
Access Model

LightPane uses read-only access to discover your cloud infrastructure. It never creates, modifies, or deletes resources in your cloud accounts.

Read-only by design

Every cloud provider connection uses the provider's own read-only mechanism:

| Provider | Mechanism | Permission level |
| --- | --- | --- |
| AWS | Cross-account IAM role with the SecurityAudit managed policy | Read-only: Get*, List*, Describe* actions across 40+ services |
| GCP | Service account with roles/viewer, authenticated via Workload Identity Federation | Read-only: list and get operations across all services |
| Azure | Service Principal with the Reader role | Read-only: list and read operations across subscription resources |

Two things are worth checking on your side. AWS managed policies are versioned and AWS adds actions to them over time, so the SecurityAudit document you grant today is best read directly: aws iam get-policy gives the DefaultVersionId and aws iam get-policy-version returns the statements. On GCP, roles/viewer is a basic role rather than a curated audit role, and its permission list includes storage.objects.get, which is an object-data read; compare the role definition with gcloud iam roles describe roles/viewer, and if the "no data access" guarantee matters to you on GCP, grant a custom role built from get and list permissions with the data-plane ones removed. The Azure Reader role is a control-plane role: it cannot read blob data or Key Vault secrets, and it does not include the listKeys action that would expose storage account keys.
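A read-only policy written as Get*/List*/Describe* is not automatically data-safe, because some Get actions return customer data rather than configuration. The linter below is an added example, not LightPane's code and not the real SecurityAudit document: it expands IAM wildcards the way IAM matches them (case-insensitive, with * and ?), honours explicit Deny, and reports which data-plane read actions a policy would grant. The two policy documents embedded in it are constructed for the example; only the action names are real.

```python
"""Added example (not LightPane's code): lint an IAM permissions policy for
data-plane read actions that a "read-only" audit role should not carry.

The two policies below are constructed for this example. They resemble the
shape of AWS managed policies but are not the real SecurityAudit document.
"""
import fnmatch
import json

# Read actions that return data rather than configuration. Real IAM action names;
# the selection is editorial and not exhaustive.
DATA_PLANE_READS = [
    "s3:GetObject",
    "s3:GetObjectVersion",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath",
    "dynamodb:GetItem",
    "dynamodb:Query",
    "dynamodb:Scan",
    "lambda:GetFunction",
]

# Constructed excerpt in the style of a configuration-only audit policy.
SAMPLE_READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration",
        "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
        "ssm:DescribeParameters", "ec2:Describe*", "iam:Get*", "iam:List*"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed policy that looks read-only (only Get*/List*) but grants object reads.
SAMPLE_OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObjectVersion", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if this policy alone allows `action` on some resource.

    Only Effect/Action/NotAction are evaluated; Resource and Condition are
    ignored, which errs toward reporting a grant. Explicit Deny wins.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: applies to every action except the listed ones
            hit = not any(_matches(p, action) for p in _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def data_plane_findings(policy):
    """Data-plane read actions the policy would grant (empty list is the goal)."""
    return [a for a in DATA_PLANE_READS if action_allowed(policy, a)]


if __name__ == "__main__":
    for name, pol in (("read-only", SAMPLE_READ_ONLY_POLICY), ("overbroad", SAMPLE_OVERBROAD_POLICY)):
        print(name, data_plane_findings(pol))
```

To run it against the live policy, save the Document returned by aws iam get-policy-version to a file, json.load it, and pass the result to data_plane_findings. Resource and Condition are deliberately ignored: a vendor policy that allows s3:GetObject on a single bucket is still a data grant you want to see listed.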

What LightPane can see

LightPane discovers resource configuration and metadata:

  • Resource names, IDs, and identifiers
  • Configuration settings (instance types, storage classes, encryption settings)
  • Status and state (running, stopped, active, pending)
  • Network configuration (VPCs, subnets, security groups, IPs)
  • Tags and labels
  • Creation dates and modification timestamps
  • CloudWatch alarm states
  • IAM configuration (users, roles, policies)

What LightPane cannot do

LightPane cannot:

  • Read the contents of S3 objects, storage blobs, or any data files
  • Read database contents (RDS, DynamoDB, Cloud SQL, Cosmos DB)
  • Read secrets or parameter values (Secrets Manager, SSM Parameter Store, Key Vault)
  • Modify any resource in any way
  • Create new resources
  • Delete anything
  • Access the AWS/GCP/Azure management console on your behalf
  • Access other accounts that you have not explicitly linked

SecurityAudit does not include s3:GetObject

The AWS SecurityAudit policy lets LightPane list your S3 buckets and their configuration (versioning, encryption, lifecycle rules). It does not grant s3:GetObject, so LightPane cannot read the files inside your buckets.

Temporary credentials

LightPane does not hold long-lived cloud credentials for AWS or for GCP projects connected through Workload Identity Federation. The one exception is the GCP service account key fallback, which is stored encrypted:

  • AWS: STS AssumeRole returns temporary credentials that expire after 1 hour
  • GCP (WIF): Workload Identity Federation produces short-lived tokens that expire after 1 hour
  • GCP (SA key): the key is a long-lived credential and is stored encrypted; the recommended WIF approach avoids storing any key at all

No credentials are cached between requests. Each discovery request obtains fresh temporary credentials.
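The AWS side of this depends on the role's trust policy, which decides who may call AssumeRole at all. The check below is an added example, not LightPane's code or template: it reads an AssumeRolePolicyDocument and confirms that only one vendor account is trusted, that the action is no broader than sts:AssumeRole, and that an sts:ExternalId condition is present. The account ID and external ID are placeholders invented here; the page does not say whether LightPane's template uses an external ID, which is the usual mitigation against a confused-deputy call through the vendor.

```python
"""Added example (not LightPane's code): review the trust policy of a cross-account
read-only role before deploying it.

VENDOR_ACCOUNT_ID and EXPECTED_EXTERNAL_ID are placeholders for this example;
LightPane's real values are not stated on the page.
"""
import json

VENDOR_ACCOUNT_ID = "111122223333"            # placeholder vendor AWS account
EXPECTED_EXTERNAL_ID = "example-external-id"  # placeholder; should be unique per customer

# Constructed trust policy in the shape of a CloudFormation AssumeRolePolicyDocument.
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

# Same role, trusting any AWS principal with no external ID: any account that
# learns the role ARN could assume it.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs (or '*') named in the AWS principal element."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])  # arn:aws:iam::<account>:root or :role/...
        else:
            accounts.add(p)  # bare account ID
    return accounts


def trust_policy_findings(policy, vendor_account, external_id):
    """Problems found in the trust policy; an empty list means it is acceptable."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not an assume-role grant
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"statement {i}: wildcard principal can assume the role")
        elif accounts != {vendor_account}:
            findings.append(f"statement {i}: principals {sorted(accounts) or 'none'} differ from {vendor_account}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId condition")
        if actions & {"sts:*", "*"}:
            findings.append(f"statement {i}: action broader than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    print("good:", trust_policy_findings(GOOD_TRUST_POLICY, VENDOR_ACCOUNT_ID, EXPECTED_EXTERNAL_ID))
    print("bad: ", trust_policy_findings(BAD_TRUST_POLICY, VENDOR_ACCOUNT_ID, EXPECTED_EXTERNAL_ID))
```

The 1-hour lifetime quoted above is the AssumeRole default (DurationSeconds of 3600) and is also capped by the role's MaxSessionDuration, which defaults to 1 hour; leaving MaxSessionDuration at its default keeps a vendor from requesting longer sessions than the page describes.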

Customer control

You control access at every level:

  • Grant access: deploy a CloudFormation template (AWS), run a Cloud Shell script (GCP), or create a Service Principal (Azure)
  • Scope access: choose which accounts, projects, or subscriptions to link; nothing outside them is reachable
  • Audit access: every LightPane API call is recorded in your CloudTrail, Cloud Audit Logs, or Azure Activity Log under the role, service account, or Service Principal you created, so you can filter the log on that identity
  • Revoke access: delete the IAM role, service account, or Service Principal at any time; because each discovery request obtains fresh credentials, the next request fails and access stops immediately
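Because every call lands in your own audit log under the identity you created, you can verify the read-only claim independently rather than trust it. The check below is an added example, not LightPane's code: it walks CloudTrail records, keeps only those made through the vendor role's assumed-role sessions, and flags any call that was not a clean read, including AccessDenied results, which show the role attempting something the policy does not grant. The role ARN and the four records are constructed for the example.

```python
"""Added example (not LightPane's code): confirm from CloudTrail that a vendor's
cross-account role has only made successful read calls.

VENDOR_ROLE_ARN and SAMPLE_TRAIL are constructed for this example.
"""
VENDOR_ROLE_ARN = "arn:aws:iam::123456789012:role/LightPaneReadOnly"  # placeholder

# Event-name prefixes used by read APIs; CloudTrail's readOnly flag is checked too.
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _record(event_id, source, name, read_only, issuer_arn=None, user=None, error=None):
    """Build a trimmed CloudTrail record (constructed test data, not a real trail)."""
    if issuer_arn:
        identity = {"type": "AssumedRole",
                    "sessionContext": {"sessionIssuer": {"type": "Role", "arn": issuer_arn}}}
    else:
        identity = {"type": "IAMUser", "userName": user}
    rec = {"eventID": event_id, "eventSource": source, "eventName": name,
           "readOnly": read_only, "userIdentity": identity}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_TRAIL = [
    _record("e1", "ec2.amazonaws.com", "DescribeInstances", True, issuer_arn=VENDOR_ROLE_ARN),
    # A denied object read: the policy boundary held, but the attempt is worth seeing.
    _record("e2", "s3.amazonaws.com", "GetObject", True, issuer_arn=VENDOR_ROLE_ARN,
            error="AccessDenied"),
    _record("e3", "ec2.amazonaws.com", "RunInstances", False, issuer_arn=VENDOR_ROLE_ARN),
    # Same mutating call by a human user: not attributable to the vendor role.
    _record("e4", "ec2.amazonaws.com", "RunInstances", False, user="alice"),
]


def session_role_arn(record):
    """Role ARN behind an assumed-role session, or None for other identity types."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def vendor_role_findings(records, role_arn):
    """Return [(eventID, reason)] for each call by role_arn that was not a clean read."""
    findings = []
    for rec in records:
        if session_role_arn(rec) != role_arn:
            continue
        call = f"{rec.get('eventSource')}:{rec.get('eventName')}"
        if rec.get("errorCode"):
            findings.append((rec["eventID"],
                             f"{call} failed with {rec['errorCode']}: attempted call outside the granted policy"))
        elif rec.get("readOnly") is False or not rec.get("eventName", "").startswith(READ_PREFIXES):
            findings.append((rec["eventID"], f"{call} is not a read call"))
    return findings


if __name__ == "__main__":
    for event_id, reason in vendor_role_findings(SAMPLE_TRAIL, VENDOR_ROLE_ARN):
        print(event_id, reason)
```

With real data, feed it the Records array from the CloudTrail files delivered to S3, or the events returned by aws cloudtrail lookup-events; the same session-issuer filter is what you would use as a Athena or CloudTrail Lake WHERE clause. GCP Cloud Audit Logs and the Azure Activity Log carry the equivalent caller identity fields, so the same approach works there with different field names.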

No agent, no installation

LightPane does not install software in your cloud account. There is no agent, daemon, sidecar, or background process running in your environment. All discovery happens via API calls from the LightPane platform to your cloud provider's APIs.