
Single Account Setup

If you are working with a single AWS account or do not use AWS Organisations, Guardian Pro offers a simplified onboarding path. This guide walks you through the streamlined process for connecting a standalone account.

When to Use Single Account Setup

Choose this path if any of the following apply:

  • You have a single AWS account without AWS Organisations
  • You want to evaluate Guardian Pro on one account before expanding
  • Your organisation uses separate, unlinked AWS accounts rather than AWS Organisations
  • You are a startup or small team with a single production account

Info: You can start with a single account and upgrade to multi-account monitoring later. Adding AWS Organisations support does not require re-onboarding -- you can connect your organisation from Settings > Accounts at any time.

Prerequisites

Before starting:

  • AWS Console access with permissions to deploy CloudFormation stacks
  • Administrator or PowerUser access in your target AWS account
  • A Guardian Pro account -- sign up via AWS Marketplace or directly at guardianpro.cloud

Setup Process

The single account setup has three steps and typically completes in 5-7 minutes.

Step 1: Deploy the Single Account Role

From the Guardian Pro onboarding wizard, select Single Account when prompted for your setup type.

Click Deploy Role to launch a CloudFormation stack in your AWS account. This stack creates a single IAM role (GuardianProRole) that provides both discovery and remediation access.

What the Role Includes

The single account role combines the functionality of the management and member roles used in multi-account setups:

Permission Category | Description
Resource discovery | Read-only access to describe and list resources across supported AWS services
Configuration reading | Read security configurations, network rules, encryption settings, and IAM policies
Metrics and monitoring | Read CloudWatch metrics for utilisation analysis
Cost data | Read cost and usage information for cost intelligence features
Remediation (optional) | Modify resource configurations when you explicitly trigger a fix

Warning: Remediation permissions are included but are never used automatically. Every remediation action requires you to review a preview, confirm the changes, and click Execute.

Deploying the Stack

  1. Click Deploy Role in the Guardian Pro wizard
  2. The AWS CloudFormation console opens with the template pre-loaded
  3. Review the stack name (default: GuardianProRole)
  4. Verify the External ID parameter is pre-filled -- this is unique to your Guardian Pro organisation
  5. Check the box acknowledging IAM resource creation
  6. Click Create Stack

Stack creation completes in approximately 60-90 seconds.

Security Controls

The single account role includes the same security protections as the multi-account roles:

  • External ID verification -- prevents confused deputy attacks
  • Least privilege permissions -- no * resource grants, no data-plane access
  • Time-limited sessions -- role assumption sessions expire after one hour
  • Full CloudTrail auditability -- every API call Guardian Pro makes is logged

For detailed permission information, see IAM Permissions Reference.
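
One way to use the CloudTrail record to confirm that the role's remediation permissions are exercised only when you triggered a fix, as an added example (not Guardian Pro code): it lists every non-read-only call made through a GuardianProRole session. The records are constructed and trimmed to the standard CloudTrail fields used here; the times and the second role name are placeholders.

```python
ROLE_NAME = "GuardianProRole"  # role created by the stack described above


def _record(time, source, name, read_only, issuer, error=None):
    """Build a constructed CloudTrail record, trimmed to the fields used below."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "readOnly": read_only,
           "userIdentity": {"type": "AssumedRole", "sessionContext": {
               "sessionIssuer": {"type": "Role", "userName": issuer}}}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample events; times and "ExampleDeployRole" are placeholders.
SAMPLE_EVENTS = [
    _record("2024-05-01T10:02:41Z", "s3.amazonaws.com", "PutBucketEncryption", False, ROLE_NAME),
    _record("2024-05-01T09:55:03Z", "ec2.amazonaws.com", "DescribeInstances", True, ROLE_NAME),
    _record("2024-05-01T09:58:11Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", False,
            ROLE_NAME, error="Client.UnauthorizedOperation"),
    _record("2024-05-01T10:05:00Z", "ec2.amazonaws.com", "RevokeSecurityGroupIngress", False,
            "ExampleDeployRole"),
]


def session_role(record):
    """Name of the role behind an assumed-role session, or None for other identities."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def write_calls(records, role_name=ROLE_NAME):
    """Mutating calls made through role_name, oldest first, including denied attempts."""
    # A record without readOnly=True is treated as a write, the conservative reading.
    hits = [r for r in records
            if session_role(r) == role_name and r.get("readOnly") is not True]
    hits.sort(key=lambda r: r["eventTime"])  # ISO 8601 UTC strings sort chronologically
    return [(r["eventTime"], r["eventSource"], r["eventName"], r.get("errorCode"))
            for r in hits]


if __name__ == "__main__":
    for call in write_calls(SAMPLE_EVENTS):
        print(*call)
```

Each row returned should line up with a remediation you previewed and executed; a row with no matching action, or a denied attempt, is what to investigate.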

Step 2: Configure Users

After the role is deployed and verified, configure your Guardian Pro users:

  1. Add team members -- enter email addresses and display names
  2. Assign permission levels -- choose Read-Only, Standard, or Admin for each user
  3. Send invitations -- users receive a secure email link to create their accounts

Tip: For a single-person setup, you can skip adding additional users. You are already set up as an Admin and can invite others later from Settings > Users.

See Users & Permissions for detailed guidance on permission levels and role mappings.

Step 3: Complete Setup

Click Complete Setup to finalise your configuration. Guardian Pro immediately begins:

  1. Resource discovery -- inventorying all resources in your account across all enabled regions
  2. Governance scanning -- evaluating your infrastructure against hundreds of automated checks
  3. Dashboard population -- displaying health scores, findings, and recommendations

Your first results typically appear on the dashboard within 5-10 minutes.

What You Get

With single account setup, you have access to the full Guardian Pro feature set:

Feature | Available
Resource discovery | Yes -- all supported services and regions
Security scanning | Yes -- hundreds of automated checks
Cost intelligence | Yes -- requires CUR setup (see below)
Compliance frameworks | Yes -- CIS, SOC 2, GDPR, Well-Architected
Architecture advisor | Yes -- risk radar, failure simulation, health scoring
AI assistant | Yes -- full conversational capabilities
Automated remediation | Yes -- with preview and confirmation
Rollback support | Yes -- for supported remediation actions
Infrastructure wizard | Yes -- AI-powered template generation
Notifications | Yes -- all channels (email, Slack, Teams)

Differences from Multi-Account Setup

While single account setup provides full feature coverage, there are some differences compared to multi-account:

Features Not Applicable

Feature | Why
Organisation-wide views | No multi-account aggregation without Organisations
Account comparison | Requires multiple accounts to compare
Cross-account architecture mapping | Single account maps internal dependencies only
OU-based policies | OUs are an Organisations concept

Features That Work Differently

Feature | Single Account Behaviour
Account switcher | Not shown (only one account)
Dashboard aggregation | Shows single account data directly
Cost comparison | Compares time periods instead of accounts

Note: These differences are cosmetic and do not limit your governance capabilities. Every check, scan, and analysis that works on multi-account also works on a single account.

Upgrading to Multi-Account

If your organisation adopts AWS Organisations later or you want to add more accounts, you can upgrade without re-onboarding:

Adding AWS Organisations

  1. Go to Settings > Accounts
  2. Click Connect Organisation
  3. Follow the Deploy Management Role and Deploy StackSets steps
  4. Your existing account data is preserved -- new accounts are simply added

Adding Individual Accounts

If you have additional standalone accounts (without Organisations):

  1. Go to Settings > Accounts
  2. Click Add Account
  3. Deploy the single account role in the new account
  4. Guardian Pro begins monitoring the new account immediately

After completing single account setup:

1. Explore Your Dashboard

Visit the Dashboard to see your health score, findings, and recommendations once the first scan completes.

2. Set Up Cost and Usage Reports

Configure CUR to unlock cost intelligence features:

  • Cost analysis and trending
  • Anomaly detection
  • Budget monitoring
  • Financial advisory (reserved instances, savings plans, rightsizing)

See CUR Setup Guide for instructions.

3. Subscribe to Compliance Frameworks

Activate the compliance frameworks relevant to your organisation from Settings > Frameworks. See Compliance for details.

4. Review Critical Findings

Once your first scan completes, head to the Action Centre and filter by Critical and High severity to address the most impactful findings first.

5. Configure Notifications

Set up alerts for critical findings and daily digests to stay informed. Configure in Settings > Notifications.

Troubleshooting

Role deployment failed

  1. Check the CloudFormation stack events in your AWS Console for error details
  2. Ensure you have iam:CreateRole and cloudformation:CreateStack permissions
  3. If a previous stack exists with the same name, delete it first and redeploy

Guardian Pro cannot assume the role

  1. Verify the CloudFormation stack status is CREATE_COMPLETE
  2. Check that the External ID in the stack matches your Guardian Pro organisation
  3. Ensure no SCPs or permission boundaries are blocking sts:AssumeRole
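
The External ID check above, together with the External ID and one-hour session controls listed under Security Controls, can be verified against the deployed role's trust policy. This is an added example, not Guardian Pro code or its template: the role document is a constructed sample shaped like the output of `aws iam get-role`, and the account ID and External ID are placeholders.

```python
# Constructed sample shaped like the "Role" object returned by `aws iam get-role`.
# The account ID and External ID are placeholders, not Guardian Pro values.
SAMPLE_ROLE = {
    "RoleName": "GuardianProRole",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _external_ids(statement):
    """Values pinned by an exact-match sts:ExternalId condition."""
    ids = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            continue  # StringLike or ...IfExists variants do not pin the value
        for key, value in keys.items():
            if key.lower() == "sts:externalid":  # condition key names are case-insensitive
                ids.extend(_as_list(value))
    return ids


def audit_role(role, expected_external_id, max_session_seconds=3600):
    """Return a list of findings; an empty list means the trust policy passed."""
    findings = []
    if role.get("MaxSessionDuration", 3600) > max_session_seconds:
        findings.append("MaxSessionDuration allows sessions longer than one hour")
    for n, stmt in enumerate(_as_list(role["AssumeRolePolicyDocument"]["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {n}: wildcard principal")
        ids = _external_ids(stmt)
        if not ids:
            findings.append(f"statement {n}: no exact-match sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {n}: External ID differs from the expected value")
    return findings


if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, "EXAMPLE-EXTERNAL-ID") or "trust policy OK")
```

Pass the External ID shown for your Guardian Pro organisation as `expected_external_id`; a mismatch finding corresponds to the failure described in step 2.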

Scan not starting after setup

  1. Check the dashboard for a progress banner -- the scan may be running
  2. Navigate to Resources and click Run Discovery to trigger manually
  3. Verify account connectivity in Settings > Accounts