
Adding Accounts

After your initial onboarding, you can connect additional AWS accounts to Guardian Pro at any time. Whether you have launched new accounts, acquired new workloads, or simply want to expand your governance coverage, Guardian Pro supports seamless account addition.

Two Ways to Add Accounts

Automatic Discovery

If you completed onboarding with the multi-account path and deployed StackSets, new accounts added to your AWS Organization are discovered and onboarded automatically.

How it works:

  1. You create a new account in your AWS Organization (or move an existing account into a monitored OU).
  2. The StackSet deployed during onboarding automatically deploys the Guardian Pro monitoring role to the new account.
  3. Guardian Pro detects the new account during its next synchronization cycle.
  4. The account appears in your account selector and begins its first scan.

Tip: Automatic discovery is the simplest and most reliable method. If you used StackSets during onboarding, this happens with zero effort on your part.

Manual Addition

For accounts that are not part of your AWS Organization, or if you need to connect an account outside the StackSet deployment scope, you can add accounts manually from Settings.

Steps:

  1. Navigate to Settings > Organization in Guardian Pro.
  2. Click Add Account.
  3. Enter the AWS Account ID (12-digit number) and a friendly Account Name.
  4. Guardian Pro provides a CloudFormation template URL. Open this URL in the AWS Console for the target account.
  5. Deploy the CloudFormation stack in the target account. This creates the necessary IAM role.
  6. Return to Guardian Pro and click Verify Connection.
  7. Guardian Pro validates that it can assume the role in the new account.
  8. The account is now connected and ready for its first scan.

Info: Manual account addition requires you to have administrator access in the target AWS account to deploy the CloudFormation stack.

What Gets Deployed

When you add a new account, a single IAM role is created in that account. This role allows Guardian Pro to:

  • Discover resources -- Read-only access to inventory AWS resources across all supported services.
  • Run security checks -- Read-only access to evaluate resource configurations against best practices.
  • Apply remediations (optional) -- Limited write access to fix specific misconfigurations. Write access is only used when you explicitly initiate a remediation action.

The role's trust policy includes confused deputy protection (an external ID condition) so that only your Guardian Pro organization can assume it. No other Guardian Pro tenant can access your accounts.

For full details on what permissions are granted, see IAM Permissions.

Note: Guardian Pro never stores your AWS credentials. All access is through cross-account IAM role assumption, following AWS security best practices.

After Adding an Account

Once an account is connected, Guardian Pro immediately begins the onboarding process for that account:

First Scan

  1. Resource discovery runs automatically, inventorying all AWS resources across enabled regions.
  2. Security scanning evaluates every discovered resource against hundreds of automated checks.
  3. Architecture mapping builds a dependency graph of your infrastructure.
  4. Results appear on your dashboard and in the Action Centre within minutes.

Cost Data

Cost data for the new account becomes available once AWS Cost and Usage Reports (CUR) are configured in that account. If CUR is already configured in your management account with consolidated billing, cost data may already be available.

See CUR Setup for instructions.

Compliance

The new account is automatically assessed against all compliance frameworks you have subscribed to. Compliance scores update to include the new account's results.

Managing Connected Accounts

Viewing Account Status

Navigate to Settings > Organization to see all connected accounts and their statuses:

Status       | Meaning                                         | Action Needed
Active       | Fully connected, scans running normally         | None
Pending      | Role deployment in progress or not yet verified | Wait for deployment to complete, or verify manually
Error        | Role cannot be assumed                          | Check that the IAM role exists and has the correct trust policy
Disconnected | Account removed or role deleted                 | Re-add the account or redeploy the role

Refreshing Account Connection

If an account shows an error status:

  1. Navigate to Settings > Organization.
  2. Select the affected account.
  3. Click Test Connection to verify the monitoring role.
  4. If the test fails, check the IAM Troubleshooting guide.

Removing an Account

To stop monitoring an account:

  1. Navigate to Settings > Organization.
  2. Select the account and click Remove.
  3. Confirm the removal.

Caution: Removing an account permanently deletes all Guardian Pro data associated with that account, including findings, cost history, compliance records, and scan results. This action cannot be undone.

After removing an account from Guardian Pro, you should also clean up the IAM role in the AWS account:

  • StackSet-deployed accounts -- Remove the StackSet instance from the AWS Console, or the role will be redeployed automatically.
  • Manually added accounts -- Delete the CloudFormation stack from the target account.

Limits and Quotas

Plan       | Maximum Accounts
Starter    | Up to 5 accounts
Business   | Up to 50 accounts
Enterprise | Unlimited accounts

Info: If you need to connect more accounts than your current plan allows, you can upgrade your subscription from Settings > Subscription or through the AWS Marketplace. See Subscription Plans for a plan comparison.

Troubleshooting

CloudFormation Stack Failed to Deploy

  • Ensure you have sufficient IAM permissions in the target account (see IAM Issues).
  • Check the CloudFormation Events tab in the AWS Console for specific error messages.
  • Verify that there is no existing Guardian Pro role that conflicts with the new deployment.

Account Shows Error After Deployment

  • Verify the IAM role was created successfully in the target account.
  • Check that the role's trust policy allows the Guardian Pro service to assume it.
  • Ensure the external ID in the trust policy matches your Guardian Pro organization.
  • See IAM Troubleshooting for step-by-step resolution.
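The trust-policy checks listed above (and the confused deputy protection described under What Gets Deployed) can be scripted. The following is an added example, not Guardian Pro's own code or template output: the principal ARN and external ID are placeholders you would replace with the values Guardian Pro shows for your organization, and the two sample trust policies are constructed, one sound and one with the external ID condition missing.

```python
# Constructed placeholder values: substitute the principal and external ID that
# Guardian Pro shows for your organization. These are NOT real Guardian Pro values.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder service account
EXPECTED_EXTERNAL_ID = "gp-PLACEHOLDER-EXTERNAL-ID"      # placeholder external ID

def _as_list(value):
    # IAM policy JSON allows a scalar or a list in most positions.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, principal, external_id):
    """Return a list of problems; an empty list means the trust policy is sound."""
    problems = []
    allow = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allow:
        return ["no Allow statement grants sts:AssumeRole"]
    for stmt in allow:
        pr = stmt.get("Principal", {})
        who = ["*"] if pr == "*" else _as_list(pr.get("AWS", []))
        if "*" in who:
            problems.append("wildcard principal lets any AWS account assume the role")
        elif principal not in who:
            problems.append(f"principal {who} is not the expected {principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition: confused-deputy protection missing")
        elif external_id not in _as_list(ext):
            problems.append(f"external ID {ext!r} does not match {external_id!r}")
    return problems

# Constructed sample trust policies, not Guardian Pro's actual template output.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "gp-PLACEHOLDER-EXTERNAL-ID"}}}]}
# Same role, but the ExternalId condition was dropped: the service side can no
# longer prove which tenant a request is for, so the role would show as Error.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_trust_policy(pol, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID) or "OK")
```

To check a deployed role, feed it the document returned by `aws iam get-role --role-name <name>` (the `AssumeRolePolicyDocument` field) instead of the constructed samples.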

Account Not Appearing After StackSet Deployment

  • StackSet deployments can take a few minutes to propagate to all accounts.
  • Check the StackSet status in the AWS Console to confirm deployment succeeded.
  • Trigger a manual sync from Settings > Organization by clicking Refresh.

Next Steps