Platformr Demo

Free Evaluation Access

Overview

Platformr’s free Evaluation Tool uses a secure cross-account role, which is temporarily assumed by platformr to perform a configuration inventory and environment evaluation. This process is designed with a least-privilege, read-only access model, targeting only the AWS management account to audit settings against established best practices.

The evaluation tool cannot make any changes to your AWS account and remains active for only 15 minutes. If you need to start or rerun an evaluation after the time window has expired, you’ll be guided through a simple reactivation process via our web console.

Activation

Activation is Platformr’s process for enabling a time-boxed, least-privilege, read-only cross-account role that conducts the evaluation. If you are running activation under a free trial evaluation, you are given a 15-minute window in which Platformr can conduct an evaluation.

Note

Running activation requires that you have the ability in the management account to create IAM roles and policies. Additionally, you will need to have access granted to the AWS CloudShell.

To start or restart another evaluation, select the Evaluate button in the top right corner and then select Refresh evaluation. It is also recommended that you be logged into the AWS management account in the same browser in which you are logged into the Platformr portal.

Evaluate Button

A modal will pop up with instructions to copy the activation command and then click Continue to AWS CloudShell. This will open a new tab in the same browser window to the AWS CloudShell console.

AWS CloudShell

Note

The activation command contains specific parameters to help enforce security. One of the parameters includes the expected AWS account ID which the evaluation should be run under. If the account isn’t the same as the parameter, the activation process will fail.

For security purposes, the activation command can be used to extract the URL for local download and viewing. The script download utilizes AWS signed URLs and must be accessed within one hour of generation in the Platformr console. An example of downloading and viewing the activation script is provided below highlighted in red.

 

To proceed with activation, the activation script copied from the Platformr portal must be pasted into the AWS CloudShell. Upon successful activation, an output similar to the screenshot below will be displayed.

Platformr Authentication

After the AWS CloudShell console activation process is complete, you can jump back to the portal.platformr.cloud console. You should see your dashboard updated and the timer in the top right corner green and set to the remaining time.

After your activation time has expired you will see in the top right-hand corner the timer icon go to red with a zero displayed. 

Disconnected Status

If you attempt to run an evaluation at this point, Platformr will prompt you to run the activation process again. To run activation again, all you need to do is repeat the process exactly like you did the first time you ran activation. 

Security Considerations

At Platformr, security is treated as the highest priority. Understanding that customers entrust the company with mission-critical workloads and sensitive data, Platformr implements security practices that go above and beyond industry standards to protect cloud infrastructure and data.

Specifically, platformr:

  • Minimizes trust exposure: Any cross-account access — such as between a customer account and Platformr’s AWS environment — is time-limited and tightly scoped.
  • Reduces role privileges: Even when access is required, roles are limited to read-only permissions unless absolutely necessary.
  • Implements strong temporal boundaries: As seen in this IAM policy, access is restricted to a precise 15-minute window, minimizing the risk of misuse or compromise.
  • Protects the AWS Management Account: platformr understands that the Management Account in an AWS Organization holds elevated privileges and is a potential high-risk target. Therefore, platformr takes extra precautions by ensuring minimal, time-boxed, and auditable access.

IAM Policies

Each time the activation process runs, it checks for the existence of the platformrEvaluation role. If activation finds an existing role, it removes all attached policies and deletes the role. Once the role is deleted, or if the role did not exist, the activation process creates the platformrEvaluation role, attaches specific IAM managed policies, creates a custom policy, and creates a trust policy. These are all attached to the platformrEvaluation role to give it read-only, least-privilege access.

Note

The platformrEvaluation role can be deleted once you are done with your evaluation. Running Platformr’s activation process will simply create it again if you choose to update your evaluation.

AWS Managed Policies

These managed AWS IAM policies enable platformr to perform a read-only evaluation of a customer's AWS environment without granting access to any customer workload data, ensuring both transparency and strong security boundaries. Here's a quick summary of what each policy allows:

  • ViewOnlyAccess: Grants broad read-only access across AWS services, allowing platformr to inspect configuration and usage metadata without the ability to modify resources or access sensitive data.
  • AWSBillingReadOnlyAccess: Provides visibility into billing and cost-related information, helping platformr assess cost optimization opportunities without touching customer workloads.
  • AWSCloudFormationReadOnlyAccess: Allows platformr to review infrastructure as code (IaC) templates and stack configurations, enabling architecture reviews without deployment permissions.
  • AWSOrganizationsReadOnlyAccess: Enables viewing of the AWS Organization's structure (accounts, OUs, policies) to understand governance setups — with no ability to alter organizational settings.
  • AWSSSOReadOnly: Grants visibility into AWS Single Sign-On configuration and assignments, supporting security posture evaluation around identity without any access to actual user sessions or data.
  • IAMReadOnlyAccess: Allows inspection of IAM roles, policies, users, and groups to ensure best practices — with no capability to change permissions or assume roles.

Platformr Managed Policies

To limit access to specific required IAM actions, Platformr creates a customer managed policy named DONOTUSEME-PlatformrEvaluationPolicy. This policy has limited read-only actions on specific AWS services. Platformr creates this managed policy each time activation runs for the evaluation. Please do not attach this policy to anything else as it is deleted and recreated each time activation is run.  

Role Permissions

Trust Policy Summary

The screenshot shows an AWS Identity and Access Management (IAM) Trust Policy under the Trust relationships tab of a specific IAM role. This policy grants temporary permission for a specific AWS account to assume the role, but with a strict time constraint to enhance security.

The example trust policy uses the following configuration:

  • Principal: A root user from a specific AWS account (arn:aws:iam::<ACCOUNT_ID>:<PRINCIPAL>) is allowed to assume this role.
  • Action: sts:AssumeRole – grants the ability to assume this role.
  • Condition: The role can only be assumed within a very specific 15-minute time window. Example:
      • Start: 2025-05-14T21:59:24Z
      • End: 2025-05-14T22:14:24Z

This is a time-boxed trust relationship, ensuring access is valid only for a short, pre-defined window — a strong security best practice for minimizing risk exposure during sensitive operations.
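
One way to check, from the customer side, that a role's trust policy matches the time-boxed model described above. This is an added example, not Platformr's own code: the account ID 111122223333 is a placeholder, and the DateGreaterThan/DateLessThan operators on aws:CurrentTime are an assumption, since the page gives only the start and end times.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the policy described above. The account ID is a
# placeholder; the operator/key names are assumed, not copied from the screenshot.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
        "DateGreaterThan": {"aws:CurrentTime": "2025-05-14T21:59:24Z"},
        "DateLessThan": {"aws:CurrentTime": "2025-05-14T22:14:24Z"}}}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bounds(condition, operator):
    """Parsed aws:CurrentTime values under one operator (key names are case-insensitive)."""
    block = {k.lower(): v for k, v in condition.get(operator, {}).items()}
    return [datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for t in _as_list(block.get("aws:currenttime", []))]

def audit_trust_policy(policy_json, expected_account, max_window=timedelta(minutes=15)):
    """Return findings; an empty list means every Allow statement fits the documented model."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append("principal is not limited to AWS account principals")
        else:
            for arn in _as_list(principal["AWS"]):
                # A principal is either a bare account ID or arn:aws:iam::<id>:<resource>.
                account = arn.split(":")[4:5] if arn.startswith("arn:") else [arn]
                if account != [expected_account]:
                    findings.append(f"unexpected principal {arn}")
        cond = stmt.get("Condition", {})
        starts, ends = _bounds(cond, "DateGreaterThan"), _bounds(cond, "DateLessThan")
        if not starts or not ends:
            findings.append("assume-role window is not bounded on both sides")
        # Multiple values are ORed, so the effective window is earliest start to latest end.
        elif max(ends) - min(starts) > max_window:
            findings.append(f"window is {max(ends) - min(starts)}, longer than {max_window}")
    return findings
```

The input is the AssumeRolePolicyDocument that `aws iam get-role --role-name platformrEvaluation` returns for the role; pass the account ID you expect to see as the trusted principal.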