Managing AWS accounts

The AWS Accounts page lists every account connected to your tenant. Open it from Settings → AWS Accounts in the sidebar.

For onboarding a new account, see Add additional AWS accounts. This page focuses on managing accounts that are already linked.

What the list shows

Each row covers one linked AWS account:

  • Account ID — the 12-digit AWS Account ID.
  • Alias — a human-friendly name (e.g. prod, acme-staging). Empty until set.
  • Connection Status — whether GuardKite can assume the IAM role in the account right now. Connected (green) or Disconnected (red).
  • Last Checked at — when the most recent scan attempt ran.
  • Scanning Enabled — whether scans are currently set to run for this account. Enabled (green) or Paused (red).
  • Manage — expands a per-row form to edit settings.

Adding, editing, and removing accounts is restricted to admins. A member can view the list but can't make changes.

Editing an account

Click Manage on a row to expand the edit form:

  • Alias — set or change the human-friendly name. Saved on Update.
  • Status — toggle scanning on or off for this account. Paused accounts keep their existing findings but won't refresh them on the daily scan.

The AWS Account ID can't be changed after creation.

When Connection Status is red

A red icon means the most recent scan attempt couldn't assume the GuardKite IAM role in the linked AWS account. Common causes:

  • The CloudFormation stack (and its IAM role) was deleted in AWS.
  • The role's trust policy was edited so it no longer trusts GuardKite's account, or the External ID was changed.
  • A managed policy attached to the role was modified and now denies actions GuardKite needs.

Fix the underlying issue in AWS — usually by redeploying the CloudFormation stack — and the next scan re-establishes the connection.
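To tell the trust-policy cause apart from the others before redeploying, the role's trust policy can be checked offline. The following is an added example, not GuardKite's own code: the vendor account ID, External ID and sample policy are constructed placeholders, and it does not cover the deleted-stack or managed-policy causes.

```python
import json

# Constructed placeholders (assumptions): substitute the vendor account ID and
# External ID shown during your own onboarding.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from an IAM ARN principal, or the bare 12-digit ID."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def check_trust_policy(policy, vendor_account, external_id):
    """Classify a role trust policy: ok, principal-not-trusted,
    external-id-mismatch, or external-id-missing."""
    result = "principal-not-trusted"
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in _as_list(stmt.get("Action"))
                or vendor_account not in [_account_of(p) for p in aws]):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid"))
        if external_id in ids:
            return "ok"
        # Trusted with no External ID still connects, but loses the
        # confused-deputy protection the External ID provides.
        result = "external-id-mismatch" if ids else "external-id-missing"
    return result

# Constructed sample: trust policy whose External ID was edited after onboarding.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "edited-by-mistake"}}}]}""")

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE, VENDOR_ACCOUNT, EXTERNAL_ID))
```

The policy to pass in is the `AssumeRolePolicyDocument` field returned by `aws iam get-role` for the role in the linked account.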

Removing an account

Click Manage, then Delete in the expanded form. The account and its findings are removed from GuardKite.

This does not delete the IAM role in your AWS account. To fully revoke GuardKite's access, delete the CloudFormation stack (or the IAM role itself) on the AWS side.