Connecting Your AWS Account

Deploy the read-only CloudFormation template and verify your connection in under 5 minutes.

Read-only IAM role only. This template cannot modify, delete, or create any resources in your account. Revoke access anytime by deleting the stack.

What Gets Created in Your Account

IAM Role (RemediGeniusHQ-ReadOnly)

Read-only role with SecurityAudit + ReadOnlyAccess AWS managed policies. Trusts RemediGenius account ID with your unique ExternalID.

KMS Key (Customer-Controlled)

You own this key. Encrypts all scan data. Delete it anytime to make our stored data permanently unreadable.

S3 Bucket (scan results)

Encrypted with YOUR KMS key. Public access blocked. Objects auto-deleted after 90 days. Only the IAM role can read from it.

Native Security Tools (optional)

Enables Security Hub, Config, GuardDuty, and Access Analyzer if not already active. Set EnableNativeTools=false to skip.

We can read

Security Hub findings
Config compliance states
GuardDuty detections
Resource metadata (names, tags)

We cannot access

S3 object contents
RDS / database data
Secrets Manager values
EC2 file systems

Step-by-Step Guide

1
Start the onboarding wizard
After logging in, click 'Connect AWS Account' from the dashboard or go to Cloud Accounts → Add Account.
2
Click 'Launch in AWS Console'
The wizard generates a pre-filled CloudFormation URL with your unique ExternalID and our account ID. It opens your AWS Console with all parameters filled in.
3
Create the CloudFormation stack
In your AWS Console, review the template parameters and click 'Create Stack'. The stack takes 2–5 minutes to complete.
4
Copy the Role ARN from Outputs
Once the stack shows CREATE_COMPLETE, go to the Outputs tab. Copy the value next to 'RemediGeniusRoleArn'.
```
arn:aws:iam::123456789012:role/RemediGeniusHQ-ReadOnly
```
5
Paste the Role ARN in RemediGenius
Return to the RemediGenius wizard, paste the Role ARN, and click 'Verify Connection'. We'll confirm the connection is working.
6
Run your first scan
Connection verified! Click 'Run Scan' to pull your latest security findings.

Estimated AWS Cost

Enabling native security tools incurs a small cost paid directly to AWS (separate from your RemediGenius subscription).

Service	Estimated Cost	Notes
Security Hub	$0–5/mo	First 10,000 findings/mo free
AWS Config	$2–10/mo	$0.003 per config item recorded
GuardDuty	$3–15/mo	Based on data volume analysed
Total	$5–25/mo	For a typical AWS account

Troubleshooting

AWS Organizations users: If you use AWS Organizations with Security Hub delegated admin, you can connect once and monitor all member accounts. See our FAQ for details.

← Getting Started Understanding Findings

Connecting Your AWS Account

What Gets Created in Your Account

Step-by-Step Guide

Estimated AWS Cost

Troubleshooting

CloudFormation stack fails with IAM error

Connection verification fails

SCP is blocking the connection

Region mismatch error

How to disconnect