AWS infrastructure intelligence · Early access

Operate AWS the way you operate the rest of your stack.

Trueno is a read-only control plane for every AWS account you run. It continuously maps your estate, surfaces what matters — risks, waste, drift, ownership — and gives engineering teams a single place to act, assign, and automate. No agents. Findings and metadata persist to your workspace only.

Request early access · Read the docs
Read-only role · about 3 minutes
  • Read-only by design
  • External-ID gated
  • No long-lived AWS keys
  • Workspace-isolated
  • Server-side AWS SDK
Dashboard preview · your-workspace · production · scanning · us-west-2
  • AWS accounts: 3 connected
  • Resources: 1,284 discovered in this preview
  • Open findings: 47 (6 critical · 12 high)
  • Automation health: OK (0 failures last 24h)
Findings · across 3 accounts · last scan 4m ago
  • Public S3 bucket detected
    s3 · logs-archive · us-east-1
    2m
  • IAM role with AdministratorAccess unused 84d
    iam · deploy-legacy
    11m
  • RDS instance idle 14d — candidate for stop
    rds · db-analytics-warm · us-east-2
    23m
  • NAT Gateway with no egress traffic 72h
    vpc · nat-0a1b2c3d · us-west-2
    41m
  • EBS volume snapshot orphaned
    ec2 · snap-08f4a · 320 GiB · eu-west-1
    1h
  • Security group 0.0.0.0/0 :: 22
    vpc · sg-9a2f7 · attached to 3 ENIs
    1h
Spend · last 7 days · grouped by service: EC2, RDS, S3 (illustrative)
Region activity · resources · live: us-east-1, us-east-2, us-west-2, eu-west-1, eu-central-1, ap-south-1, ap-southeast-2, sa-east-1

Illustrative preview · numbers are demonstrative, not from a real workspace

The state of running AWS

AWS gave you 200 services.
It didn't give you a control plane.

01

The console is a tour, not a map.

Every team runs their own homegrown spreadsheet of accounts, owners, and "who knows about that Lambda." Tags rot. Inventory drifts. The org chart of your AWS doesn't exist anywhere durable.

02

Findings live in five tools that don't agree.

Security Hub, Cost Explorer, Trusted Advisor, Config, your own runbooks. None of them know about each other. By the time signal reaches an engineer, the context is gone.

03

Automation feels too risky to attempt.

Without a read-only baseline, an audit trail, and a rollback story, every “fix this” is a Jira ticket nine months long. You don't write the playbook because nobody trusts the playbook.

The platform

One surface. Four jobs.
Built for the engineers who actually run it.

Trueno is organized around the work — not around AWS services. You observe what you have, analyze what it's costing and risking, run scheduled jobs that close the loop, and bring the right people in when judgment is required.

01 OBSERVE

Every account, every region, one inventory.

Trueno discovers every AWS resource you have — across accounts and regions — and keeps it current with scheduled and on-demand scans. Stale-state detection catches what disappears between runs.

  • Multi-account, multi-region discovery via AssumeRole
  • EC2, EBS, S3, RDS, Lambda, security groups
  • Per-resource metadata, tags, and freshness signals
  • Stale-state detection when resources disappear between scans
Resources · all accounts
Filters: region: any · tag: env=prod · owner: any

Type | ID / Name | Environment | Region | Ownership | Status
EC2 | i-0a72d…be2 | prod · payments-api | us-east-1 | owned · platform | ok
RDS | db-billing-1 | prod · billing | us-east-1 | owned · billing | ok
S3 | logs-archive | - | us-east-1 | unowned | warn
λ | img-resize-v3 | stage · media | us-west-2 | owned · media | ok
VPC | vpc-9a2f7 | shared · network | us-east-1 | owned · platform | ok
IAM | deploy-legacy | - | global | stale 84d | crit
RDS | db-analytics | prod · data | us-east-2 | idle 14d | warn

02 ANALYZE

Resource and cost intelligence, in the same pane.

Cost broken down by service, account, and tag — with findings linked back to the specific resource that drives them. Daily snapshots feed trend windows and anomaly detection.

  • Cost grouped by service, account, and tag
  • Estimated monthly savings on every cost-tagged finding
  • Daily cost / findings / resource snapshots
  • Anomaly detection across 7 / 30 / 90-day windows
Cost · last 7 months · group: service · view: monthly
[Chart: monthly cost, Nov to May, by service: EC2, RDS, S3, other]
Spend drivers · this view · finding-linked
  • EC2 · oversized fleet · warn · right-size candidates: illustrative
  • RDS · idle 14d · crit · stop available
  • NAT Gateway · prod-egress · info · review traffic profile

03 AUTOMATE

Scheduled jobs you can audit, not magic you can't.

Recurring inventory, cost, and recommendation jobs run on a schedule per account. Failures retry with bounded attempts. Every action lands in the workspace activity feed with actor, scope, and outcome.

  • Schedules per account and job type
  • Bounded retries on transient failure
  • Default schedules provisioned on first AWS account
  • Activity feed records every scheduled run
Automation · schedules · Scheduler tick · last 4m ago

Job | Account | Frequency | Last run | Status | Next
Inventory scan | prod-payments | Daily | 23m ago | success | in 23h
Cost scan | prod-payments | Daily | 41m ago | success | in 23h
Recommendation refresh | Workspace-wide | Daily | 1h ago | success | in 22h
Inventory scan | prod-data | Daily | 2h ago | failed | retry queued
Cost scan | prod-data | Daily | never run | - | in 2h

Failures retry with bounded attempts · every action lands in the activity feed
5 schedules · 1 failed last 24h

04 COLLABORATE

Operational trust is a team sport.

Findings get owners, status, and deadlines. Comments thread against the actual resource or finding — not a screenshot in Slack. The workspace-wide activity feed makes "who owned this" answerable in a query.

  • Assign findings, recommendations, and resources to teammates
  • Threaded comments scoped to resources, findings, recommendations
  • Saved views per entity type, private or shared
  • Workspace-wide activity feed with actor, target, and outcome
finding · public-s3-prod-logs · opened 4h ago

Public S3 bucket logs-archive

s3 · us-east-1 · detected from inventory scan · 4h ago
Sasha R. · assigned to @platform
Confirm with Data team before lock-down — there may be an external job reading from this prefix.

Jules C. · resolved
Block-public applied via console; lifecycle policy in place for 90d archival. Marking resolved with audit-trail link.

Security & Architecture

Read-only by default. Every AWS call originates server-side.

Trueno never asks for AWS access keys, never runs an agent in your VPC, and never copies your application data. Security is not a tab on the website — it's how the product is shaped.

How a scan runs · read-only · STS assumed role
[Diagram]
YOUR AWS ORG: prod-payments (412…9183), prod-data (187…4422), staging (920…1057) · TruenoRole · ReadOnly
sts:AssumeRole · short-lived
TRUENO · CONTROL PLANE: Discovery scanner, Findings engine, Scheduler, Activity feed
Hosted on: Vercel · Supabase Postgres

Read-only AWS access

Trueno authenticates via AssumeRole with an external ID. AWS-managed read-only policies attached. No write API is ever called. Delete the IAM role to revoke access entirely.

No long-lived credentials

Every scan assumes a role with short-lived STS credentials. Cross-account access stays in your IAM, your policy, your revocation path.

No agents, no VPC peering

Trueno connects through the AWS APIs from a server-side control plane. Nothing to install in your environment, nothing to patch.

Findings persist; raw data does not

We store findings, resource snapshots, and recommendations in your workspace. We don't read S3 object contents, RDS row contents, or application data.

Workspace-isolated data

Row-level security on every workspace table. A workspace can only see its own data — enforced in the database, not the app.

Activity feed records every action

Status changes, comments, assignments, schedule edits — every mutation lands in the workspace activity feed with actor, target, and outcome.

  • Read-only · by design
  • External-ID · every workspace
  • Server-side · AWS SDK only
  • No SOC 2 yet · early access
  • No HIPAA / ISO · early access
  • No AWS Partner tier · early access

Resources

Operator-grade documentation.

Connect in the dashboard

One workspace, one role, about three minutes.

The in-app onboarding generates your workspace's external ID, lists the AWS-managed read-only policies to attach, and verifies the trust relationship before the first scan runs.

Request early access →
1. Create workspace: Sign up. First workspace is created automatically.
2. Generate external ID: In the dashboard, start the AWS connect flow.
3. Create the read-only role: Trueno shows you the trust policy + the AWS-managed read-only policies to attach in your AWS console.
4. Verify + scan: Trueno calls sts:AssumeRole; first inventory scan runs in the background.
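
The read-only, external-ID-gated role described under Security & Architecture and created in steps 3 and 4 can be checked on your side before the first scan. The following is an added example, not Trueno's code: `audit_role` is a hypothetical helper, and the principal ARN, external ID, and read-only allowlist are placeholders and assumptions to replace with the values your onboarding shows.

```python
# Added example: audit a cross-account role before trusting it to a third party.
# Account ID, external ID and the allowlist below are constructed placeholders.
READ_ONLY_ARNS = {  # assumption: adjust to the policies your onboarding lists
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, attached_arns, expected_principal, expected_external_id):
    """Return a list of problems; an empty list means the role fits the model."""
    problems = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            problems.append(f"statement {i}: wildcard principal")
        elif aws != [expected_principal]:
            problems.append(f"statement {i}: unexpected principal {principal}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append(f"statement {i}: action is not exactly sts:AssumeRole")
        # IAM condition keys are case-insensitive; only an exact-match operator counts.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ext:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ext[0]) != [expected_external_id]:
            problems.append(f"statement {i}: external ID does not match workspace")
    for arn in attached_arns:
        if arn not in READ_ONLY_ARNS:
            problems.append(f"attached policy not on read-only allowlist: {arn}")
    return problems

VENDOR_PRINCIPAL = "arn:aws:iam::111122223333:root"  # placeholder, not Trueno's account
EXTERNAL_ID = "example-workspace-external-id"         # constructed
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR_PRINCIPAL}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, ["arn:aws:iam::aws:policy/ReadOnlyAccess"], VENDOR_PRINCIPAL, EXTERNAL_ID))
    print(audit_role(WEAK_TRUST, ["arn:aws:iam::aws:policy/AdministratorAccess"], VENDOR_PRINCIPAL, EXTERNAL_ID))
```

Feed it the role's trust policy document and attached policy ARNs exported from IAM; a trust policy without the `sts:ExternalId` condition leaves the role open to confused-deputy use by anyone who can act as the trusted principal.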
Connect AWS

Connect your first account.
See your AWS in about four minutes.

Read-only IAM role. No long-lived keys. Delete the role at any time to revoke access. Trueno is in early access — no card, no sales meeting, no demo gating.

Early access · Read-only by design · External-ID gated · Workspace-isolated data