Docs

Connect AWS. Run your first scan.

Follow the in-app workflow to create a read-only role, connect an AWS account, and review your first infrastructure findings.

01 · Getting started

Every step happens inside the dashboard.

The in-app onboarding generates workspace-specific values (external ID, IAM trust JSON) so they stay in sync with what the platform expects. We don't reproduce those values here.

01

Create your account

Start free in under a minute. No card, no demo gating. Your workspace is provisioned the moment you confirm your email.
Start Free
02

Land in your workspace

Your first workspace is created on first sign-in. The dashboard opens to the Overview surface, which guides you through the next four onboarding milestones.
Open the dashboard
03

Connect an AWS account

Inside the dashboard, the onboarding hero walks you through the read-only AssumeRole setup. The flow generates your workspace's external ID, lists the exact AWS-managed read-only policies to attach, and verifies the trust relationship before saving the account.
Open the connect flow
04

Run your first scan

Once the account is connected, run an inventory scan from /dashboard/cost-analyzer or /dashboard/resource-inventory. The scan enqueues a job; the async processor picks it up and writes findings + resource snapshots to your workspace.
Cost Analyzer
05

Review findings

Open /dashboard/findings. Each row shows severity, lifecycle state (Detected / Assigned / Ignored / Resolved), the affected resource, and inline actions. Click into a resource to see all findings + recommendations against it.
Open findings
06

Assign and resolve

Use the lifecycle controls inline on each finding row to mark it Resolved or Ignored. Assignments, comments, and the workspace activity feed close the remediation loop.
Open assignments
02 · Using modules

Eight cloud intelligence modules.

Each module is a dedicated dashboard page with its own findings, recommendations, scan freshness, and a Run scan action.

Resource Inventory

Search every AWS resource across accounts and regions. Drill into a resource for tags, findings, recommendations, and change history.
Open in dashboard

Cost Analyzer

Spend by service and account, top savings opportunities, anomalies, and exports. Apply filters or run a fresh scan from the module page.
Open in dashboard

Identity & Access

Risky IAM, stale access keys, KMS, secrets, and policy posture. Findings carry severity and remediation guidance.
Open in dashboard

Network Exposure

Public routes, internet-facing resources, DNS exposure, and edge-protection coverage across accounts.
Open in dashboard

Containers & Serverless

ECS, EKS, ECR, Lambda, DynamoDB, API Gateway, queues, and orchestration findings grouped by workload.
Open in dashboard

Audit & Compliance

CloudTrail, AWS Config, AWS Backup, and native AWS security signals (Security Hub, GuardDuty, Inspector, Macie on Enterprise).
Open in dashboard

Operations & Reliability

Alarms, log groups, backup health, target health, and failed workflows across your fleet.
Open in dashboard

Enterprise Intelligence

Organization-wide visibility, native security integrations, edge protection, and data-platform coverage.
Open in dashboard
03 · Cost Analyzer in depth

Filter, export, and understand savings.

The Cost Analyzer page combines spend visualization, findings, and exports. Filters live in the URL so a view is shareable.

Filtering cost findings

Open the Filters menu in /dashboard/cost-analyzer to filter by severity, status, AWS account, region, search query, and minimum monthly savings. Filters are URL-driven so the view is shareable.

Exporting CSV

Use Export → Export filtered cost findings as CSV to download the currently visible findings as a spreadsheet.

Exporting PDF savings reports

Use Export → Export savings report as PDF to generate a printable summary with top services, top accounts, and the highest-impact opportunities.

Understanding estimated savings

Every savings figure is an estimate — treat it as a directional ceiling. Rightsizing and Cost Optimization Hub figures come from AWS's own recommendation APIs; unattached-EBS and idle-NAT figures use standard published list prices (not your region-specific or negotiated rates), so actual savings depend on your pricing and on cleanly removing or rightsizing the resource.

Budgets, Reserved Instances, Savings Plans, Cost Optimization Hub

Cost Analyzer reads from Cost Explorer (spend + rightsizing recommendations), AWS Budgets (flags accounts with none configured), Reserved Instance expirations, Savings Plans utilization, and Cost Optimization Hub. Findings from these combine with the unattached-EBS, idle-NAT, and cost-concentration checks into one ranked list.
04 · Automation

Turn findings into workflows.

Open /dashboard/automation to schedule recurring scans, refresh recommendations, alert teammates, and run cleanup sweeps.

Scheduled scans

Run inventory and cost scans on a daily, weekly, or monthly cadence. Defaults are provisioned the moment you connect an AWS account.

Critical finding alerts

Refresh recommendations on a tight cadence so newly-detected critical findings are surfaced within minutes.

