Your cloud.
Your rules.

Liberra reads your AWS account. Nothing changes until you say so. Here is exactly how that works.

Connection

How Liberra connects

You deploy a CloudFormation stack in your AWS account. That stack creates one IAM role. Liberra uses that role and nothing else.

Your account, your role
The IAM role lives in your AWS account. You own it. Liberra never touches credentials directly.

External ID
The role requires a unique ID tied to your Liberra account. Without it, nothing can assume the role, including anyone who compromises Liberra.

1-hour sessions
Every session token expires after 60 minutes and rotates automatically. No long-lived credentials stored anywhere.

Revoke in seconds
Delete the CloudFormation stack. Access is gone immediately. No action needed on our end.
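
The checks above, as an added example (not Liberra's code and not taken from the security repo): a Python audit you can run over the `Role` object returned by `aws iam get-role` for the role the stack creates, confirming that the trust policy requires an exact external ID and that the role caps sessions at one hour. The sample role is constructed, with a placeholder account ID and external ID, and the names `audit_role` and `as_list` are hypothetical.

```python
import json

# Constructed sample: the account ID and external ID are placeholders.
SAMPLE_ROLE = json.loads("""
{
  "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
    }]
  }
}
""")

def as_list(value):
    """IAM lets Statement, Action and principals be a single item or a list."""
    return value if isinstance(value, list) else [value]

def audit_role(role, max_session=3600):
    """Return findings for a dict shaped like the Role object from `aws iam get-role`."""
    findings = []
    if role.get("MaxSessionDuration", 3600) > max_session:
        findings.append("MaxSessionDuration allows sessions longer than %d s" % max_session)
    for i, stmt in enumerate(as_list(role["AssumeRolePolicyDocument"]["Statement"])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append("statement %d: wildcard principal" % i)
        # Only an exact-match operator counts; condition key names are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid", []))
        if not ext or any(not e for e in ext):
            findings.append("statement %d: no exact sts:ExternalId condition" % i)
    return findings

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE) or "trust policy OK")
```

An empty list means every statement that allows `sts:AssumeRole` is bound to an external ID and the role cannot issue sessions longer than 3600 seconds.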

Access levels

Free vs Pro

Two clear modes. No surprises.

Free
Read-only. Nothing changes.

Inventory, costs, security checks. Liberra reads your account and tells you what it finds. Nothing changes.

Enforced in application code on every request.

Pro
Writes need your approval.

Liberra proposes the action and shows you exactly what will happen. You click Approve or Reject. Nothing runs until you say so.

Every write, every deploy, every change.

Approval flow

Every write requires approval

Before anything changes in your account, you see exactly what will happen. Not a summary. The actual resource, the actual action.

Pending Approval
Launch EC2 instance (t3.medium) in us-east-1
~$30/mo · 2 vCPU · 4 GB RAM
Approve
Reject

Hard blocks

What is permanently blocked

These operations are blocked before they ever reach AWS. No confirmation flow, no override. They simply do not run.

ec2.terminate_instances
rds.delete_db_instance
s3.delete_bucket
s3.delete_objects
dynamodb.delete_table
lambda.delete_function
cloudtrail.delete_trail
cloudtrail.stop_logging
guardduty.delete_detector
cloudformation.delete_stack
+ 52 more. Full list in the security repo.

Six services are blocked entirely: organizations, sts, account, sso, sso-admin, identitystore.

Verify it yourself
github.com/williamjosephxp/liberra-security

The exact IAM policy every user gets. The full blocked operations list. The enforcement code. All public, nothing redacted.