To provide the ZapStack service we require tightly scoped, read-only access to your AWS environment. This allows us to scan your resources, collect metadata, and analyze configurations to identify waste.
ZapStack does not have permissions to access the contents of your data stored in S3 buckets, database records, or volumes. We only have permissions to view resource metadata and configurations.

Data processing and storage

ZapStack is the only processor of customer AWS data. There are no sub-processors. ZapStack does not persist any personally identifiable information (e.g. names, email addresses, IP addresses) that your applications or AWS write to CloudTrail, CloudWatch, or any other AWS service. The only AWS data from customer environments that ZapStack persists is resource metadata (e.g. instance ID, instance type, etc.) and metric data (e.g. resource utilization); this data enables us to provide our service.

Setup

ZapStack uses two CloudFormation templates to set up read-only access to your AWS environment. These templates are deployed automatically when you connect your AWS account through the ZapStack dashboard.

How the templates work together

1. Management account deployment: You deploy v1.yaml to your AWS Organizations management account. This creates an IAM role, sets up Cost and Usage Reports (CUR), and creates a StackSet.
2. Automatic member account deployment: The StackSet automatically deploys v1-member.yaml to all existing and future member accounts in your Organization.
3. ZapStack notification: Both templates notify ZapStack when deployment completes. ZapStack then begins scanning your resources.

Management account template (v1.yaml)

This template is deployed to your AWS Organizations management account. It creates:
  • An S3 bucket for Cost and Usage Reports (CUR)
  • CUR configuration with hourly billing reports
  • IAM role (ZapStackCrossAccountRole) with read-only permissions
  • StackSet to auto-deploy member account roles
  • Lambda function to retrieve Organization root ID
  • SNS notification to alert ZapStack when setup completes

Member account template (v1-member.yaml)

This template is automatically deployed to all member accounts via the StackSet created by v1.yaml. You do not need to deploy this manually. It creates:
  • IAM role (ZapStackCrossAccountRole) with read-only permissions
  • SNS notification to alert ZapStack when the account is onboarded
Member accounts do not have CUR or billing API access — all billing data is centralized in the management account.

IAM permissions summary

Both templates use the AWS managed policy ViewOnlyAccess plus additional inline policies for complete resource coverage.
Permission category         | Management account | Member accounts | Purpose
----------------------------|--------------------|-----------------|---------------------------------------
ViewOnlyAccess              | Yes                | Yes             | Broad read-only access to AWS services
Billing & Cost Explorer     | Yes                | Yes             | Read cost data and budgets
CUR bucket access           | Yes                | No              | Read Cost and Usage Reports
CloudWatch metrics          | Yes                | Yes             | Resource utilization analysis
S3 multipart uploads        | Yes                | Yes             | Detect abandoned uploads
StackSet management         | Yes                | No              | Deploy member account roles
Extended resource inventory | Yes                | Yes             | 100+ additional read-only permissions

Security features

  • ExternalId protection: Prevents confused deputy attacks by requiring a unique tenant ID
  • Read-only access: No permissions to modify, create, or delete resources
  • No data access: Cannot read contents of S3 objects, databases, or volumes
  • Revocable: Delete the CloudFormation stack to immediately revoke access

Trust policy

The CloudFormation templates configure the following trust policy on the IAM role. This is shown here for reference.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::964607248450:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_ZAPSTACK_TENANT_ID"
        }
      }
    }
  ]
}
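As an added example (not ZapStack's own code or part of its templates), the following Python check verifies that a deployed ZapStackCrossAccountRole trust policy still has the shape shown above: a single Allow statement for sts:AssumeRole only, trusting just the ZapStack account, and gated by a non-placeholder sts:ExternalId under StringEquals. It assumes you have already fetched the role's AssumeRolePolicyDocument (for example with `aws iam get-role`) and parsed it into a dict; the sample policy and tenant ID embedded below are constructed.

```python
import copy

# Values from the trust policy above: ZapStack's account and the ExternalId placeholder.
ZAPSTACK_PRINCIPAL = "arn:aws:iam::964607248450:root"
PLACEHOLDER_EXTERNAL_ID = "YOUR_ZAPSTACK_TENANT_ID"

# Constructed sample of a deployed trust policy; the tenant ID here is made up.
DEPLOYED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ZAPSTACK_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "tenant-example-0000"}},
    }],
}

def check_trust_policy(policy, expected_principal=ZAPSTACK_PRINCIPAL):
    """Return a list of findings (empty = OK). Expected: one Allow statement for
    sts:AssumeRole only, trusting exactly expected_principal, gated by a
    non-placeholder sts:ExternalId under StringEquals."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    if len(statements) != 1:
        findings.append(f"expected exactly 1 statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append("statement effect is not Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            findings.append(f"unexpected actions: {actions}")
        principal = stmt.get("Principal")  # may be a dict or a bare string such as "*"
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal != expected_principal:
            findings.append(f"unexpected principal: {aws_principal!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId is still the template placeholder")
    return findings

if __name__ == "__main__":
    print("deployed policy:", check_trust_policy(DEPLOYED_TRUST_POLICY) or "OK")
    weakened = copy.deepcopy(DEPLOYED_TRUST_POLICY)  # drift: condition dropped, principal widened
    del weakened["Statement"][0]["Condition"]
    weakened["Statement"][0]["Principal"] = {"AWS": "*"}
    print("weakened policy:", check_trust_policy(weakened))
```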