Cost anomaly alerts

Compare current spend against your recent baseline and open anomalies when something spikes.

Weekly executive reports

Roll up trends, savings, and findings into a digest your stakeholders read on Monday morning.

Auto-assign findings

Route new work to owners by severity, service, account, or module.

Cleanup reminders

Surface unattached EBS, idle NAT gateways, old access keys, and unused load balancers so they don't accumulate.
05 · Plans and limits

Scan limits, account limits, retention by plan.

Module access, scan volume, account count, seat count, and history retention vary by plan. The pricing page has the full comparison table.

Free

1 AWS account, 1 seat, 1 scan/day, 7 days of findings history. Resource Inventory and a lite version of Cost Analyzer.

Command

Up to 5 connected AWS accounts, unlimited paid seats, unlimited scans, 90 days of history. Adds Network Exposure, Containers & Serverless, basic automation, CSV exports, and saved views.

Control

Up to 15 connected AWS accounts, unlimited paid seats, unlimited scans, unlimited history. Adds Identity & Access, Audit & Compliance, Operations & Reliability, advanced automation, alerts, cross-account intelligence, executive reporting, and priority support.

Enterprise

Custom accounts, custom seats, custom scan volume, custom retention. Adds Enterprise Intelligence (AWS Organizations, native security integrations, data-platform coverage), dedicated support, and SLA options. SSO/SAML is available by arrangement (roadmap).
06 · Security model

Read-only, externally gated, and revocable.

Security details live on the dedicated security page. The high-level model is summarized here.

Read-only AWS access

trueno never asks for AWS access keys. The role you create in your AWS account attaches AWS-managed read-only policies only.

STS AssumeRole + external ID

Each workspace generates a unique external ID. AssumeRole calls are gated on this external ID so the confused-deputy pattern is defeated at the AWS layer.

Server-side AWS SDK

AWS SDK code runs server-side only. The build blocks any regression that would leak AWS SDK code into a client bundle.

Revoking access

Delete the IAM role you created in AWS and AssumeRole calls return AccessDenied immediately. You don't need to file a support request to disconnect.
07 · IAM & permissions

What trueno can see, and how to scope it.

A read-only, externally gated role; the exact policy JSON + external ID live in the in-product connect flow (single source of truth).

A role, never access keys

You create one IAM role in your account with a trust policy that lets trueno's AWS principal assume it. trueno calls STS AssumeRole at scan time for short-lived credentials. There are no long-lived keys to leak or rotate.

AWS-managed read-only policies

The role attaches AWS-managed read-only policies (e.g. SecurityAudit + ViewOnlyAccess) plus a small grouped inline policy for a few list/describe actions those don't cover. No write, no data-plane read (no S3 object contents, no DB rows), only configuration metadata.

The external-ID handshake

Your workspace generates a unique external ID. The role's trust policy requires it on every AssumeRole, which defeats the confused-deputy problem: another trueno tenant can't trick AWS into assuming your role.

Verified before it's saved

On connect, trueno runs per-check diagnostics: it confirms the role assumes, that GetCallerIdentity returns your account, and that key read permissions resolve. The account isn't marked connected until these pass.

Per-module data sources

Each module reads specific services: Identity & Access reads IAM/KMS/Secrets; Network Exposure reads VPC/EC2/ELB; Cost Analyzer reads Cost Explorer/Budgets/Savings Plans; and so on. The read-only policy set covers all of them.

Coverage + closing permission gaps

If the role can't reach a service, the scan records it as a permission gap instead of failing silently. The in-product Coverage page surfaces a coverage-confidence score and the exact IAM actions to add, so you can run least-privilege and widen only where needed.
08 · Integrations

Connect Slack, on-call, ticketing, and the API.

Route alerts to Slack (channel + 1:1 DM), page PagerDuty/Opsgenie on SEV1, file findings as GitHub/Jira/Linear tickets, and pull data out via the public REST API + webhooks. Step-by-step setup for each lives in the integrations guide.

Integration setup guide

Slack channel alerts + bot-token DMs, PagerDuty/Opsgenie keys, GitHub/Jira/Linear tokens, API keys, and signed webhooks, with the exact scopes and where to find each value.
Open the integrations guide

API reference

Read-only REST over findings, recommendations, resources, and accounts. Bearer-key auth, endpoints, response schemas, webhooks, and the OpenAPI 3.1 spec: the full reference.
Open the API reference
Support

Need help?

Best-effort across all tiers; priority support on Control. The support page lists what to include in a request and how to reach real engineers.

Stuck in the workflow?

Start a free workspace and follow the inline guidance, or open support with your workspace id + the step you're on. We don't gate first-scan questions behind a paid tier.