
Architecture

ZapStack consists of two main components:
  1. Web Application - Dashboard for viewing findings and managing accounts
  2. Analyser - Scanning engine that connects to your AWS accounts
┌─────────────────┐      ┌─────────────────┐
│   ZapStack      │      │  Your AWS       │
│   Dashboard     │◄────►│  Account        │
└────────┬────────┘      └────────┬────────┘
         │                        │
         │                        │
         ▼                        ▼
┌─────────────────┐      ┌─────────────────┐
│   ZapStack      │─────►│  IAM Role       │
│   Analyser      │      │  (Read-Only)    │
└─────────────────┘      └─────────────────┘

Analyser

The analyser is a Go-based scanning engine that:
  • Connects to AWS using cross-account IAM roles
  • Runs 50+ checks across multiple AWS services
  • Supports scanning multiple regions in parallel
  • Generates structured findings
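The scanning loop the list above describes, as an added example that is not ZapStack's own code: it fans out over regions in goroutines, runs a small set of checks against the inventory each region returns, keeps one region that fails to load (a missing permission, an opted-out region) from aborting the others, and emits findings as JSON. The Finding fields, the check names and thresholds, and the sample instances and volumes are all assumptions made for this example; the page does not document the analyser's real schema or the exact logic of its checks.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// Finding is the structured record a check emits (field names are an assumption; the page gives no schema).
type Finding struct {
	Check      string `json:"check"`
	Service    string `json:"service"`
	Region     string `json:"region"`
	ResourceID string `json:"resource_id"`
	Detail     string `json:"detail"`
}

// Instance and Volume hold only what metadata reads return (configuration, state, a CloudWatch metric).
type Instance struct {
	ID, State string
	AvgCPU    float64       // average CPUUtilization (%) over the look-back window
	Age       time.Duration // time since launch
}
type Volume struct{ ID, Type, AttachedTo string } // AttachedTo is empty when unattached
type Inventory struct {                           // what one region's Describe* calls return
	Instances []Instance
	Volumes   []Volume
}

// Check inspects one region's inventory and returns zero or more findings.
type Check func(region string, inv Inventory) []Finding

// IdleInstances flags running instances whose average CPU stayed below threshold; an
// instance younger than minAge has no history to judge yet and is skipped.
func IdleInstances(threshold float64, minAge time.Duration) Check {
	return func(region string, inv Inventory) []Finding {
		var out []Finding
		for _, in := range inv.Instances {
			if in.State == "running" && in.Age >= minAge && in.AvgCPU < threshold {
				out = append(out, Finding{"ec2-idle-instance", "EC2", region, in.ID,
					fmt.Sprintf("avg CPU %.1f%% over the last %s", in.AvgCPU, minAge)})
			}
		}
		return out
	}
}

// UnattachedVolumes flags EBS volumes that no instance is using.
func UnattachedVolumes(region string, inv Inventory) []Finding {
	var out []Finding
	for _, v := range inv.Volumes {
		if v.AttachedTo == "" {
			out = append(out, Finding{"ebs-unattached-volume", "EBS", region, v.ID, v.Type + " volume, not attached"})
		}
	}
	return out
}

// ScanRegions runs the checks against every region concurrently. A region whose inventory
// cannot be fetched is reported as an error without aborting the other regions.
func ScanRegions(regions []string, fetch func(string) (Inventory, error), checks []Check) ([]Finding, []error) {
	var mu sync.Mutex
	var wg sync.WaitGroup
	var findings []Finding
	var errs []error
	for _, r := range regions {
		wg.Add(1)
		go func(region string) {
			defer wg.Done()
			inv, err := fetch(region)
			var local []Finding // built before taking the lock so the checks run in parallel too
			for _, c := range checks {
				if err == nil {
					local = append(local, c(region, inv)...)
				}
			}
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				errs = append(errs, fmt.Errorf("%s: %w", region, err))
			}
			findings = append(findings, local...)
		}(r)
	}
	wg.Wait()
	return findings, errs
}

// sampleFetch stands in for the AWS API calls with constructed data, not a real account.
func sampleFetch(region string) (Inventory, error) {
	day := 24 * time.Hour
	switch region {
	case "us-east-1": // one idle instance, one busy, one too new to judge; one unattached volume
		return Inventory{
			Instances: []Instance{{"i-0aaa", "running", 1.2, 30 * day}, {"i-0bbb", "running", 45, 30 * day}, {"i-0ccc", "running", 0.5, day}},
			Volumes:   []Volume{{"vol-0111", "gp2", "i-0bbb"}, {"vol-0222", "gp2", ""}},
		}, nil
	case "eu-west-1": // a stopped instance is not "idle"; one unattached volume
		return Inventory{Instances: []Instance{{"i-0ddd", "stopped", 0, 90 * day}}, Volumes: []Volume{{"vol-0333", "gp3", ""}}}, nil
	}
	return Inventory{}, fmt.Errorf("AccessDenied: role cannot be used in %s", region)
}

// SampleScan runs both checks over three regions, one of which fails to load.
func SampleScan() ([]Finding, []error) {
	return ScanRegions([]string{"us-east-1", "eu-west-1", "ap-southeast-1"}, sampleFetch,
		[]Check{IdleInstances(5.0, 14*24*time.Hour), UnattachedVolumes})
}

func main() {
	findings, errs := SampleScan()
	out, _ := json.MarshalIndent(findings, "", "  ")
	fmt.Println(string(out), errs) // three findings (i-0aaa, vol-0222, vol-0333) and one region error
}
```

The per-region error path is the part worth copying: a scanner that aborts on the first AccessDenied hides every other region's findings, while one that drops the error silently makes a partial scan look complete.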

Supported AWS Services

ZapStack currently scans the following services:
Service          Check Types
---------------  --------------------------------------------------
EC2              Idle instances, unused volumes, unattached IPs
EBS              GP2 volumes, unattached volumes, old snapshots
RDS              Idle databases, storage optimization
DynamoDB         Idle tables, capacity optimization
Lambda           Unused functions, memory optimization
S3               Incomplete multipart uploads, lifecycle policies
ELB              Idle load balancers, unused target groups
Security Groups  Unused groups, overly permissive rules

Data Handling

ZapStack only reads metadata about your AWS resources. We:
  • Do read resource configurations, tags, and CloudWatch metrics
  • Do not access data stored in your resources (S3 objects, database contents, etc.)
  • Do not store AWS credentials: the analyser assumes the cross-account role and works with the short-lived credentials STS returns
  • Do not make any changes to your infrastructure; the role the analyser assumes is read-only
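Because the analyser runs under a role in your account, the role's two policies are what actually enforce the guarantees above, so it is worth checking them before attaching them. The following added example (not ZapStack's code) audits a permissions policy and a trust policy: it accepts only Describe*/List*/Get* actions that are not data-plane reads such as s3:GetObject, and it requires the trust policy to name a specific account and demand an sts:ExternalId. The sample policies, the account ID 111122223333 (the AWS documentation placeholder) and the external ID are constructed for the example; the page does not say which actions ZapStack's role needs or whether it uses an external ID.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringOrList accepts both the single-string and list forms IAM allows for Action.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringOrList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s)) // plain slice type, so this method is not re-entered
}

// Only the fields the audit needs are modelled. Statement is assumed to be a
// list, as in the samples below (IAM also accepts a single object).
type statement struct {
	Effect    string
	Action    stringOrList
	Principal json.RawMessage // "*" or {"AWS": ...}; inspected as raw text
	Condition map[string]map[string]json.RawMessage
}
type policy struct{ Statement []statement }

// dataPlaneReads are Get-style actions that return resource contents rather than
// metadata, so they have no place in a metadata-only role (illustrative, not exhaustive).
var dataPlaneReads = map[string]bool{
	"s3:getobject": true, "s3:getobjectversion": true, "dynamodb:getitem": true,
	"dynamodb:batchgetitem": true, "dynamodb:query": true, "dynamodb:scan": true,
}

// ActionIsReadOnly accepts Describe*/List*/Get* verbs that are not known data-plane
// reads. A wildcard under Get is rejected because "s3:Get*" would cover GetObject.
func ActionIsReadOnly(action string) bool {
	a := strings.ToLower(action)
	svc, verb, ok := strings.Cut(a, ":")
	if dataPlaneReads[a] || !ok || svc == "*" || verb == "*" {
		return false
	}
	switch {
	case strings.HasPrefix(verb, "describe"), strings.HasPrefix(verb, "list"):
		return true
	case strings.HasPrefix(verb, "get"):
		return !strings.Contains(verb, "*")
	}
	return false
}

// AuditRole returns every reason the policy pair is not a metadata-only cross-account
// role: a grant that is not a metadata read, a wildcard principal, or an AssumeRole
// statement without an external ID (the usual guard against confused-deputy abuse).
func AuditRole(permissionsJSON, trustJSON string) []string {
	var perms, trust policy
	if err := json.Unmarshal([]byte(permissionsJSON), &perms); err != nil {
		return []string{"permissions policy: " + err.Error()}
	}
	if err := json.Unmarshal([]byte(trustJSON), &trust); err != nil {
		return []string{"trust policy: " + err.Error()}
	}
	var problems []string
	for i, st := range perms.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		for _, a := range st.Action {
			if !ActionIsReadOnly(a) {
				problems = append(problems, fmt.Sprintf("permissions statement %d grants %q", i, a))
			}
		}
	}
	for i, st := range trust.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		// A bare "*" token in Principal ("*", {"AWS":"*"}, or inside a list) lets any account in.
		if strings.Contains(string(st.Principal), `"*"`) {
			problems = append(problems, fmt.Sprintf("trust statement %d allows any principal", i))
		}
		if _, ok := st.Condition["StringEquals"]["sts:ExternalId"]; !ok {
			problems = append(problems, fmt.Sprintf("trust statement %d has no sts:ExternalId condition", i))
		}
	}
	return problems
}

// Constructed sample policies. 111122223333 is the AWS documentation placeholder
// account ID; the action list is illustrative, not ZapStack's published policy.
const (
	GoodPermissions = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Resource":"*","Action":[
		"ec2:Describe*","rds:DescribeDBInstances","cloudwatch:GetMetricStatistics","s3:ListAllMyBuckets",
		"s3:GetLifecycleConfiguration","s3:ListBucketMultipartUploads","lambda:ListFunctions",
		"dynamodb:DescribeTable","elasticloadbalancing:Describe*"]}]}`
	GoodTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole",
		"Principal":{"AWS":"arn:aws:iam::111122223333:root"},
		"Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}`
	BadPermissions = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Resource":"*",
		"Action":["ec2:*","s3:GetObject","iam:ListRoles"]}]}`
	BadTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":"*"}]}`
)

func main() {
	fmt.Println("good role:", AuditRole(GoodPermissions, GoodTrust)) // []
	fmt.Println("bad role: ", AuditRole(BadPermissions, BadTrust))   // four problems
}
```

The Get* wildcard rule is the caveat that usually gets missed: "s3:Get*" looks read-only but grants s3:GetObject, which is exactly the object data a metadata-only scanner says it never touches. Run the audit against the policies a vendor asks you to deploy rather than trusting the "read-only" label.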