Connecting Your AWS Account to CloudWizard
Security & Access Architecture
CloudWizard operates using AWS-native cross-account access controls designed around least privilege, short-lived credentials, and full client control.
- No agents deployed
- No credentials stored
- No access to application data, databases, S3 object contents, or secrets
- Fully auditable in AWS CloudTrail
- Access can be revoked at any time by deleting the role
Follow the procedure below
Connect Your AWS Account to CloudWizard (Read-Only)
CloudWizard connects using AWS STS AssumeRole with a dedicated read-only IAM role in your AWS account. No agents. No credentials shared. Fully revocable.
How this works
- CloudWizard generates a unique External ID for your tenant.
- You launch a prebuilt CloudFormation stack in your AWS account.
- The stack creates a read-only IAM role that only CloudWizard can assume.
- You paste the Role ARN back here and we run your first scan.
Step 1 – Confirm your details
Example: CloudWizard-Access-YourCompany
This unique value is required to prevent confused-deputy risk.
Step 2 – Launch the CloudFormation stack
Click the button below, review the permissions in the AWS Console, then create the stack.
In AWS: On the stack Outputs tab, copy the value of CloudWizardReadOnlyRoleArn (or similar).
Step 3 – Paste your Role ARN
Paste the Role ARN from the CloudFormation Outputs. We’ll validate it and start your first posture scan.
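As an added illustration (not CloudWizard's own template or code), this is the trust policy shape the read-only role needs for the External ID to prevent confused-deputy access, together with the checks you can run when reviewing the stack's permissions and the pasted Role ARN. The CloudWizard account ID and External ID below are placeholders, not real values.

```python
import re
from typing import Optional

# Placeholder values for this example; the real CloudWizard account ID and your
# tenant-specific External ID come from the onboarding page, never from here.
CLOUDWIZARD_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "cw-tenant-example-external-id"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def build_trust_policy(cloudwizard_account_id: str, external_id: str) -> dict:
    """Trust policy for the read-only role created by the CloudFormation stack.

    Only the named CloudWizard account may call sts:AssumeRole, and only when it
    presents this tenant's External ID (the confused-deputy mitigation).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cloudwizard_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_is_safe(policy: dict, expected_account_id: str) -> bool:
    """Review check: every Allow statement must trust exactly one account
    (no wildcard or list principals) and require the sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or isinstance(aws, list) or aws is None:
            return False
        if f":{expected_account_id}:" not in str(aws):
            return False
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True


def parse_role_arn(role_arn: str) -> Optional[str]:
    """Return the 12-digit account ID of a well-formed IAM role ARN, else None."""
    m = ROLE_ARN_RE.match(role_arn.strip())
    return m.group(1) if m else None
```

Compare the account ID returned by parse_role_arn with your own account before pasting the ARN; a mismatch means the Outputs value came from the wrong account or stack.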
Below is the information that needs to be sent back to CloudWizard.


