Security

Read-only. And nothing else.

You connect Signal with a read-only IAM role. We see what you pay for. We touch nothing until you click. You revoke us anytime from your AWS console.

TL;DR
The full policy

This is exactly what we ask for.

No write wildcards, no S3 content access, no IAM, no billing beyond Cost Explorer.

signal-readonly.policy.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ce:Get*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "ec2:Describe*",
      "rds:Describe*",
      "elasticloadbalancing:Describe*",
      "logs:Describe*",
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation"
    ],
    "Resource": "*"
  }]
}

If that looks right, you add the role with a 12-line CloudFormation template. Nothing else needed.
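One way to check the policy above against the claims made for it before you attach it. This is an added example, not Signal's code; the `PROBES` list and the function names are assumptions chosen for illustration.

```python
import json
from fnmatch import fnmatchcase

# Policy body as shown on this page (signal-readonly.policy.json).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
   "ce:Get*", "cloudwatch:Get*", "cloudwatch:List*", "ec2:Describe*",
   "rds:Describe*", "elasticloadbalancing:Describe*", "logs:Describe*",
   "s3:ListAllMyBuckets", "s3:GetBucketLocation"]}]}
""")

READ_VERBS = ("get", "list", "describe")
# Constructed probes: real AWS actions for what the page says is out of scope
# (object contents, table data, IAM changes, deletes). Extend for your account.
PROBES = ["s3:GetObject", "s3:PutObject", "dynamodb:GetItem", "iam:CreateRole",
          "iam:PutRolePolicy", "ec2:TerminateInstances", "rds:DeleteDBInstance"]


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit(policy):
    """Return a list of findings; an empty list means the claims hold."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions")
        for pattern in _as_list(stmt.get("Action", [])):
            p = pattern.lower()  # IAM action matching is case-insensitive
            verb = p.partition(":")[2]
            if not verb.startswith(READ_VERBS):
                findings.append(f"{pattern}: not limited to Get/List/Describe")
            # A read verb is not enough: s3:Get* would still cover GetObject.
            hits = [a for a in PROBES if fnmatchcase(a.lower(), p)]
            if hits:
                findings.append(f"{pattern}: also allows {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for line in audit(POLICY) or ["OK: read-only metadata actions only"]:
        print(line)
```

Run the same check on the policy actually attached to the role in your account, so a later change from `s3:GetBucketLocation` to something like `s3:Get*` gets flagged.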

What we do

  • We read resource metadata: name, type, size, creation date, usage metrics.
  • We read Cost Explorer to map each resource to its monthly cost.
  • We detect waste patterns (idle, oversized, no traffic, infinite retention).

What we DON’T do

  • Contents of your S3 buckets. We list names and regions; we never open an object.
  • Database data (RDS / DynamoDB). Only metadata: size, instance class, metrics.
  • IAM permissions. We can’t create roles, users, or modify policies.
  • Background jobs. Every delete goes through your click.

How we delete (when you approve)

If you upgrade from the read-only role to one with delete permissions, each action runs one at a time with your explicit OK. Snapshot first where applicable (EBS, RDS), dependencies checked (an attached EBS won’t be deleted). If your infra is IaC, we generate a Terraform PR.

On our servers

Your data on Signal

We store
  • AWS account ID
  • IAM role ARN
  • Last-scan findings (ID, type, estimated cost)
We don’t store
  • Credentials (we use AssumeRole with temporary tokens)
  • Contents of your resources
  • Raw historical metrics
Encryption
  • At rest: AES-256
  • In transit: TLS 1.2+
  • Deleted within 30 days on cancellation

How to revoke us

Four steps. Takes under a minute.

  1. AWS Console → IAM → Roles
  2. Find the Signal role
  3. Click Delete (10 seconds)
  4. Delete your Signal account in-app or by email

Want us to delete it on our side too? Email signalfinops@gmail.com.

Compliance

Current status

  • SOC 2 Type II: In audit. Report expected Q3 2026.
  • GDPR: Compliant. Data processor. We sign a DPA on request.
  • Ley 25.326 (AR): Registered. Registered data controller with AAIP.

Found something?

Security reports answered within 24h. Responsible disclosure appreciated — a Signal T-shirt goes to the first person who reports something serious.