Get Started
Free.
7-day free trial. 100k tokens. Connect your AWS account and ask plainfra anything.
Read-Only Access
plainfra never modifies your infrastructure
Your Data Stays in AWS
No data leaves your account boundary
2 Minutes to Connect
One CloudFormation stack, that's it
Get Started Free
7-day trial, 100k tokens, no card required.
Free trial — get started in minutes
Verify Your Card
Your card will be verified but not charged during the trial.
Connect Your AWS Account
Grant plainfra read-only access to account .
Your API key will be emailed once your card is verified.
Deploy the role
Below are two ways to deploy the read-only IAM role into your account. Choose whichever you prefer.
Option A: CloudShell (recommended)
Make sure you're logged into your AWS Console in this browser, then click "Copy & Open CloudShell" below. Paste with Ctrl+V and press Enter. Takes about 60 seconds.
Option B: CloudFormation Stack
Opens the AWS CloudFormation console with the template pre-filled. Review the stack details and click Create stack.
Deploy via CloudFormation
What does this role do?
plainfra needs a read-only IAM role to query your infrastructure. Every permission is listed explicitly — no write access, no secrets, no application data can be read. An explicit Deny block prevents reading your data under any circumstances.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  plainfra — Read-Only Cross-Account Infrastructure Role.
  Every permission is explicitly listed. An explicit Deny block prevents
  reading S3 objects, DynamoDB rows, log events, secret values, parameter
  values, queue messages, and encrypted data.
# Role can only be assumed by plainfra account + your unique ExternalId.
# MaxSessionDuration: 1 hour.
# POLICY 1 — Infrastructure Discovery (Allow)
# Grouped by service. Covers EC2, Lambda, ECS, EKS, S3 (metadata only),
# RDS, DynamoDB (metadata only), ElastiCache, Redshift, CloudWatch,
# CloudWatch Logs (structure only), IAM (metadata only), CloudTrail,
# Config, GuardDuty, SecurityHub, AccessAnalyzer, KMS (metadata only),
# Secrets Manager (list only), SSM (parameter names only), CloudFront,
# Route53, ACM, WAF, SNS, SQS (no message retrieval), EventBridge,
# Kinesis (no record retrieval), CloudFormation, Cost Explorer,
# Trusted Advisor, AWS Health, Organizations, Resource Tags.
# POLICY 2 — Explicit Data Access Denial (Deny — always wins)
# s3:GetObject / GetObjectVersion — cannot read file contents
# dynamodb:GetItem / Query / Scan — cannot read table data
# secretsmanager:GetSecretValue — cannot read secret values
# ssm:GetParameter / GetParametersByPath — cannot read secure strings
# logs:GetLogEvents / FilterLogEvents — cannot read log content
# kms:Decrypt / GenerateDataKey — cannot decrypt anything
# kinesis:GetRecords — cannot read stream data
# sqs:ReceiveMessage — cannot read queue messages
# lambda:InvokeFunction — cannot execute functions
# ec2:GetConsoleOutput / GetPasswordData — cannot access VM consoles
# rds-data:ExecuteStatement — cannot run SQL queries
Want to verify? Paste the template into ChatGPT or Claude and ask it to explain exactly what this role can and cannot do.
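A programmatic way to check the Deny list above against the policy documents actually attached to the deployed role (an added example, not plainfra's own code). The names `audit`, `REQUIRED_DENIES` and `WEAK_POLICIES` are hypothetical, the sample policies are constructed, and only identity policies are evaluated (no SCPs, permission boundaries or resource policies).

```python
import fnmatch

# Actions the page lists under POLICY 2. Expanding its shorthand
# ("GetObjectVersion", "Query") with the service prefix is an assumption.
REQUIRED_DENIES = [
    "s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem",
    "dynamodb:Query", "dynamodb:Scan", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParametersByPath", "logs:GetLogEvents",
    "logs:FilterLogEvents", "kms:Decrypt", "kms:GenerateDataKey",
    "kinesis:GetRecords", "sqs:ReceiveMessage", "lambda:InvokeFunction",
    "ec2:GetConsoleOutput", "ec2:GetPasswordData", "rds-data:ExecuteStatement",
]

def as_list(value):
    """IAM allows a bare string or object wherever a list is accepted."""
    return [] if value is None else value if isinstance(value, list) else [value]

def covered(action, patterns):
    """IAM action names are case-insensitive; * and ? are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policies):
    """Check identity policy documents against the page's Deny list."""
    denies, allows = [], []
    for doc in policies:
        for stmt in as_list(doc.get("Statement")):
            actions = as_list(stmt.get("Action"))
            if stmt.get("Effect") == "Allow":
                # An Allow using NotAction has no Action list: treat it as "*".
                allows += actions or ["*"]
            elif not stmt.get("Condition") and "*" in as_list(stmt.get("Resource")):
                # Only a Deny on every resource with no Condition always wins.
                denies += actions
    missing = [a for a in REQUIRED_DENIES if not covered(a, denies)]
    return {"missing_deny": missing, "readable": [a for a in missing if covered(a, allows)]}

# Constructed sample: the Deny omits s3:GetObjectVersion and conditions the
# logs Deny, while the Allow side uses broad wildcards.
WEAK_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "logs:*", "ec2:Describe*"], "Resource": "*"}]},
    {"Statement": [
        {"Effect": "Deny", "Resource": "*",
         "Action": [a for a in REQUIRED_DENIES if not a.startswith(("logs:", "s3:GetObjectV"))]},
        {"Effect": "Deny", "Resource": "*", "Action": "logs:Get*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ]},
]

if __name__ == "__main__":
    print(audit(WEAK_POLICIES))
```

An empty `missing_deny` list means every data-access action named on this page is blocked unconditionally; anything in `readable` is both undenied and granted by an Allow statement.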
Verify connection
Once the stack shows CREATE_COMPLETE in CloudShell or CloudFormation, click below.
You're Connected!
Your API key and setup details have been sent to your email. Check your inbox to get started.
Check your email
Your API key, External ID, and getting-started instructions have been emailed to .
Payment Received!
Your account is being activated. This usually takes a few seconds.
Go to plainfra Console
Payment Cancelled
Your account has been created but is not yet active. You can complete payment later.
Try Again