Security

Security is the product.

Crewlo is built around three tiers of access. You opt into each one. The default tier cannot mutate your account — not by design, by IAM policy.

Guardrails

Three tiers of access. You opt into each one.

A company’s cloud is sacred. Crewlo is built so that the only way to make a write happen is for a human to approve it with elevated, time-bounded credentials.

Tier 1 — Discovery & analysis

No approval needed

  • Crewlo assumes a CloudFormation-provisioned IAM role you create on day one. The role can ONLY call Describe / List / Get APIs.
  • We physically cannot mutate state with this role. The IAM policy doesn’t grant any write permissions, so an escalation bug here is impossible.
  • Every API call is logged with timestamp, ARN, action, and the agent that requested it. Exportable to your SIEM.

Tier 2 — Recommendations & plans

Human reviews before any action

  • Findings (cost, security, posture) are presented as a plan, never executed automatically.
  • Each recommendation includes the proposed Terraform diff, the blast radius, and a generated rollback path — before you click anything.
  • If you never escalate to Tier 3, Crewlo will only ever read your account. Recommendations are useful on their own.

Tier 3 — Guided remediation

Separate role + approval + 15-min credentials + rollback

  • Tier 3 uses a SEPARATE IAM role you create only when you want to apply changes. The default read-only role cannot be escalated.
  • Every apply runs `terraform plan` first — you see the exact diff and blast radius before approval.
  • Write credentials are minted via STS with a 15-minute TTL. The token is gone before you finish reading this sentence.
  • A rollback plan is generated BEFORE the apply runs. If anything looks off mid-flight, one click reverses it.
What we do

Concrete commitments, not marketing bullets.

Every item below maps to an enforcement point in the platform. Ask us for the architecture diagram if you want to see exactly where each control lives.

Read-only IAM role you grant — and revoke

Crewlo connects via a role provisioned by a CloudFormation template you apply to your account. The trust policy is scoped to our principal with an External ID. You can detach the role any time; access stops the same second.
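A check you could run over the role's two policy documents before applying a template like this, as an added example (not Crewlo's code or its actual template). It confirms that every allowed action is a Describe / List / Get call and that the trust policy requires an External ID; the sample policies, account ID and External ID are constructed.

```python
READ_PREFIXES = ("describe", "list", "get")  # IAM action names are case-insensitive

# Constructed sample documents, not Crewlo's real template.
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "iam:GetRole"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:StopInstances"},  # planted write
]}
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}},
]}

def as_list(value):
    """IAM allows a single item wherever it allows a list."""
    return value if isinstance(value, list) else [value]

def non_read_actions(policy):
    """Return every allowed action that is not service:Describe*/List*/Get*."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:  # Allow + NotAction grants everything but the listed actions
            findings.append("NotAction")
        for action in as_list(st.get("Action", [])):
            service, _, name = action.partition(":")
            # Flags "*", "svc:*" and any name whose fixed prefix is not a read verb.
            if "*" in service or not name.lower().startswith(READ_PREFIXES):
                findings.append(action)
    return findings

def principals_without_external_id(trust):
    """Return principals allowed to assume the role with no sts:ExternalId condition."""
    missing = []
    for st in as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if not any(key.lower() == "sts:externalid" for key in equals):
            missing.append(st.get("Principal"))
    return missing

if __name__ == "__main__":
    print("non-read actions:", non_read_actions(PERMISSIONS))
    print("principals lacking ExternalId:", principals_without_external_id(TRUST))
```

An empty result from both functions is what the claim on this page implies; the prefix test checks the action names only, so review the Get* entries separately for data you would not want read.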

Every API call is logged

Timestamp, AWS API action, resource ARN, response status, requesting agent, and authorizing user. Append-only, immutable, exportable to your SIEM. You can review every call we have ever made on your behalf.

Tier-3 writes use a separate role

The default read-only role cannot be escalated. To apply changes you create a separate IAM role with write permissions, and only when you actually want to remediate something. Detach it whenever you want.

15-minute STS credentials per write

Tier-3 writes don't run with long-lived keys. Crewlo mints scoped, time-bounded credentials via AWS STS that expire 15 minutes after they're issued. The token is gone before you finish reading this sentence.

`terraform plan` review before apply

Every change is rendered as a Terraform plan first. You see the exact diff and the blast radius (which resources, which AZs, which dependents) before you can click approve. No silent edits, ever.

Auto-generated rollback plan

Before an apply runs, Crewlo generates the inverse plan. If anything looks off mid-flight or the change misbehaves, one click reverses it. We don't ship a remediation feature without its rollback.

What we don’t have yet

We’d rather be early and honest than late and vague.

Crewlo is in active development. Here’s what we don’t have today, and where we’re heading.

Reporting a security issue

If you believe you’ve found a vulnerability in Crewlo, please email security@crewlo.dev with a description of the issue and, if possible, a proof of concept. We’ll acknowledge within one business day.

We follow responsible disclosure: we’ll work with you on a coordinated timeline, credit you publicly if you want to be credited, and we won’t take legal action against good-faith security research. Please give us a reasonable window to fix before disclosing.

For urgent issues affecting customer cloud accounts, mark the subject line with [URGENT].