Security & Permissions

Blackbox Auditor was founded by IT security audit professionals who understand how third-party audits work. We designed our tool with security and minimal access in mind.

Read-Only Access Only

Blackbox Auditor requires read-only access and makes no modifications to your AWS environment. The role it assumes carries only the AWS-managed SecurityAudit policy, which grants List, Describe, and Get style permissions and no permission to create, modify, or delete AWS resources.

Required Permissions

Blackbox Auditor uses the AWS-managed SecurityAudit policy, which provides all necessary permissions for audit evidence collection.

AWS Managed Policy: SecurityAudit

This policy (arn:aws:iam::aws:policy/SecurityAudit) grants read-only access to the security-relevant configuration of resources across AWS services. AWS designed and maintains the SecurityAudit managed policy specifically for this purpose.

  • Read-only access to the configuration of IAM, CloudTrail, Config, Security Hub, and most other AWS services (EC2, S3, RDS, Lambda, KMS, and more)
  • Configuration metadata only: no data-plane reads such as S3 object contents, Secrets Manager secret values, or KMS decryption
  • No ability to modify, create, or delete resources
  • Standard AWS policy used by auditors globally
  • Regularly updated by AWS to cover new services; because the policy can change under you, review its version history in the IAM console if you need to know exactly what it grants today

Deployment Model

Blackbox Auditor connects to your AWS environment using a cross-account IAM role—the standard, secure method for third-party access.

Cross-Account IAM Role

The account being audited (your own, or a client's) creates an IAM role whose trust policy names Blackbox Auditor's AWS account as the only principal allowed to call sts:AssumeRole on it.

  • You control the role and can revoke access at any time by editing the trust policy or deleting the role
  • Trust policy limits who can assume the role to Blackbox Auditor's AWS account only
  • No agents or software installed in your environment
  • No long-lived credentials stored: each scan uses temporary STS credentials returned by AssumeRole, which expire automatically

Setup Overview

High-level steps (detailed instructions provided during sign-up):

  1. Create a cross-account IAM role in your AWS account
  2. Attach the SecurityAudit managed policy to the role
  3. Configure the role's trust policy so that only Blackbox Auditor's AWS account can assume it
  4. Provide the role ARN to begin scans
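The four steps above, carried out from the audited account's side, as an added example. This is not Blackbox Auditor's own setup code: it assumes a placeholder vendor account ID (111122223333), a placeholder role name (BlackboxAuditorRole), and a per-customer external ID, which the page does not mention but which is the standard safeguard against the confused-deputy problem for third-party cross-account roles. Substitute the values you receive during sign-up. The script runs offline: it builds the trust policy document, lints it for anything that would widen who can assume the role, and prints the aws CLI commands for an operator to run (and the two commands that revoke access again).

```python
"""Build and sanity-check the cross-account role that Blackbox Auditor assumes.

Added example, not Blackbox Auditor's own code. VENDOR_ACCOUNT_ID, EXTERNAL_ID
and ROLE_NAME are placeholders (assumed, not from the page); substitute the
values you receive during sign-up. Runs offline: it only builds and lints JSON
policy documents and prints the aws CLI commands for the operator to run.
"""
import json

VENDOR_ACCOUNT_ID = "111122223333"      # placeholder: Blackbox Auditor's AWS account ID
EXTERNAL_ID = "example-external-id"     # placeholder: per-customer external ID (assumed)
ROLE_NAME = "BlackboxAuditorRole"       # placeholder role name
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy allowing only the vendor account to assume the role, and only
    when it presents the agreed external ID (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(doc: dict, vendor_account_id: str) -> list[str]:
    """Flag anything in a trust policy that lets more than the vendor assume the role."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*", or a dict keyed by AWS/Service/Federated.
        extra = set(principal) - {"AWS"} if isinstance(principal, dict) else set()
        if extra:
            findings.append(f"non-AWS principal types {sorted(extra)} in trust policy")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        if "*" in aws:
            findings.append("principal is '*': any AWS account could assume the role")
        for p in aws:
            if p != "*" and vendor_account_id not in p:
                findings.append(f"principal {p} is not the vendor account")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for a in actions:
            if a not in ("sts:AssumeRole", "sts:TagSession"):
                findings.append(f"unexpected action {a} in trust policy")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def setup_commands(role_name: str, vendor_account_id: str, external_id: str) -> list[str]:
    """aws CLI commands for the setup steps: create the role with its trust policy,
    attach SecurityAudit, then read back the role ARN to hand to the vendor."""
    doc = json.dumps(trust_policy(vendor_account_id, external_id))
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{doc}'",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {SECURITY_AUDIT_ARN}",
        f"aws iam get-role --role-name {role_name} --query Role.Arn --output text",
    ]


def revoke_commands(role_name: str) -> list[str]:
    """Revocation is entirely on your side: detach the policy and delete the role."""
    return [
        f"aws iam detach-role-policy --role-name {role_name} --policy-arn {SECURITY_AUDIT_ARN}",
        f"aws iam delete-role --role-name {role_name}",
    ]


if __name__ == "__main__":
    policy = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print("trust policy findings:", trust_policy_findings(policy, VENDOR_ACCOUNT_ID) or "none")
    print("\n".join(setup_commands(ROLE_NAME, VENDOR_ACCOUNT_ID, EXTERNAL_ID)))
    print("\n".join(revoke_commands(ROLE_NAME)))
```

Run trust_policy_findings against the trust policy you actually deployed (aws iam get-role returns it under Role.AssumeRolePolicyDocument) before handing over the ARN; an empty list means only the named vendor account, presenting the agreed external ID, can assume the role.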

Data Handling & Retention

We take data handling seriously. Audit evidence is generated on-demand and retention is controlled by you.

Output Format

Scan results are delivered in HTML format, designed for easy review and inclusion in audit workpapers.

Retention Options

Each scan can be configured in one of two retention modes:

  • No retention — Evidence is delivered directly to you and is not stored by Blackbox Auditor
  • Optional retention — Evidence is stored for up to 14 days, then automatically deleted

Your Control

You decide whether evidence is retained. No data is stored without explicit consent.

Important Notes

  • Read-only access — Blackbox Auditor cannot modify your AWS environment
  • Compliance support — Audit evidence supports SOC 2, ISO 27001, PCI DSS, and HIPAA assessments
  • API rate limits — The tool respects AWS API rate limits and includes appropriate pagination
  • No agents — Nothing is installed in your AWS accounts

See the Evidence Without the Risk

Read-only access means you can evaluate Blackbox Auditor with confidence.