Trust and control

Detect read-only, authorize action separately

Wasteless separates AWS observation from remediation. This boundary limits authority during evaluation and makes every access expansion explicit.

Verified against the product code11 minCloud security and CTOs

Two roles, two responsibilities

RoleRequiredResponsibility
wasteless-readonlyYesDescribe, Get and List for collection and detection
wasteless-remediationNoAWS actions explicitly allowed by policy
  • Writes fail if AWS_WRITE_ROLE_ARN is not configured.

  • STS sessions are temporary and identifiable in CloudTrail.

  • ExternalId is recommended when the caller is in another account.

  • Source credentials follow the standard AWS chain and only need permission to assume the roles.

Controls fit the action path

Dry-run is on by default and auto-remediation is off by default. Whitelists, confidence, allowed schedules, rate limits and resource preconditions complete the policy depending on action type.

ActionExecutionRecovery
Stop EC2Direct AWSCan be started again
Terminate EC2Direct AWSDestructive
Delete EBSSnapshot-first remediatorManual recreation from snapshot
Migrate gp2 to gp3RemediatorNo automatic rollback
Delete NAT or load balancerRemediatorDestructive
Downsize, snapshot, EIP, VPCManualDepends on external runbook

Data, audit and the LLM layer

  • Inventory, recommendations and history remain in your self-hosted PostgreSQL.

  • Actions and state changes feed an audit trail.

  • The LLM is optional, called through LiteLLM and never decides, authorizes or executes an action.

  • A hosted model receives prompt context. Ollama can keep processing local when that fits your policy.

Protect the UI in production

  • Ports 8888 and 5432 not exposed
  • Valid TLS and tested access control
  • Remediation role absent when unnecessary
  • Auto-remediation off during evaluation
  • Steampipe aligned to the read-only role
  • Secrets outside Git with restricted permissions
  • CloudTrail and Wasteless logs retained according to policy

Responsibility boundary

Wasteless providesYour team configures
Separated roles and fail-closed writesTrusted principal, ExternalId and IAM scope
Dry-run and action policiesEnabled actions, whitelist, schedules and thresholds
Application audit historyRetention, backups, access and CloudTrail correlation
Loopback binding by defaultProxy, authentication, VPN, TLS and firewall
View source on GitHub