Connecting Your AWS Account to CloudWizard

Security & Access Architecture

CloudWizard operates using AWS-native cross-account access controls designed around least privilege, short-lived credentials, and full client control.

  • No agents deployed
  • No credentials stored
  • No access to application data, databases, S3 object contents, or secrets
  • Fully auditable in AWS CloudTrail
  • Access can be revoked at any time by deleting the role

Follow the procedure below

Connect Your AWS Account to CloudWizard (Read-Only)

CloudWizard connects using AWS STS AssumeRole with a dedicated read-only IAM role you create in your AWS account. No agents. No credentials shared. Fully revocable.

Before you start

  • Open the AWS Console in ap-southeast-2 (Sydney)
  • Have your External ID from CloudWizard ready
  • Deployment takes ~2 minutes

1) Enter your details

Example: CloudWizard-Access-Acme
The External ID is required to prevent confused-deputy risk.
AWS STS AssumeRole documentation →
After deployment: send CloudWizard the created Role ARN (CloudFormation Outputs will show it). We’ll validate access and start your first posture scan.
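
Before sending the Role ARN, you can check that the role's trust policy allows only `sts:AssumeRole`, trusts only the vendor account, and pins your External ID with an exact match. The following is an added example, not CloudWizard's code: the function name, the account ID `111122223333`, and the External ID value are placeholders, and the policies are constructed samples.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account, external_id):
    """Return findings for a cross-account role trust policy (empty list = OK)."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement: nobody can assume the role")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # e.g. "Principal": "*"
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for p in _as_list(values):
                trusted = kind == "AWS" and (
                    p == vendor_account
                    or p.startswith(f"arn:aws:iam::{vendor_account}:"))
                if not trusted:
                    findings.append(f"unexpected principal {kind}={p}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action {action}")
        # The External ID must be pinned with an exact-match operator.
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if pinned is None:
            findings.append("missing StringEquals sts:ExternalId (confused-deputy exposure)")
        elif _as_list(pinned) != [external_id]:
            findings.append("sts:ExternalId does not match the issued value")
    return findings

# Constructed sample policies; account ID and External ID are placeholders.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id-0001"
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}}]}""")
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT, EXTERNAL_ID) or "OK")
```

To audit the deployed role, pass in the `AssumeRolePolicyDocument` that IAM returns for it instead of the sample documents.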

Below is the information that needs to be sent back to CloudWizard