AssumeRole + external ID
trueno never asks for long-lived AWS keys. Each workspace generates a unique external ID. The IAM trust policy you create in your AWS account names the trueno principal and the external ID as a condition. On each scan, the platform calls sts:AssumeRole with that external ID and uses the short-lived credentials STS returns.
Read-only by design
The role attaches four AWS-managed read-only policies (SecurityAudit, ViewOnlyAccess (job-function), AWSBillingReadOnlyAccess, ComputeOptimizerReadOnlyAccess) plus a grouped inline policy covering newer services those four don't reliably reach (Inspector, Macie, Shield, WAF, Network Firewall, Glue, Athena, MSK, OpenSearch, Step Functions, Backup, FSx, Global Accelerator). Every action is list/describe/get of configuration metadata. The trueno SDK code never invokes a write API. Revoking access is a one-step IAM-role deletion in your AWS console.
Server-side AWS SDK
Every file that imports @aws-sdk/* begins with import "server-only". This guarantees SDK code cannot accidentally end up in a client bundle, and the build fails if a regression tries to leak it.