Integration security
Our integration with your AWS environment relies on a secure cross-account IAM role that you deploy.
- Cross-Account IAM Role: Resides within your AWS management account.
- Unique External ID: The role’s trust policy includes a unique external ID known only to Milkstraw.ai, preventing confused-deputy attacks and verifying the call origin.
- Temporary Credentials: We utilize temporary AWS STS credentials for each API call, avoiding the use of long-lived access keys.
Transfer security
Onboarding and offboarding (accounts with savings) are managed through secure, controlled steps.
- Invite-Only: You initiate the transfer by creating an AWS Organizations invite for each milkbox account we provide.
- Single-Action Acceptance: Milkstraw AI accepts the invite from within the milkbox account; no other permissions are exchanged.
- Revocable: You can instantly detach a milkbox by removing the invite in AWS Organizations.
Least-privilege policy
MilkStraw AI operates with minimal necessary permissions to perform its function.
- Read-Only Role: We use a single read-only IAM role.
- No Resource Modification: This role can only monitor your usage and cost data; it cannot start, stop, or modify any of your resources.
- Limited Scope: The scope is limited strictly to the AWS APIs required for cost coverage analysis.
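An added example, not Milkstraw's own code: a customer-side check of the two policy documents described under "Integration security" and "Least-privilege policy", confirming that the role's trust policy pins the external ID and that its permissions policy grants only read-style actions. The account ID, external ID, policy contents and the Get/List/Describe naming heuristic are assumptions made for the example.

```python
import json

# Constructed sample documents; the account ID, external ID and actions are
# placeholders for illustration, not values published by the vendor.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")
PERMISSIONS_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["ce:GetCostAndUsage", "organizations:ListAccounts", "ec2:StopInstances"],
  "Resource": "*"}]}
""")
READ_PREFIXES = ("Get", "List", "Describe")  # heuristic; may over-flag some read APIs

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account, external_id):
    """Return findings for Allow statements that weaken the external-ID check."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if not principals or any(p != vendor_account and f":{vendor_account}:" not in p for p in principals):
            findings.append(f"statement {i}: principal is not limited to the vendor account")
        # Only an exact StringEquals match counts; StringLike or a missing condition is flagged.
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if pinned != external_id:
            findings.append(f"statement {i}: sts:ExternalId is not pinned with StringEquals")
    return findings

def non_read_actions(policy):
    """Return allowed actions whose operation name is not Get*/List*/Describe*."""
    flagged = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            operation = action.split(":", 1)[-1]
            if not operation.startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged
```

On the sample documents the trust policy produces no findings, while the permissions policy is flagged for `ec2:StopInstances`, an action a read-only role should not carry.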
MilkBoxes isolated by design
MilkBoxes are engineered to be entirely separate from your existing environment.
- Zero-Access Architecture: They operate outside your VPCs, IAM roles, and networks.
- No Data Paths: There are no data paths between MilkBoxes and your workloads—only billing linkage.
- One-Way Isolation: You also have no access to MilkBoxes, which prevents potential lateral movement risks.
Reset-before-reuse
When a milkbox is no longer needed in your organization, it undergoes a thorough reset process.
- When your on-demand capacity or savings needs change, we remove the milkbox from your organization.
- The account is subjected to a “factory reset,” deleting all residual configuration and metadata.
- An account is only eligible to join another customer’s organization after this complete reset.
Underlying safeguards
Our technical operations incorporate standard security best practices.
- Encryption: All control-plane communication with AWS over the cross-account role uses TLS 1.2 or higher encryption.
- Auditability: Every action performed by Milkstraw AI is logged in your AWS CloudTrail for full auditability.
- Best Practices: Our controls are designed in alignment with AWS Well-Architected principles and CIS benchmarks.