IAM Permissions
Guardian Pro connects to your AWS accounts through cross-account IAM roles. These roles are created during onboarding and follow the principle of least privilege -- Guardian Pro only requests the permissions it needs, and write access is strictly limited to explicit remediation actions you initiate.
This page explains what permissions Guardian Pro requests, why each is needed, and the security controls in place to protect your accounts.
Permission Model
Guardian Pro uses a tiered permission model:
| Tier | Purpose | When Used |
|---|---|---|
| Read-Only | Resource discovery and security scanning | Every scan cycle -- runs automatically on schedule |
| Limited Write | Automated remediation of specific findings | Only when you explicitly click "Fix" on a finding |
| Organization Read | AWS Organization structure discovery | During onboarding and periodic account sync |
Guardian Pro never requests administrator access. Write permissions are narrowly scoped to the specific API actions needed for each remediation, and are only invoked when you explicitly approve a remediation action.
Read-Only Permissions
The majority of Guardian Pro's operations are read-only. These permissions serve two purposes: resource discovery and security scanning.
Resource Discovery
Guardian Pro inventories your AWS resources to build a complete picture of your infrastructure. Discovery permissions cover all supported AWS services, including:
- Compute -- Describe and list instances, functions, containers, and auto-scaling configurations
- Networking -- Describe VPCs, subnets, security groups, load balancers, and DNS records
- Storage -- Describe and list buckets, volumes, file systems, and their configurations
- Databases -- Describe database instances, clusters, and their security configurations
- Identity -- List users, roles, policies, and access keys (metadata only -- never credential values)
- Security -- Describe encryption settings, certificate status, and logging configurations
- Monitoring -- Describe alarms, log groups, and trail configurations
Security Scanning
After discovery, Guardian Pro evaluates resource configurations against hundreds of best-practice checks. This requires the same read-only permissions used for discovery, plus access to configuration details such as:
- Encryption settings (at rest and in transit)
- Public accessibility flags
- Logging and monitoring configuration
- Network access rules and security group rules
- IAM policy attachments and trust relationships
Guardian Pro reads resource configurations, not your data. For example, Guardian Pro checks whether a storage bucket has encryption enabled, but never reads the contents of the bucket.
Write Permissions (Remediation)
Write permissions are only used when you explicitly initiate a remediation action. They are never exercised automatically or during scanning.
How Write Access Works
- You review a finding in the Action Centre.
- You click Fix to preview the remediation.
- Guardian Pro shows exactly what will be changed before you confirm.
- Only after you confirm does Guardian Pro assume the role with write permissions and apply the fix.
Scope of Write Permissions
Write permissions are scoped to the specific API actions required for remediation. Examples include:
- Enabling encryption on a resource that lacks it
- Updating a security group rule to restrict overly permissive access
- Enabling logging on a service where it is disabled
- Enabling versioning on a storage bucket
- Modifying access policies to follow least-privilege principles
Each remediation action targets a specific resource and a specific configuration change. Guardian Pro cannot perform arbitrary write operations outside of the defined remediation strategies, and that limit is enforced by the role policy itself, which lists only the API actions those strategies need, rather than by application logic alone. Of the actions listed above, the policy-modifying ones are the most powerful, so it is worth reviewing the resource scope of those statements when you deploy the write-enabled role.
If your organization's security policies do not permit automated write access, you can use Guardian Pro in read-only mode. All findings will include manual remediation steps that your team can follow independently in the AWS Console.
Organization Permissions
For multi-account setups, Guardian Pro requests limited organization-level permissions in your management account:
- List accounts -- Discover all accounts in your AWS Organization
- Describe organization -- Understand your OU structure
- List organizational units -- Map your account hierarchy
These permissions are read-only and are used exclusively for account discovery. Guardian Pro never modifies your Organization configuration.
Confused Deputy Protection
Guardian Pro implements confused deputy protection on all cross-account roles using an External ID, the mechanism AWS recommends for third parties that assume roles in customer accounts. Each role's trust policy restricts the principal to Guardian Pro's AWS account and adds an sts:ExternalId condition, so that:
- Guardian Pro can assume the roles in your AWS accounts only when acting on behalf of your Guardian Pro organization.
- No other Guardian Pro tenant can point Guardian Pro at your roles, even if they know the role ARN, because their tenant's external ID will not match the one in your trust policy.
- The external ID is unique to your organization and is checked by AWS STS on every role assumption.
The external ID is configured automatically during onboarding: it is embedded in the CloudFormation templates and therefore in the role trust policies, so you do not need to manage it manually. Note that the external ID is a confused-deputy control, not a credential. Knowing it does not by itself let anyone assume the role, because the trust policy still limits the principal to Guardian Pro's account.
Role Types
Guardian Pro deploys different role types depending on your setup:
Management Account Role
- Deployed to: Your AWS management account
- Permissions: Organization read-only (list accounts, describe OUs)
- Used for: Account discovery and synchronization
- No write permissions of any kind
Member Account Role
- Deployed to: Each member account via StackSets
- Permissions: Read-only for scanning, limited write for remediation
- Used for: Resource discovery, security scanning, and remediation
- Write permissions are optional and only used when you initiate fixes
Single Account Role
- Deployed to: Standalone accounts not in an AWS Organization
- Permissions: Combined read and optional write, equivalent to the member role
- Used for: All Guardian Pro operations in a single-account setup
Reviewing Deployed Permissions
You can inspect the exact permissions granted to Guardian Pro at any time:
- Open the AWS Console for the account in question.
- Navigate to IAM > Roles.
- Search for the Guardian Pro role (the role name includes "GuardianPro").
- Review the attached policies to see every permission granted.
The IAM role is deployed via CloudFormation, so you can also review the template in the CloudFormation stack's Template tab.
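The script below is an added example, not Guardian Pro's own tooling. It reviews a cross-account role the way the Confused Deputy Protection and Reviewing Deployed Permissions sections describe: the trust policy must name a single trusted account and carry an sts:ExternalId condition, and the permissions policy should contain only configuration reads plus explicitly listed remediation writes, with no wildcards and no data-plane reads such as s3:GetObject. Both policy documents are constructed samples with a placeholder account ID (111122223333) and external ID; against a real account you would fetch them with aws iam get-role, aws iam list-attached-role-policies / aws iam get-policy-version and aws iam get-role-policy and pass the resulting documents to the same functions.

```python
import json
import re

# Constructed sample trust policy. The account ID 111122223333 stands in
# for the vendor's AWS account and the external ID is a placeholder;
# neither is a real Guardian Pro value.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "gp-example-tenant-id"}},
    }],
}

# Constructed sample permissions policy: configuration reads, one explicit
# remediation write, and one data-plane read planted so the check has
# something to flag.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketEncryption",
                    "s3:GetBucketVersioning", "iam:ListRoles", "iam:GetRole"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
         "Action": ["s3:PutBucketVersioning"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:GetObject"},
    ],
}

# Actions whose name looks like a read but which return customer data rather
# than configuration. A scanning role has no reason to hold these.
DATA_PLANE_READS = {
    "s3:GetObject", "s3:GetObjectVersion", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Scan", "dynamodb:Query",
    "logs:GetLogEvents", "logs:FilterLogEvents", "kms:Decrypt",
}
READ_VERB = re.compile(r"^(Describe|List|Get|Lookup|Search|Simulate)")


def _as_list(value):
    """IAM allows a single string wherever a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_account(principal):
    """Return the 12-digit account ID named by an AWS principal, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = re.match(r"arn:aws:iam::(\d{12}):", principal)
    return match.group(1) if match else None


def trust_policy_findings(doc, expected_account):
    """Problems with a role trust policy. An empty list means only the
    expected account can assume the role and an external ID is required."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal to assume the role")
            elif _principal_account(p) != expected_account:
                findings.append(f"unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("AssumeRole statement has no sts:ExternalId condition (confused deputy risk)")
    return findings


def classify_actions(doc):
    """Sort every allowed action into read, write, data_access or wildcard so
    the tiers described on this page can be compared with the real policy."""
    buckets = {"read": [], "write": [], "data_access": [], "wildcard": []}
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                buckets["wildcard"].append(action)
            elif action in DATA_PLANE_READS:
                buckets["data_access"].append(action)
            elif READ_VERB.match(name):
                buckets["read"].append(action)
            else:
                buckets["write"].append(action)
    return buckets


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_findings(TRUST_POLICY, "111122223333"))
    print(json.dumps(classify_actions(PERMISSIONS_POLICY), indent=2))
```

On the sample input the trust policy passes and the classifier reports ec2:Describe* and the other reads as read-only, s3:PutBucketVersioning as the one write, and s3:GetObject as a data-plane read to question. The read/write split is a verb heuristic; anything it files under write is worth a look, and anything under data_access or wildcard contradicts what this page promises and should be raised with your vendor before the role is deployed.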
Revoking Access
To immediately revoke Guardian Pro's access to an account:
- Navigate to IAM > Roles in the AWS Console for the target account.
- Delete the Guardian Pro role. The console detaches its policies for you; if you delete the role through the CLI or API instead, you must detach managed policies and delete inline policies first or the deletion is rejected.
- Guardian Pro will no longer be able to access that account. Because the role no longer exists, credentials Guardian Pro already obtained from it stop working immediately rather than at session expiry.
Alternatively, remove the account from Guardian Pro in Settings > Organization, and then delete the CloudFormation stack (for member accounts deployed via StackSets, remove the stack instance for that account). Deleting the stack removes the role with it and leaves nothing behind, whereas deleting the role by hand leaves a stack that reports the role as missing.
If you want to pause access rather than remove it, you can instead edit the role's trust policy to remove the Guardian Pro principal. This blocks new role assumptions but does not end sessions already in progress, which remain valid until they expire; restoring the trust policy restores access without redeploying anything.
Revoking access immediately stops all scanning and monitoring for that account. Historical data in Guardian Pro will be retained until you formally remove the account.
Frequently Asked Questions
Can Guardian Pro access my data (files, database contents, secrets)? No. Guardian Pro reads resource configurations and metadata only. It checks whether encryption is enabled on a bucket, but never reads the bucket's contents. It checks whether a secret exists and is rotated, but never retrieves secret values. You can confirm this from the deployed role itself: its attached policies should contain no data-plane actions such as s3:GetObject or secretsmanager:GetSecretValue, and no service-wide wildcards that would include them.
Can I use Guardian Pro without granting write permissions? Yes. Write permissions are optional. You can deploy the read-only version of the role and use Guardian Pro purely for scanning and reporting. All findings include manual remediation steps.
What happens if I modify the IAM role manually? Guardian Pro will continue to operate with whatever permissions remain. If you remove required read permissions, some checks may fail and report errors. If you remove write permissions, remediation actions will fail with a clear error message.
Next Steps
- Data Privacy -- Learn how Guardian Pro handles your data.
- Audit Logging -- Track every action Guardian Pro takes.
- Onboarding Overview -- Revisit the role deployment process.
- IAM Troubleshooting -- Resolve permission-related issues.