Cross Account Role
GuardKite uses a secure, read-only IAM role to scan your AWS account for security and compliance insights. This role allows GuardKite to retrieve configuration details about your AWS resources without making any modifications.
Overview
When you link your AWS account to GuardKite, which is done during the onboarding step, a CloudFormation stack is deployed that creates an IAM role with the necessary permissions. This IAM role:
- ✅ Has read-only permissions – it can view but not modify, delete, or create any AWS resources.
- ✅ Uses an External ID – ensuring a secure, scoped role assumption process.
- ✅ Follows the principle of least privilege – only the required permissions are granted.
For more details on the permissions GuardKite requires, you can download and review the CloudFormation template below.
📥 Download CloudFormation Template
Security Considerations
- 🔒 External ID Usage – GuardKite enforces the use of an External ID when assuming your IAM role, preventing unauthorized cross-account access.
- 🔒 No Write Permissions – The IAM role is strictly read-only.
- 🔒 Revoking Access – If you ever need to remove GuardKite’s access, simply delete the IAM role or CloudFormation stack from your AWS account.
Deploying the IAM Role Manually
If you prefer not to use the automatic deployment process, you can manually deploy the IAM role by following these steps:
- Download the CloudFormation template from the link below.
- Log in to your AWS account and navigate to the CloudFormation console.
- Click Create Stack and upload the template.
- Review the permissions and ensure the External ID is used during setup.
- Deploy the stack and verify that its status is CREATE_COMPLETE.
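The review in step 4 can be partly automated. The following added example (not GuardKite's code or template) checks a role's trust policy for the two properties listed under Security Considerations: assumption is restricted to a specific account and conditioned on an External ID, and the attached permissions are read-only by action name. The policy documents, account ID and External ID below are constructed placeholders; in practice you would feed in the output of `aws iam get-role` and `aws iam get-role-policy`.

```python
# Constructed sample trust policy in the shape a cross-account scanner's
# CloudFormation template would produce (placeholder account ID and External ID).
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed sample permissions policy for the role (hypothetical action set).
PERMISSIONS_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucketPolicy"],
        "Resource": "*",
    }],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

def trust_policy_findings(policy):
    """Flag Allow statements lacking a specific principal or an sts:ExternalId condition."""
    findings = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust policy allows any AWS principal")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("role assumption is not conditioned on sts:ExternalId")
    return findings

def write_actions(policy):
    """Return allowed actions not named Describe*/Get*/List* (heuristic; still review manually)."""
    offending = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action", [])):
            _, _, name = action.partition(":")  # "s3:*" and a bare "*" both fail the check below
            if not name.startswith(READ_ONLY_PREFIXES):
                offending.append(action)
    return offending
```

An empty result from both functions means the role matches the read-only, External-ID-gated shape described above; any returned finding or action should be reconciled against the template before the stack is deployed.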