Connector Permissions

Read-only access designed for evidence collection

Cloudryption connectors are designed to collect only the metadata needed to model cloud risk, identity exposure, data posture, reachability, and remediation impact.

Access model

Standard Cloudryption onboarding uses customer-created, scoped, read-only access. Write permissions are not required for standard inventory, graph building, attack path analysis, reporting, or CID recommendations.

Provider | Access type | Purpose | Write access?
AWS | Read-only IAM role or equivalent scoped role | Inventory, IAM, network, storage, compute, security findings, and relationship metadata | No for standard discovery
Azure | Reader-style scoped access, plus Security Reader-style permissions where approved | Subscriptions, resources, identities, role assignments, NSGs, data stores, posture signals | No for standard discovery
GCP | Viewer/Security Reviewer-style scoped service account where approved | Projects, IAM bindings, compute, storage, networks, logging/security posture signals | No for standard discovery
Kubernetes | Read-only ClusterRole where enabled | Cluster inventory, namespaces, workloads, service exposure, RBAC, and configuration context | No for standard discovery

Collection categories

  • Asset inventory — resources, regions, accounts/projects/subscriptions, tags, states, and ownership metadata.
  • Identity and access — users, roles, service accounts, policies, bindings, group relationships, and privilege indicators.
  • Network reachability — VPC (AWS), VNet (Azure), and VPC network (GCP) topology, subnets, routes, public exposure, firewall and security-group rules.
  • Data posture — buckets, databases, warehouses, encryption posture, public access, backup/logging signals, and sensitivity hints.
  • Security findings — provider-native security findings and vulnerability metadata where available and authorized.

What Cloudryption does not need for standard discovery

  • Administrative write access.
  • Access to raw customer database records.
  • Access to application source code.
  • Access to secrets or private keys.
  • Packet capture or runtime process telemetry.

Customer control

Customers can limit Cloudryption by provider, account, project, subscription, region, environment, and module. Permission scope can be reviewed before onboarding and reduced when a module is not required.
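The review that the access model and the "does not need" list above imply, as an added example: a script a customer can run against a candidate AWS connector role before onboarding. It is not Cloudryption-published code or policy. It flags every Allow grant that is not a recognised read verb, every read-shaped action that returns data, code or secrets rather than metadata (the kind of access the list above says standard discovery does not need), and a trust policy that lets anyone other than the expected principal assume the role or omits an sts:ExternalId condition. The vendor role ARN, external ID and both sample policies are constructed placeholders, and the assumption that onboarding uses a cross-account role with an external ID is standard third-party practice rather than something this page states. The content-reading action list is illustrative, not exhaustive, and the check deliberately errs towards false positives: anything it does not recognise as read-only is reported for a human to look at.

```python
# Added example, not Cloudryption-published code or policy. Sample policies,
# account ID, role name and external ID below are constructed placeholders.
import fnmatch

# Verb prefixes (after "service:") that only read control-plane state.
# Lower-case because IAM matches action names case-insensitively.
READ_VERB_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search", "view")

# Read-shaped actions that return data, code or secrets rather than metadata.
# A metadata-only connector has no need for them. Illustrative, not exhaustive.
CONTENT_READING_ACTIONS = (
    "s3:GetObject",                                           # object contents
    "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query",    # table records
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "kms:Decrypt",
    "lambda:GetFunction",        # response includes a presigned URL to the code package
)


def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only_pattern(action):
    """True only if every action the pattern can match is a read verb."""
    _service, sep, verb = action.partition(":")
    if not sep or not verb:
        return False                                      # bare "*" or malformed
    literal = verb.split("*", 1)[0].split("?", 1)[0]      # "Describe*" -> "Describe", "*" -> ""
    return literal.lower().startswith(READ_VERB_PREFIXES)


def audit_permissions_policy(policy):
    """Return (statement_index, action, reason) for each Allow that is not a metadata-only read."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                                      # Deny never widens access
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "Allow with NotAction grants everything not listed"))
            continue
        for action in _as_list(stmt.get("Action")):
            # A wildcard such as "s3:Get*" looks read-only but also covers GetObject.
            hits = [a for a in CONTENT_READING_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), action.lower())]
            if hits:
                findings.append((idx, action, "reads content or secrets: " + ", ".join(hits)))
            elif not _is_read_only_pattern(action):
                findings.append((idx, action, "not a recognised read-only verb"))
    return findings


def audit_trust_policy(trust, expected_principals):
    """Flag AssumeRole grants to unexpected principals or without sts:ExternalId."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in aws:
            if p == "*" or p not in expected_principals:
                findings.append((idx, p, "principal not in the expected set"))
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append((idx, "Condition", "no sts:ExternalId condition (confused deputy)"))
    return findings


# Constructed placeholders: not a real vendor account, role or external ID.
VENDOR_ROLE_ARN = "arn:aws:iam::111122223333:role/connector-placeholder"

SAMPLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [             # clean metadata reads
            "ec2:Describe*", "iam:Get*", "iam:List*", "rds:Describe*",
            "s3:ListAllMyBuckets", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock",
            "s3:GetEncryptionConfiguration", "securityhub:GetFindings"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:Get*", "ssm:GetParameter"]},  # content
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},     # wildcard verb
        {"Effect": "Allow", "Resource": "*", "NotAction": "iam:*"},  # inverted grant
        {"Effect": "Deny", "Resource": "*", "Action": "*"},          # ignored
    ],
}

SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": VENDOR_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "customer-chosen-external-id"}},
    }],
}

if __name__ == "__main__":
    for finding in audit_permissions_policy(SAMPLE_PERMISSIONS):
        print("permissions:", finding)
    for finding in audit_trust_policy(SAMPLE_TRUST, {VENDOR_ROLE_ARN}):
        print("trust:", finding)
```

On the sample policy the first statement passes, the second is reported twice (s3:Get* because it covers s3:GetObject, and ssm:GetParameter because it returns parameter values), the third for the ec2:* wildcard and the fourth for the NotAction grant; the Deny statement is ignored. The check reads action names only: it does not evaluate Resource scoping, permissions boundaries or SCPs, so a clean result means "no write-capable or content-reading verbs", not "least privilege achieved".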

Need this in your enterprise security review?

Cloudryption can provide a security packet, technical walkthrough, and pilot evidence pack for your evaluation process.