Least-privilege by default
Encore analyzes your code to understand exactly what each service accesses. IAM policies are generated automatically with only the permissions needed.
- ✓Service-to-service permissions
- ✓Database access (RDS/Cloud SQL)
- ✓Pub/Sub topic permissions
- ✓Object storage (S3/GCS) access
Security without the guesswork
Encore analyzes your code to understand exactly what each service accesses: which databases, which pub/sub topics, which secrets, which external APIs. It then generates IAM policies that grant exactly those permissions and nothing more.
- •Least-privilege by default
- •Policies update when code changes
- •No manual policy writing
- ✓Service-to-service permissions
- ✓Database access (RDS/Cloud SQL)
- ✓Pub/Sub topic permissions
- ✓Object storage (S3/GCS) access
- ✓Secrets Manager access
- ✓Cache (ElastiCache/Memorystore) access
How it works
When you deploy, Encore analyzes your code to build a permission graph. Each service gets its own IAM role with only the permissions it actually uses.
Code Analysis
Encore parses your code to understand which resources each service uses.
Policy Generation
IAM policies are generated with minimum required permissions.
Automatic Updates
When your code changes, permissions are updated on the next deploy.
Built for compliance
Least-privilege access is emphasized in SOC 2, HIPAA, and other compliance frameworks. With Encore, you get it automatically without dedicated security engineering time.
Audit logs track all permission changes, and the permission model is fully transparent. You can inspect exactly what access each service has.
Learn about infrastructure config →Compliance frameworks supported
- ✓SOC 2 Type II
- ✓HIPAA
- ✓GDPR
- ✓ISO 27001
