Security

Exactly what we access.
Nothing more.

We built ThinCost for developers who read fine print. So here it is, in full.

How data flows

1. Your AWS account: Cost Explorer API — the same API you'd call manually to view your bill.

2. Read-only IAM role: Created by you, in your account, via CloudFormation. You own it and can delete it at any time.

3. ThinCost pulls cost data: Once per week (Monday mornings). We call GetCostAndUsage and GetCostAndUsagePremium. That's it.

4. Analysis runs: We compute anomalies and savings opportunities from the cost numbers.

5. Report lands in your inbox: Plain-English summary, sent to the email you registered with.

What we access

Cost Explorer — GetCostAndUsage

Monthly spend totals by service. The same view as your AWS billing console.

Cost Explorer — GetCostAndUsagePremium

Service-level breakdown for the current and previous month. Used to detect anomalies.

STS — AssumeRole

Used to temporarily assume your read-only role when we pull your data. No long-lived credentials.

What we never access

Your EC2 instances, RDS databases, S3 buckets

We have no IAM permissions to read or modify any compute or storage resources.

Your application data or logs

No CloudWatch, no CloudTrail read access, no access to anything your application stores.

Your IAM users or policies

We cannot create, modify, or read other IAM principals in your account.

Your VPC, networking, or security groups

We cannot see or touch your network configuration.

What we store

We store the following in our database (Supabase, hosted on AWS):

  • Your email address
  • Your AWS account ID (12-digit number — not secret)
  • The ARN of the read-only IAM role you created
  • Aggregated cost totals by month and service (dollar amounts, not raw billing records)
  • Generated reports — the plain-English analysis we sent you

We do not store raw AWS billing data, detailed usage records, or any resource-level data from your account.

The IAM role ThinCost uses

The CloudFormation template creates a role with exactly two permissions:

  • ce:GetCostAndUsage
  • ce:GetCostAndUsagePremium

The role uses an ExternalId condition — it can only be assumed by ThinCost using your specific account token. No other party can assume it, even if they know the ARN.

You can delete the CloudFormation stack at any time to immediately revoke all access. No support ticket needed — it takes about 30 seconds.
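To make the role described above concrete, here is an added illustrative CloudFormation template (not ThinCost's published template) that creates a read-only role with the two Cost Explorer actions and the ExternalId trust condition. ThinCostAccountId and ExternalId are placeholder parameters standing in for the values the vendor supplies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Illustrative read-only Cost Explorer role with an ExternalId condition.
  Example only; not the vendor's published template.

Parameters:
  ThinCostAccountId:
    Type: String
    Description: Placeholder for the vendor's AWS account ID (supplied by the vendor).
    AllowedPattern: '^[0-9]{12}$'
  ExternalId:
    Type: String
    NoEcho: true
    Description: Placeholder for the per-customer ExternalId token (supplied by the vendor).

Resources:
  CostReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the vendor account may assume the role, and only
      # when it presents the ExternalId tied to this customer. Knowing the
      # role ARN alone is not sufficient to assume it.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ThinCostAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Permissions policy: exactly the two Cost Explorer read actions named
      # on this page. No EC2, S3, RDS, CloudWatch, CloudTrail or IAM actions.
      Policies:
        - PolicyName: CostExplorerReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ce:GetCostAndUsage
                  - ce:GetCostAndUsagePremium
                Resource: '*'

Outputs:
  RoleArn:
    Description: Share this ARN with the vendor; deleting the stack revokes access.
    Value: !GetAtt CostReadOnlyRole.Arn
```

After deploying, you can confirm the trust policy as actually created with `aws iam get-role --role-name <name>`; the returned AssumeRolePolicyDocument should carry the `sts:ExternalId` condition and name only the vendor account as principal.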

View the full CloudFormation template on GitHub.

Questions?

Email us at hello@thincost.com. We'll respond with specifics, not marketing copy.