Security

Uptime Scheduler is built on a simple principle: your infrastructure data stays in your AWS account. The scheduler runs inside your account, not ours.

Architecture overview

When you connect an AWS account, Uptime Scheduler provides a CloudFormation template that you deploy into your own AWS environment. You review the template, decide when to deploy it, and retain full control throughout.

All scheduling actions — starting and stopping EC2 instances, RDS databases, ECS services, and NAT Gateways — are executed by Lambda functions running inside your account. These Lambda functions are created by the CloudFormation stack and run under an IAM role that you own.

We do not have standing access to your infrastructure. Every action taken by the scheduler is logged in your own AWS CloudTrail, giving you a complete audit trail that you control.

Runs in your account

All scheduling logic executes in Lambda functions inside your own AWS account.

No credential storage

We never store, transmit, or have access to your AWS access keys or secret credentials.

Auditable

All start/stop actions appear in your AWS CloudTrail. You own the audit log.

Minimal permissions

IAM roles are scoped to describe and manage only the resource types you schedule.

IAM permissions

The CloudFormation stack creates an IAM role with the minimum permissions needed for scheduling to function. The permissions are narrowly scoped to the AWS services and actions the scheduler needs. You review these before deploying.

Required permissions by resource type:

EC2

ec2:DescribeInstances
ec2:StartInstances
ec2:StopInstances
ec2:DescribeTags

RDS

rds:DescribeDBInstances
rds:DescribeDBClusters
rds:StartDBInstance
rds:StopDBInstance
rds:StartDBCluster
rds:StopDBCluster
rds:ListTagsForResource

ECS

ecs:DescribeServices
ecs:UpdateService
ecs:ListClusters
ecs:ListServices
ecs:ListTagsForResource

NAT Gateway

ec2:DescribeNatGateways
ec2:CreateNatGateway
ec2:DeleteNatGateway
ec2:DescribeSubnets
ec2:DescribeAddresses
ec2:AllocateAddress
ec2:AssociateAddress
ec2:DescribeTags

CloudWatch (for schedule monitoring)

cloudwatch:PutMetricData
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents

Data we collect and store

To operate the scheduling service, we store the following in our systems:

Your AWS account IDs (to identify which accounts you've connected)
Resource identifiers (e.g. EC2 instance IDs, RDS identifiers) for scheduled resources
The schedule tags you've configured
Scheduling execution logs (start/stop events, timestamps)

We do not store the contents of your workloads, application data, secrets, environment variables, or anything running on your infrastructure.

Encryption

All data in transit between your browser, our API, and your AWS account is encrypted using TLS 1.2 or higher. Data at rest in our systems is encrypted using AES-256.

Security contact

To report a security vulnerability or ask a security question, email security@uptimescheduler.com. We take all security reports seriously and will respond within 48 hours.