AWS Connection

Secure connection via IAM Cross-Account. No access keys shared.

Overview

SnoozeDB connects to your AWS account using the standard IAM Cross-Account mechanism. You never share your access keys: a dedicated IAM role is created in your account via CloudFormation.

Access is temporary, renewed for each operation, and expires automatically. No keys are stored.

[Diagram: SnoozeDB obtains temporary access through secure authentication to an IAM role (least privilege) in your AWS account, and uses that access to start / stop RDS.]

1-click deployment

A CloudFormation template is automatically generated for your account. Deploy it from the AWS console; no manual configuration is required.

What the template creates

  • A dedicated IAM role with strictly limited permissions
  • A security policy restricted to the 4 required RDS actions

IAM Permissions

The role follows the principle of least privilege. Only 4 actions are authorized:

IAM Action                 Purpose
rds:DescribeDBInstances    List and scan RDS instances
rds:ListTagsForResource    Read tags to apply exclusion rules
rds:StartDBInstance        Start an instance according to the schedule
rds:StopDBInstance         Stop an instance according to the schedule

Security guarantees

  • No AWS access keys are stored or transmitted
  • Access is temporary and expires automatically
  • The IAM role is protected against unauthorized third-party access
  • You can revoke access at any time by deleting the role in your AWS console
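
One way to check a deployed role against the guarantees above, as an added example that is not SnoozeDB's code or template: it audits the role's permission policy against the four listed actions and its trust policy for a pinned account and an sts:ExternalId condition. The account ID, External ID and sample documents are constructed placeholders, since the page does not show the generated template.

```python
# Added example: offline audit of a cross-account role's two policy documents.
ALLOWED = {"rds:describedbinstances", "rds:listtagsforresource",
           "rds:startdbinstance", "rds:stopdbinstance"}  # the 4 actions, lowercased

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements that exceed the four RDS actions."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append("NotAction allows everything except the listed actions")
        for action in as_list(st.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in ALLOWED:  # IAM action names are case-insensitive
                findings.append(f"unexpected action: {action}")
    return findings

def audit_trust(trust, vendor_account):
    """Findings for a trust policy not pinned to one account plus an External ID."""
    findings = []
    for st in as_list(trust["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn != vendor_account and not str(arn).startswith(f"arn:aws:iam::{vendor_account}:"):
                findings.append(f"unexpected principal: {arn}")
        if not arns:
            findings.append("no AWS principal")
        equals = st.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in equals.items()):
            findings.append("no sts:ExternalId condition")
    return findings

# Constructed samples: placeholder account ID and External ID, not real values.
VENDOR = "111111111111"
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
OPEN_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["rds:DescribeDBInstances", "rds:*", "rds:DeleteDBInstance"]}]}
```

To run it against the deployed role, pass in the documents returned by `aws iam get-role` (the AssumeRolePolicyDocument field) and by `aws iam get-role-policy` or `aws iam get-policy-version`; an empty list from both functions means nothing was flagged.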

Understand the mechanism in detail

To learn exactly how AWS STS AssumeRole works, why we use an External ID, and what happens technically during each operation, read our dedicated article: STS AssumeRole explained step by step.