Prerequisites
Before setting up Guardian Pro, review the following requirements to ensure a smooth onboarding experience. Most AWS environments already meet these prerequisites -- this page helps you confirm that everything is in place.
AWS Account Requirements
AWS Organization (Recommended)
Guardian Pro works best with AWS Organizations, which enables automatic discovery of all member accounts and centralized role deployment.
| Requirement | Details |
|---|---|
| AWS Organization | An active AWS Organization with at least one member account |
| Management account access | Administrative access to the Organization's management account |
| Trusted access for StackSets | Must be enabled (Guardian Pro can guide you through this during onboarding) |
If you are managing a single AWS account without an Organization, Guardian Pro supports that too. You can connect a standalone account and add Organization support later. See Connecting Your AWS Account for both paths.
Single Account Setup
For environments without AWS Organizations, the minimum requirements are:
| Requirement | Details |
|---|---|
| AWS account | An active AWS account with resources to scan |
| IAM permissions | Ability to create IAM roles in the account |
| Account ID | Your 12-digit AWS account ID |
IAM Requirements
Guardian Pro requires IAM roles in your AWS accounts to perform discovery, scanning, and optional remediation. You need sufficient IAM permissions to create these roles during onboarding.
What You Need to Create
- Management role (Organizations setup) -- A read-only role in your management account for Organization discovery. Guardian Pro provides the CloudFormation template.
- Member roles (Organizations setup) -- Lightweight roles deployed to each member account via StackSets. These roles grant read access for resource discovery and scanning.
- Single account role (standalone setup) -- A single IAM role combining discovery and scanning permissions.
You do not need to manually write IAM policies. Guardian Pro provides pre-built CloudFormation templates that create all necessary roles with least-privilege permissions. The onboarding wizard walks you through deploying them.
Required IAM Capabilities
The person performing the initial setup needs the ability to:
- Create IAM roles and policies
- Deploy CloudFormation stacks
- Deploy CloudFormation StackSets (for multi-account setups)
- Enable trusted access for StackSets in AWS Organizations (if not already enabled)
If your organization uses AWS Service Control Policies (SCPs), make sure they do not block the creation of IAM roles or CloudFormation StackSets in the management account. Contact your AWS administrator if you are unsure.
AWS Cost and Usage Reports (Optional)
Guardian Pro's cost intelligence features deliver the deepest insights when backed by AWS Cost and Usage Reports (CUR).
Why CUR Matters
CUR provides granular, line-item billing data that enables:
- Detailed service-level and resource-level cost breakdowns
- Accurate anomaly detection and trend analysis
- Rightsizing and reservation recommendations based on actual usage
- Historical spending analysis across custom time periods
CUR Configuration
If you want to use cost intelligence features, configure a CUR with the following settings:
| Setting | Value |
|---|---|
| Report format | Apache Parquet |
| Compression | Parquet (default) |
| Time granularity | Hourly (recommended) or Daily |
| Include resource IDs | Yes |
| S3 bucket | Any bucket in the same account as the CUR |
| S3 path prefix | Any prefix (Guardian Pro will discover it automatically) |
CUR setup is optional. Guardian Pro's security scanning, compliance, architecture, and AI assistant features work without CUR data. You can enable CUR at any time and Guardian Pro will begin ingesting cost data automatically.
CUR Data Availability
After enabling a CUR for the first time, AWS typically takes 24-48 hours to deliver the initial report. Guardian Pro will show the CUR status as "Pending Data" during this period, and cost features will become available once the first report arrives.
Network Requirements
Guardian Pro is a fully hosted SaaS platform. There are no agents to install, no VPN connections to configure, and no inbound network rules to open.
Outbound Connectivity
Guardian Pro communicates with your AWS accounts through the IAM roles created during onboarding. All interactions use standard AWS API endpoints over HTTPS. No special network configuration is required.
Firewall and Proxy Considerations
If your organization uses a corporate proxy or firewall for outbound web traffic, ensure that the following domains are accessible from user browsers:
| Domain | Purpose |
|---|---|
*.guardianpro.cloud | Guardian Pro console and API |
cognito-idp.*.amazonaws.com | Authentication |
*.amazonaws.com | AWS Marketplace subscription management |
Browser Support
Guardian Pro's web console is supported on modern browsers:
| Browser | Minimum Version |
|---|---|
| Google Chrome | 90+ |
| Mozilla Firefox | 90+ |
| Microsoft Edge | 90+ (Chromium-based) |
| Safari | 15+ |
Internet Explorer is not supported. If your organization mandates IE, please contact Guardian Pro support to discuss options.
Browser Configuration
- JavaScript must be enabled.
- Cookies must be enabled for the
guardianpro.clouddomain. - WebSocket connections must be allowed (used for real-time updates and the AI assistant).
- Pop-up blockers should allow pop-ups from
guardianpro.cloud(used during OAuth flows for the Infrastructure Wizard).
Subscription Tiers
Guardian Pro is available in three tiers, each with different feature sets and usage limits:
| Feature | Starter | Business | Enterprise |
|---|---|---|---|
| AWS accounts | Up to 5 | Up to 50 | Unlimited |
| Security scanning | Included | Included | Included |
| Cost intelligence | Basic | Full | Full |
| Compliance frameworks | 2 | All | All + custom |
| Architecture advisor | Basic | Full | Full |
| AI assistant | Standard usage | Extended usage | Unlimited |
| Automated remediation | Limited | Full | Full |
| Infrastructure wizard | Limited | Full | Full |
| Support | Community | Business hours | 24/7 priority |
All tiers include the core security scanning and compliance capabilities. Higher tiers unlock deeper analytics, higher usage limits, and premium support. You can upgrade your tier at any time through the AWS Marketplace.
Pre-Onboarding Checklist
Use this checklist to confirm you are ready to begin setup:
- You have access to the AWS Management Console for your management account (or standalone account)
- You have IAM permissions to create roles, policies, and CloudFormation stacks
- You know your AWS Organization ID (if using Organizations)
- You have subscribed to Guardian Pro through the AWS Marketplace
- Your browser meets the minimum version requirements
- (Optional) You have configured an AWS Cost and Usage Report
Once you have confirmed these prerequisites, proceed to Connecting Your AWS Account to begin the setup process.