLS 1.3 for all data in transit
AES-256-GCM authenticated encryption
Strict key management and rotation
Keys rotated every 90 days

We Never Mutate State

GhostCost is strictly an observer. We only request an IAM Role with basic billing and metadata read permissions. Nothing more.

IAM Role with read-only scopes
STS AssumeRole + ExternalId
Temporary sessions only (max 1hr)
All API calls visible to you
Technically impossible to mutate your stack

Immutable Logs

We log every internal move we make. You can audit us anytime.

Append-only logs — tamper-proof
Every read operation is timestamped
Exportable for compliance
Real-time audit stream in app
90-day retention default

The IAM Policy

We're developers too. Here is the exact IAM policy we request. No hidden privileges.

iam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-cur-bucket",
        "arn:aws:s3:::your-cur-bucket/*"
      ]
    }
  ]
}
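As an added example (not GhostCost's own code), here is a small Python check a customer could run over a policy like the one above before attaching it to the role, to confirm that every allowed action is read-style and that no wildcard or NotAction slips a write in. The read-verb allow-list is an assumption and a heuristic: AWS does not mark read-only actions in their names, so each action should still be confirmed against the IAM service reference.

```python
import json

# The policy published on this page, embedded here as the sample input.
PUBLISHED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::your-cur-bucket", "arn:aws:s3:::your-cur-bucket/*"]
    }
  ]
}
""")

# Heuristic allow-list of verb prefixes treated as non-mutating (an assumption:
# AWS does not flag read-only actions in their names, so confirm each action
# against the IAM service reference before relying on this list).
READ_VERBS = ("Get", "List", "Describe", "Head", "Lookup", "View", "Search")


def is_read_only_action(action: str) -> bool:
    """True if an IAM action string can only name read-style operations."""
    service, sep, verb = action.partition(":")
    if not sep or not service:
        return False                      # bare "*" or malformed: may grant writes
    literal = verb.split("*", 1)[0]       # "Describe*" -> "Describe", "*" -> ""
    return bool(literal) and literal.startswith(READ_VERBS)


def _as_list(value):
    # IAM allows a single string or object where a list is also accepted.
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def policy_violations(policy: dict) -> list:
    """Return (item, reason) pairs that break a read-only claim; [] if none."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot add access
        if "NotAction" in stmt:
            problems.append(("NotAction", "allows every action except those listed"))
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                problems.append((action, "not a recognised read-only verb"))
    return problems


if __name__ == "__main__":
    print(policy_violations(PUBLISHED_POLICY) or "policy is read-only")
```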

Zero-Write Guarantee

Full Developer Transparency

Every read. Every scan. Logged and visible. We never have write access.

Every API call uses strict read-only IAM permissions

STS AssumeRole with ExternalId — scoped & temporary

Full CloudTrail visibility right in your own AWS account

No plaintext credentials ever stored. Zero trust.

Audit Log Stream

02:14:33  READ  ec2:DescribeInstances
02:14:34  READ  rds:DescribeDBInstances
02:14:34  SCAN  s3:ListBuckets
02:14:35  READ  ec2:DescribeVolumes
02:14:35  READ  lambda:ListFunctions
02:14:36  SCAN  ghostwatch:InsightScan

Doing things right

We hate cutting corners when it comes to security.

SOC2 Type II

In Progress

GDPR

Compliant

Data Residency

EU & US

99.9% Uptime

SLA