Create Join Link in Guard3r
Security Model
This guide explains exactly what happens when you create a Guard3r cross-account connection: what is deployed in your AWS account, what Guard3r can read, what Guard3r cannot change, and why the trust boundaries are important for security and audit-readiness.
Process Overview
You provide your AWS account ID. Guard3r generates a one-time onboarding intent, a tenant-scoped external ID, and a CloudFormation quick-create link.
You open the link in AWS and deploy a small stack that creates an IAM role for Guard3r to assume. This role includes an external ID condition in its trust policy.
Guard3r tests role assumption and regional discovery. If validation succeeds, you activate the connection and scans begin on the configured cadence.
What It Does
Guard3r collects AWS configuration and posture metadata to build findings, task guidance, and evidence artifacts for security and audit preparation workflows.
Access Rights
Guard3r is designed for least-privilege, read-focused collection. The role exists in your account and can be revoked at any time.
| Area | Guard3r Access | Why It Is Needed |
|---|---|---|
| Trust | AssumeRole with tenant-specific external ID | Ensures only Guard3r for your tenant can assume the role. |
| AWS APIs | Read/list/describe/get style calls for supported services | Collects posture metadata for findings and evidence. |
| Data Mutation | No infrastructure remediation actions by default | Keeps customer change control and approvals in your hands. |
| Application Payloads | Metadata-oriented evidence model | Supports zero-PHI / low-data-footprint operating posture. |
Why It Matters
External ID plus explicit trust policy protects against confused-deputy style role assumption risks.
You can see connection lifecycle state, validate results, and revoke the role relationship when needed.
Findings, tasks, and evidence stay linked to execution context for clean internal and auditor review.
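To make the external ID condition concrete, here is an added example (not Guard3r's own code) of a check a customer could run against the trust policy document of the deployed role. The principal ARN, account ID and external ID are constructed placeholders, and the check assumes a single expected principal.

```python
# Added example: audit an IAM role trust policy for the external ID guard.
# All ARNs, account IDs and external IDs below are constructed placeholders.

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_principal, expected_external_id):
    """Return a list of problems; an empty list means the policy passed."""
    problems = []
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and ASSUME_ACTIONS & {a.lower() for a in _as_list(s.get("Action"))}]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if aws != [expected_principal]:
            problems.append(f"statement {i}: principal {aws} is not exactly the expected one")
        # Only an exact StringEquals match counts; StringLike or a missing
        # condition lets a caller assume the role without the tenant's ID.
        pinned = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if pinned != [expected_external_id]:
            problems.append(f"statement {i}: sts:ExternalId is not pinned to the expected value")
    return problems

PRINCIPAL = "arn:aws:iam::111122223333:root"      # placeholder vendor principal
EXTERNAL_ID = "tenant-example-external-id"        # placeholder external ID

def _policy(principal, condition):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

GOOD = _policy({"AWS": PRINCIPAL}, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy({"AWS": PRINCIPAL}, None)
WILDCARD = _policy("*", {"StringLike": {"sts:ExternalId": "tenant-*"}})

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no external id", NO_EXTERNAL_ID), ("wildcard", WILDCARD)]:
        print(name, "->", audit_trust_policy(doc, PRINCIPAL, EXTERNAL_ID) or "OK")
```

The check compares condition keys and values exactly, so a policy that spells the key with different casing is reported for manual review rather than passed.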
Next Step
Create your Guard3r account, open the guided link, deploy the role stack, then validate and activate.