Onboarding Overview
Guardian Pro uses a guided onboarding wizard to connect your AWS environment securely and start delivering governance insights within minutes. The wizard walks you through each step, validates your configuration in real time, and ensures everything is properly set up before your first scan begins.
Two Setup Paths
Guardian Pro supports two onboarding paths depending on your AWS environment:
Multi-Account (AWS Organisations)
The recommended path for organisations managing multiple AWS accounts. This path automatically discovers your account structure and deploys monitoring roles across all member accounts.
| Step | Description | Time |
|---|---|---|
| Deploy Management Role | Deploy a read-only role in your management account | 2-3 min |
| Discover Organisation | Auto-discover accounts and organisational units | 1-2 min |
| Deploy StackSets | Deploy monitoring roles to all member accounts | 3-5 min |
| Users & Permissions | Configure users and map permissions | 2-3 min |
| Complete Setup | Verify and launch your first scan | 1 min |
Single Account
A simplified path for teams working with a single AWS account or those not using AWS Organisations. See Single Account Setup for the streamlined process.
Before You Begin
Ensure you have the following ready before starting the onboarding process:
- AWS Management Console access with permissions to deploy CloudFormation stacks
- Administrator or PowerUser access in your AWS management account (for multi-account) or target account (for single account)
- A Guardian Pro account -- sign up via AWS Marketplace or directly at guardianpro.cloud
Required AWS Permissions
To complete onboarding, the IAM user or role you use in the AWS Console needs the following permissions:
- CloudFormation:
CreateStack,DescribeStacks,DescribeStackEvents - IAM:
CreateRole,PutRolePolicy,AttachRolePolicy(for the Guardian Pro role) - Organisations (multi-account only):
ListAccounts,DescribeOrganization - CloudFormation StackSets (multi-account only):
CreateStackSet,CreateStackInstances
If you use AWS SSO (IAM Identity Center), the AdministratorAccess permission set includes everything needed. For least-privilege setups, see IAM Permissions Reference.
Expected Time
Most organisations complete the full onboarding process in 10-15 minutes. The actual time depends on:
- Number of accounts: StackSet deployment scales with account count, but runs in parallel
- Network conditions: CloudFormation stack creation typically completes in under 2 minutes
- User configuration: Mapping permissions for large teams may take a few extra minutes
What Gets Deployed
During onboarding, Guardian Pro deploys lightweight IAM roles into your AWS accounts. These roles grant Guardian Pro the minimum permissions needed to discover resources, evaluate security posture, and (optionally) remediate findings.
Guardian Pro never stores your AWS credentials. All access is through cross-account IAM roles with external ID verification, following AWS security best practices. See Security & Trust for full details.
Role Summary
| Role | Deployed To | Purpose |
|---|---|---|
| Management Role | Management account | Read-only access to AWS Organisations (list accounts, describe OUs) |
| Member Role | Each member account | Read access for resource discovery and scanning; optional write access for remediation |
| Single Account Role | Standalone account | Combined read and remediation access for single-account setups |
How Onboarding Works
- You deploy a CloudFormation stack in your AWS account -- a single click from the Guardian Pro console
- Guardian Pro assumes the created role to discover your environment
- Resources are inventoried and your first governance scan runs automatically
- Results appear on your dashboard within minutes of completing setup
The entire process is non-destructive. Guardian Pro operates in read-only mode by default, and remediation actions require explicit opt-in and confirmation.
Resuming Onboarding
If you need to pause and return later, Guardian Pro saves your progress automatically. When you log back in, you will be returned to the step where you left off.
Your onboarding session persists for 7 days. If you need to restart from the beginning, contact support to reset your onboarding state.
Next Steps
Ready to get started? Choose your path:
- Multi-account: Begin with Deploy Management Role
- Single account: Jump to Single Account Setup
- Already onboarded? Head to the Dashboard Overview