Cross-account IAM role
GuardKite scans your AWS account through a single read-only IAM role. This page is the reference for the role itself — what's in it, how to deploy it manually, and how to revoke it.
For the access model and overall security posture, see What GuardKite needs from your account.
What the role contains
The role's policy grants only Describe*, List*, and Get* style permissions across the AWS services GuardKite scans. No create, modify, or delete permissions; no permissions to read application data inside resources.
The trust policy:
- Names GuardKite's AWS account as the only principal allowed to assume the role.
- Requires an External ID unique to your tenant on every assume-role call.
Download the full template to review the exact policy before deploying:
Download CloudFormation template
Automatic deployment
When you link an AWS account through the GuardKite UI, the wizard generates a CloudFormation deep-link with the External ID and template URL pre-populated. One click in the AWS console deploys the role.
See Link your first AWS account for the full onboarding flow.
Manual deployment
To deploy the role with your own automation (Terraform, a CI pipeline, a manually-uploaded stack):
- Download the CloudFormation template.
- Copy the External ID from the wizard's Detailed Steps panel.
- Deploy the template in your preferred tool, supplying the External ID as a stack parameter.
- Verify the stack reaches CREATE_COMPLETE.
The next scan will successfully assume the role.
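As an added example (not GuardKite's own code or template), the following offline check confirms that a deployed role matches the contract described on this page: it parses the role's trust policy and permissions policy documents and flags any principal other than the scanner account, a missing sts:ExternalId condition, and any action that is not Describe*/List*/Get*-style. The account ID, the External ID and the root-ARN form of the principal are assumptions.

```python
"""Offline check of a scanner role's trust and permissions policies (added example, not
GuardKite's own tooling). The sample documents are constructed; IDs are placeholders."""

READ_ONLY_VERBS = ("Describe", "List", "Get")  # the action prefixes the page describes


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(trust_doc, expected_account, expected_external_id):
    """Return problems with the trust policy; an empty list means it matches the contract."""
    stmts = _as_list(trust_doc.get("Statement"))
    findings = [] if stmts else ["trust policy has no statements"]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"unexpected statement: {stmt.get('Action')}")
            continue
        principal = stmt.get("Principal")  # assumed form: {"AWS": "arn:aws:iam::<account>:root"}
        allowed = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if allowed != [f"arn:aws:iam::{expected_account}:root"]:
            findings.append(f"principal is not exactly the scanner account: {allowed}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings


def non_read_only_actions(policy_doc):
    """Return every allowed action that is a wildcard or not Describe*/List*/Get*-style."""
    bad = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                bad.append(action)
    return bad


# Constructed samples: a matching trust policy, and a permissions policy that wrongly
# mixes write-capable actions in with the read-only ones (placeholder IDs throughout).
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
SAMPLE_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "iam:GetRole", "iam:PassRole", "s3:*"]}]}

if __name__ == "__main__":
    print(trust_policy_findings(SAMPLE_TRUST, "111111111111", "EXAMPLE-EXTERNAL-ID"))  # []
    print(non_read_only_actions(SAMPLE_PERMS))  # ['iam:PassRole', 's3:*']
```

To run it against a live role, feed it the documents returned by `aws iam get-role` and `aws iam get-role-policy` (or the template's own policy JSON) instead of the samples.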
Revoking access
The role exists in your account. Two equivalent ways to revoke:
- Delete the CloudFormation stack that created the role.
- Delete the IAM role directly from the IAM console.
After revocation, GuardKite can't assume the role and the next scan fails. The account is marked disconnected in the platform until the role is restored or the account is removed from GuardKite.