Two roles, two responsibilities
| Role | Required | Responsibility |
|---|---|---|
wasteless-readonly | Yes | Describe, Get and List for collection and detection |
wasteless-remediation | No | AWS actions explicitly allowed by policy |
Writes fail if
AWS_WRITE_ROLE_ARNis not configured.STS sessions are temporary and identifiable in CloudTrail.
ExternalId is recommended when the caller is in another account.
Source credentials follow the standard AWS chain and only need permission to assume the roles.
Controls fit the action path
Dry-run is on by default and auto-remediation is off by default. Whitelists, confidence, allowed schedules, rate limits and resource preconditions complete the policy depending on action type.
| Action | Execution | Recovery |
|---|---|---|
| Stop EC2 | Direct AWS | Can be started again |
| Terminate EC2 | Direct AWS | Destructive |
| Delete EBS | Snapshot-first remediator | Manual recreation from snapshot |
| Migrate gp2 to gp3 | Remediator | No automatic rollback |
| Delete NAT or load balancer | Remediator | Destructive |
| Downsize, snapshot, EIP, VPC | Manual | Depends on external runbook |
Data, audit and the LLM layer
Inventory, recommendations and history remain in your self-hosted PostgreSQL.
Actions and state changes feed an audit trail.
The LLM is optional, called through LiteLLM and never decides, authorizes or executes an action.
A hosted model receives prompt context. Ollama can keep processing local when that fits your policy.
Protect the UI in production
- Ports 8888 and 5432 not exposed
- Valid TLS and tested access control
- Remediation role absent when unnecessary
- Auto-remediation off during evaluation
- Steampipe aligned to the read-only role
- Secrets outside Git with restricted permissions
- CloudTrail and Wasteless logs retained according to policy
Responsibility boundary
| Wasteless provides | Your team configures |
|---|---|
| Separated roles and fail-closed writes | Trusted principal, ExternalId and IAM scope |
| Dry-run and action policies | Enabled actions, whitelist, schedules and thresholds |
| Application audit history | Retention, backups, access and CloudTrail correlation |
| Loopback binding by default | Proxy, authentication, VPN, TLS and firewall |