Overview
CloudWizard provides structured visibility into AWS security and compliance posture using AWS-native cross-account access controls.
The platform is designed to deliver continuous posture insight while maintaining strict adherence to least-privilege principles.
No agents are deployed. No infrastructure is modified. No long-lived credentials are required.
All access is explicit, temporary, auditable, and fully revocable.
Access Model
CloudWizard uses AWS cross-account IAM roles in combination with AWS Security Token Service (STS).
Each client provisions a dedicated read-only IAM role within their AWS account. That role:
- Trusts only the CloudWizard AWS account
- Requires a unique External ID
- Grants read-only visibility into configuration metadata
- Can be revoked at any time
CloudWizard assumes this role using short-lived STS credentials that automatically expire. No static access keys are created or stored. Access occurs exclusively through standard AWS API calls.
This model aligns with AWS-recommended cross-account security architecture and is widely used by enterprise security tooling providers and audit firms.
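The following Python is an added example, not CloudWizard's own code or tooling: it shows what the client-side role described above looks like as IAM JSON, and checks that a trust policy and a permissions policy actually match the model (provider account only, External ID required, only Describe/List/Get actions). The provider account ID, External ID and the list of data-plane actions are constructed placeholders and assumptions; the real values are not on this page.

```python
import json

# Constructed placeholder values for illustration only: the real CloudWizard
# account ID and the per-client External ID are not on the page.
PROVIDER_ACCOUNT_ID = "111111111111"        # hypothetical CloudWizard account
EXTERNAL_ID = "cw-client-7f3a-example"      # hypothetical unique per-client value

# Read-only action verbs named on the page; anything else is flagged.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Actions whose verb looks read-only but that return data the page says is out
# of scope (object contents, secrets, parameters). Illustrative, not exhaustive.
DATA_PLANE_READS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "dynamodb:GetItem", "kms:Decrypt",
}


def build_trust_policy(provider_account_id: str, external_id: str) -> dict:
    """Trust policy for the client-side role: only the provider account may call
    sts:AssumeRole on it, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Principal/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_issues(policy: dict, provider_account_id: str) -> list[str]:
    """Return problems with a trust policy (wildcard or unexpected principal,
    missing External ID condition). An empty list means it matches the model."""
    issues = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                issues.append("wildcard principal allows any AWS account to assume the role")
            elif p != provider_account_id and f":{provider_account_id}:" not in p:
                issues.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            issues.append("missing sts:ExternalId condition (confused-deputy protection)")
    return issues


def permission_policy_issues(policy: dict) -> list[str]:
    """Return Allow actions that are wildcards, that are not Describe*/List*/Get*,
    or that read data the posture scope excludes."""
    issues = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                issues.append(f"wildcard action {action}")
            elif action in DATA_PLANE_READS:
                issues.append(f"data-plane read {action} is outside posture scope")
            else:
                _, _, verb = action.partition(":")
                if not verb.startswith(READ_ONLY_PREFIXES):
                    issues.append(f"non-read-only action {action}")
    return issues


if __name__ == "__main__":
    trust = build_trust_policy(PROVIDER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust issues:", trust_policy_issues(trust, PROVIDER_ACCOUNT_ID))
    candidate = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:DescribeInstances", "iam:ListRoles", "s3:GetBucketPolicy",
                   "s3:GetObject", "ec2:AuthorizeSecurityGroupIngress"],
    }]}
    print("permission issues:", permission_policy_issues(candidate))
```

The check on `s3:GetObject` and similar actions is the practical caveat behind "read-only": the Get prefix alone does not keep a role within configuration metadata, so a reviewer should look at what each Get action returns, not just its verb.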
Scope of Access
CloudWizard analyzes infrastructure configuration and security posture data, including:
- IAM role and policy structure
- Encryption enforcement configuration
- Public exposure settings
- Logging and monitoring posture
- Security Hub and GuardDuty findings
- Compliance control alignment
CloudWizard does not access:
- Application payload data
- Database contents
- S3 object contents
- Secrets or credentials
- Runtime workloads
Visibility is limited strictly to configuration metadata required for posture analysis.

Security Controls
Access is governed by the following safeguards:
- Least-privilege permissions limited to read-only API actions (Describe, List, Get)
- Unique External ID per client to prevent unauthorized role assumption
- Short-lived STS credentials that expire automatically
- Full audit logging through AWS CloudTrail
- Immediate revocation capability via IAM role removal
The role cannot create, modify, or delete resources.
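The safeguards above are only useful if someone reads the CloudTrail records they produce. The Python below is an added example, not part of CloudWizard or its documentation: it classifies AssumeRole records from the client account's trail against the expected access model (calls from the provider account, with the agreed External ID, for a short session) and surfaces the cases a defender should look at: a successful assumption by another account, a success without the expected External ID (which would mean the trust policy condition is missing), or an unusually long session. The role ARN, account IDs, External ID, session ceiling and all sample events are constructed placeholders and assumptions, not values from the page.

```python
import json
from typing import Optional

# Constructed placeholders: the page does not give the real provider account,
# role name or External ID. MAX_SESSION_SECONDS is an assumed ceiling for
# "short-lived", not a figure from the page.
ROLE_ARN = "arn:aws:iam::222222222222:role/CloudWizardReadOnly"  # hypothetical client-side role
PROVIDER_ACCOUNT_ID = "111111111111"                              # hypothetical CloudWizard account
EXPECTED_EXTERNAL_ID = "cw-client-7f3a-example"                  # hypothetical per-client value
MAX_SESSION_SECONDS = 3600

# Constructed sample records in the shape of CloudTrail AssumeRole events as
# recorded in the trusting (client) account.
SAMPLE_EVENTS = [
    {   # normal provider session
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "cloudwizard-scan",
                              "externalId": "cw-client-7f3a-example", "durationSeconds": 3600},
    },
    {   # caller from an account the trust policy does not allow; STS refused it
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AWSAccount", "accountId": "333333333333"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "probe"},
        "errorCode": "AccessDenied",
    },
    {   # a different role in the same trail; not the monitored role, ignored
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OtherRole"},
    },
    {   # provider account succeeded WITHOUT an External ID: trust policy lacks the condition
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "cloudwizard-scan"},
    },
    {   # provider account, correct External ID, but a 12-hour session
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "cloudwizard-scan",
                              "externalId": "cw-client-7f3a-example", "durationSeconds": 43200},
    },
]


def classify_event(event: dict) -> Optional[str]:
    """Classify one CloudTrail record against the expected access model.
    Returns None for records that are not AssumeRole calls on the monitored role."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return None
    params = event.get("requestParameters") or {}
    if params.get("roleArn") != ROLE_ARN:
        return None
    if event.get("errorCode"):
        return "denied"                    # STS refused the call; the trust policy held
    caller = (event.get("userIdentity") or {}).get("accountId")
    if caller != PROVIDER_ACCOUNT_ID:
        return "unexpected-principal"      # success from a non-provider account: investigate
    if params.get("externalId") != EXPECTED_EXTERNAL_ID:
        return "external-id-mismatch"      # success without the ID: condition missing from trust
    # AssumeRole defaults to a one-hour session when durationSeconds is omitted.
    if params.get("durationSeconds", 3600) > MAX_SESSION_SECONDS:
        return "session-too-long"
    return "expected"


def audit_events(events: list) -> dict:
    """Group monitored-role events by classification; values are eventTime strings."""
    summary = {}
    for ev in events:
        label = classify_event(ev)
        if label is not None:
            summary.setdefault(label, []).append(ev["eventTime"])
    return summary


def audit_jsonl(text: str) -> dict:
    """Same check over newline-delimited JSON, e.g. an exported set of trail records."""
    return audit_events([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for label, times in audit_events(SAMPLE_EVENTS).items():
        print(f"{label:22s} {len(times)}  {', '.join(times)}")
```

Denied attempts are worth counting as well as the anomalies: a steady stream of AccessDenied on the role from unknown accounts is exactly the confused-deputy scenario the External ID condition exists to stop, and it is visible only if the trail is being read.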
Operational Model
CloudWizard operates entirely through AWS APIs. No agents, sidecars, or services are deployed into your infrastructure. Your runtime environment remains unchanged.
This approach ensures:
- No additional attack surface
- No operational overhead
- No performance impact
- No infrastructure drift
Clients retain full administrative control of their AWS environment at all times.

Alignment with AWS Best Practices
The CloudWizard access architecture aligns with AWS Well-Architected security principles, including:
- Explicit trust relationships
- Role-based access control
- Short-lived credentials
- Audit logging
- Least-privilege design
Security tooling should enhance visibility without increasing operational risk. CloudWizard is designed accordingly.
Reference Documentation
- AWS STS AssumeRole (API) — https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- AWS External ID (confused deputy protection) — https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
- IAM Roles (how role trust works) — https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
- CloudTrail logging (audit access) — https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
- IAM policy evaluation logic — https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html