Getting Started: Connect Your AWS Account

Connect your AWS account to CloudArq in minutes and run your first infrastructure audit. We use read-only access, so your infrastructure is never modified.

Prerequisites

Before you start, make sure you have:

  • AWS Account

    An AWS account with admin or sufficient permissions to create IAM roles

  • CloudArq Account

    A CloudArq account (free tier is available)

Step 1: Create IAM Role

Use CloudFormation Template

CloudArq provides a CloudFormation template that creates a read-only IAM role with exactly the permissions needed for audits. This is the recommended and easiest approach.

The template creates:

  • A read-only IAM role (no create, modify, or delete permissions)
  • An external ID on the role, for security (prevents confused deputy attacks)
  • A trust relationship with CloudArq's AWS account

You'll find the template link in the Connections section when you add a new connection.
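Once the stack has deployed, you can confirm that the role's trust policy really contains the last two items. The check below is an added example, not part of CloudArq's template or tooling; the account ID `111122223333`, the external ID and the sample policy are constructed placeholders, so substitute the values from the template you deployed.

```python
import json

# Constructed sample trust policy. The account ID and external ID are
# placeholders, not CloudArq's real values.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # Accepts a bare 12-digit account ID or an IAM ARN; returns None otherwise.
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_trust_policy(policy, vendor_account, external_id):
    """Return a list of problems in a cross-account role trust policy."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if _account_of(str(p)) != vendor_account:
                problems.append(f"statement {i}: unexpected principal {p!r}")
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            problems.append(f"statement {i}: non-account principal types present")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ids[0]) != [external_id]:
            problems.append(f"statement {i}: external ID does not match")
    return problems
```

Feed it the document returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`; an empty list means every Allow statement names only the expected account and requires the expected external ID.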

Step 2: Add Connection in CloudArq

Register Your AWS Account

  1. Navigate to Connections

    Click the Connections menu in your CloudArq dashboard

  2. Click Add Connection

    Select "Add New AWS Connection"

  3. Paste the IAM Role ARN

    Copy the role ARN from your AWS account (format: arn:aws:iam::123456789012:role/CloudArqRole) and paste it into CloudArq

  4. Save the Connection

    Click Save. CloudArq verifies the role can be assumed

Step 3: Run Your First Audit

Kick Off Your Audit

  1. Go to Dashboard

    From the dashboard, click "Run New Audit"

  2. Select Your Connection

    Choose the AWS account you just added

  3. Run the Audit

    Click "Run Audit". CloudArq will begin auditing your infrastructure

  4. Wait for Results

    Most audits complete in 2–5 minutes

What Happens During a Scan

5 AWS Regions Scanned by Default

us-east-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1

169 Security & Operations Checks

Covering 30+ AWS services across Security, Cost Optimization, Reliability, Performance Efficiency, Operational Excellence, and Sustainability

Read-Only API Calls

CloudArq makes only read-only API calls to your AWS account. No resources are created, modified, or deleted. After the scan, temporary credentials are discarded.

Results in 2–5 Minutes

You'll see your Audit Score, findings grouped by severity, and remediation guidance

Troubleshooting

Invalid Credentials Error

If you see "Invalid credentials" or "Unable to assume role":

  • Verify the IAM Role ARN is copied exactly (no extra spaces)
  • Check that the CloudFormation stack deployed successfully in AWS
  • Ensure you used the CloudArq-provided CloudFormation template

Permission Denied

If a scan fails with permission errors for specific services:

  • The CloudFormation template provides all necessary permissions
  • Check if service control policies (SCPs) are restricting access
  • Review CloudArq's documentation for the specific AWS service

Region Not Scanned

If you need scans for regions outside the default 5:

Contact support at [email protected] to request additional regions (Max tier only).

Ready to start?

Your first scan is free. Once you understand your audit score and key findings, explore our plans to unlock advanced features like AI remediation, compliance mapping, and API access.
