Connect AWS without sharing long-lived credentials.
A read-only cross-account IAM role with a unique ExternalId, deployed via CloudFormation. Agentless, read-only by design, and reviewable before you connect a single account.

Three steps to a connection
Create a connection
Add an AWS account in the console and Securitain generates a unique ExternalId for the trust policy.
Launch the CloudFormation template
Deploy the provided template to create a read-only cross-account role — review it before you run it.
Verify role & account
Securitain assumes the role, confirms the account, and reports what it can and cannot read.
A guard against the confused deputy
The trust policy requires a unique ExternalId that only your tenant knows. Without it, even a party who knows your role ARN cannot trick Securitain into assuming your role on their behalf — the classic confused-deputy problem.
  "Condition": {
    "StringEquals": {
      "sts:ExternalId": "your-unique-external-id"
    }
  }
What the role can — and can't — do
Can read
- IAM users, roles, groups, policies & boundaries
- Access-key metadata & MFA configuration
- Trust policies and supported resource policies
- Identity Center & Organizations metadata (permission-dependent)
Cannot change
- Create, modify, or delete any resource
- Read application data or object contents
- Execute remediation or deploy policies
- Reach accounts you have not connected
Current assessments do not execute remediation. Review the CloudFormation template so you can confirm exactly which read and list permissions it grants.
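One way to do that review offline before deploying, as an added example that is not Securitain's template or code: parse the CloudFormation role resource, confirm the trust policy pins a principal and carries the sts:ExternalId condition described above, and flag any inline action that is not a Get/List/Describe call. The account ID, role name, ExternalId and the sample template itself are constructed placeholders.

```python
# Added example (not Securitain's template or code): offline review of a
# CloudFormation cross-account role. Account ID, role name, ExternalId are placeholders.
import copy

# Constructed sample template with one read-only role.
SAMPLE_TEMPLATE = {"Resources": {"ScannerReadOnlyRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
        "Policies": [{"PolicyName": "ReadOnlyIam", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Resource": "*",
                "Action": ["iam:Get*", "iam:List*", "organizations:Describe*"]}]}}]}}}}

READ_ONLY_VERBS = ("Get", "List", "Describe")

def review_role_template(template: dict) -> list:
    """Return review findings; an empty list means the role passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        # 1. Trust policy: a pinned principal plus an sts:ExternalId condition.
        for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
            principal = stmt.get("Principal", {})
            if principal == "*" or principal.get("AWS") == "*":
                findings.append(f"{name}: trust policy allows any AWS principal")
            if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
                findings.append(f"{name}: no sts:ExternalId condition (confused-deputy risk)")
        # 2. Inline permissions: every action must be a Get/List/Describe call.
        for pol in props.get("Policies", []):
            for stmt in pol["PolicyDocument"]["Statement"]:
                actions = stmt.get("Action", [])
                for action in (actions if isinstance(actions, list) else [actions]):
                    if not action.split(":", 1)[-1].startswith(READ_ONLY_VERBS):
                        findings.append(f"{name}: action {action!r} is not read-only")
    return findings

def weakened_template() -> dict:
    """Constructed 'bad' variant: ExternalId removed and a write action added."""
    bad = copy.deepcopy(SAMPLE_TEMPLATE)
    role = bad["Resources"]["ScannerReadOnlyRole"]["Properties"]
    del role["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]
    role["Policies"][0]["PolicyDocument"]["Statement"][0]["Action"].append("iam:DeleteUser")
    return bad
```

Managed policy ARNs attached via ManagedPolicyArns are not expanded by this check and still need to be read separately.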
Partial-scan transparency
If the read-only role is missing a permission, Securitain doesn't silently skip it. It completes everything it can and raises a clear banner naming exactly what it couldn't analyze, so a partial scan is never mistaken for a clean one.
What is processed, and what isn't
Config & evidence processed
- IAM and access configuration metadata
- Trust and supported resource policies
- Per-scan findings & evidence (encrypted)
Not collected
- Your application or customer data
- S3 object contents or database records
- Long-lived AWS access keys
The questions security teams ask
Does Securitain store my AWS keys?
No. Securitain uses a cross-account IAM role with a unique ExternalId and short-lived assumed-role credentials. There are no long-lived AWS access keys to store.
Can Securitain change my resources?
No. The connection is read-only by design and the current release does not execute remediation. The CloudFormation template grants read and list permissions only — review it before deploying.
How are my accounts isolated from other tenants?
Accounts are scoped to your organization, API access is authorized per tenant, and data is filtered by tenant at the database layer. Each connected account is only reachable through the role you explicitly created.
What happens if the role is missing a permission?
Securitain runs a capability-aware partial scan, completes what it can, and shows a clear warning describing exactly what it could not analyze. You never get a falsely clean report.
How do I disconnect an account?
Remove the account in the console and delete the CloudFormation stack (and its role) in your AWS account. Once the role is gone, Securitain can no longer assume it.
Connect with confidence
Review the read-only role and ExternalId model, then connect an account when your security team is ready.