
AWS Security Checklist for Startups: The 15-Minute Setup

Viktor B.

Co-founder & CEO · November 21, 2025 · 8 min read

You just created an AWS account. You're excited to deploy your app. Security is the last thing on your mind — you'll get to it later, when you have time. Except later never comes, and six months from now you're managing production workloads on an account where the root user has no MFA, CloudTrail isn't enabled, and three developers share a single IAM access key.

This checklist is designed to fix that. It covers the highest-impact security actions for a new AWS account, ordered by how much risk each one eliminates per minute of effort. You can complete all of them in about 15 minutes.

The Checklist

Step 1: Enable MFA on the Root Account (2 minutes)

The root account has unrestricted access to everything in your AWS account. If someone compromises the root credentials, they own your entire infrastructure — and no IAM policy or SCP can stop them.

Open the IAM console. Click on "Root user" in the security recommendations. Add a virtual MFA device (use an authenticator app like Authy or 1Password). Store the recovery codes somewhere safe — not in the AWS account itself.

This single action eliminates the highest-risk attack vector for your account.

Step 2: Create an Admin IAM User and Stop Using Root (3 minutes)

The root account should never be used for daily operations. Create an IAM user with AdministratorAccess, enable MFA on that user, and use it for all console access going forward. Lock the root credentials in a safe and forget about them unless you need to change billing settings or close the account.

Even better: create an IAM Identity Center (SSO) user instead. SSO users get temporary credentials that expire automatically, which is more secure than long-lived IAM user credentials.

Step 3: Enable CloudTrail (2 minutes)

CloudTrail records every API call made in your account — who did what, when, and from where. Without CloudTrail, you have no audit trail. If something goes wrong, you're investigating blind.

Go to the CloudTrail console. Create a trail. Accept the defaults — management events, all regions, delivered to a new S3 bucket. Done. The free tier covers one trail with management events, so this costs nothing.

Step 4: Enable GuardDuty (1 minute)

GuardDuty is AWS's managed threat detection service. It analyzes CloudTrail, VPC Flow Logs, and DNS logs to detect credential compromise, unauthorized access, and malicious activity. Enable it in every region — yes, even regions you don't use, because attackers will use them.

The 30-day free trial gives you time to evaluate the cost. For most startups, it's $10-30/month. That's the cheapest security monitoring you'll find anywhere.

Step 5: Block Public Access on S3 (1 minute)

S3 bucket misconfigurations are one of the most common causes of data breaches. AWS now blocks public access by default on new buckets, but older accounts or buckets created by certain tools may not have this setting.

Go to the S3 console. Click "Block Public Access settings for this account." Enable all four block public access settings at the account level. This prevents any bucket in the account from being accidentally made public.

Step 6: Set Up a Budget Alert (2 minutes)

Go to AWS Budgets. Create a monthly cost budget at 150% of what you expect to spend. Add email notifications at 80%, 100%, and 150% thresholds. This is your financial early warning system — it won't prevent a billing disaster, but it'll make sure you hear about it quickly.

Step 7: Delete Unused Access Keys (2 minutes)

Run this command:

# list-users prints all names tab-separated on one line; split them so
# xargs passes one user per call instead of the whole line as a single name.
aws iam list-users --query 'Users[*].UserName' --output text | \
  tr '\t' '\n' | \
  xargs -I {} aws iam list-access-keys --user-name {} \
  --query 'AccessKeyMetadata[?Status==`Active`].[UserName,AccessKeyId,CreateDate]' \
  --output text

Review every active access key. If you don't know what it's for, deactivate it and wait a week to see if anything breaks. If nothing breaks, delete it. Long-lived access keys that nobody remembers creating are the #1 credential compromise vector for startups.
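The review in Step 7 (and the MFA requirement from Steps 1 and 2) can be done from one artifact, the IAM credential report. The Python below is an added example, not code from the post: it parses the CSV that `aws iam get-credential-report` returns (the Content field, base64-decoded) and flags console users without MFA, active keys that have never been used or sit idle, and keys overdue for rotation. The sample report, the fixed "as of" date, and the 90-day and 30-day thresholds are constructed for illustration.

```python
"""Triage an IAM credential report for the checklist's credential-hygiene items (added example)."""
import csv
import io
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample report: AWS's real column names, trimmed to the columns this script reads.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2024-01-10T09:00:00+00:00,not_supported,2025-11-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T09:00:00+00:00,true,2025-11-20T10:00:00+00:00,2025-06-01T09:00:00+00:00,N/A,true,true,2025-09-01T09:00:00+00:00,2025-11-20T09:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2024-03-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-15T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2025-11-18T09:00:00+00:00,true,N/A,2025-11-18T09:00:00+00:00,N/A,false,true,2025-11-18T09:05:00+00:00,2025-11-19T12:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
"""
AS_OF = datetime(2025, 11, 21, tzinfo=timezone.utc)  # fixed "now" (constructed) so results are reproducible


def _days_since(stamp: str, now: datetime) -> Optional[int]:
    """Whole days since an ISO-8601 timestamp; None for the report's N/A-style placeholders."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def triage_credential_report(report_csv: str, now: datetime, max_key_age_days: int = 90,
                             max_idle_days: int = 30) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; the thresholds are illustrative, tune them to your policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Steps 1 and 2: anyone who can sign in to the console, root included, must have MFA.
        if (user == "<root_account>" or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # Step 7: review every active key for its age and for whether it is used at all.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{slot}_last_rotated"], now)
            idle = _days_since(row[f"access_key_{slot}_last_used_date"], now)
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access key {slot} is {age} days old, rotate it"))
            if idle is None:
                findings.append((user, f"access key {slot} has never been used, deactivate it"))
            elif idle > max_idle_days:
                findings.append((user, f"access key {slot} unused for {idle} days, deactivate it"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the triage over the constructed report as of the post's publication date."""
    return triage_credential_report(SAMPLE_REPORT, AS_OF)
```

Against the sample, `audit_sample()` flags the root user and bob for missing MFA and deploy-bot's key both for age and for never having been used; alice, whose key is recent and in use, produces nothing.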

Step 8: Enable AWS Config (2 minutes)

AWS Config continuously records the configuration of your AWS resources. It's the foundation for compliance monitoring — it tells you when something changes and whether the change violates your security rules.

Enable Config with the default settings. Add the "Conformance Pack" for CIS AWS Foundations Benchmark to get an instant compliance scorecard. The cost is minimal for small accounts — typically under $5/month.

What This Covers

In 15 minutes, you've eliminated the six most common attack patterns for startup AWS accounts: root account compromise (MFA + separate admin user), credential theft (access key cleanup), undetected threats (GuardDuty), data exposure (S3 public access block), billing surprises (Budget alerts), and blind spots (CloudTrail + Config).

This is not a comprehensive security program. It's the minimum viable security posture for a startup account — the 20% of effort that eliminates 80% of the risk.

The Automated Version

This checklist works when you remember to do it, and when you keep doing it as your account grows. What happens when a new team member creates an IAM user without MFA? When someone opens a security group to 0.0.0.0/0 for debugging and forgets to close it? When a new S3 bucket gets created without encryption?

Vigilare runs this checklist — and 200 more checks — automatically, every five minutes. It alerts you when something drifts from your security baseline and gives you a single risk score that tells you whether your account needs attention right now. Start a free 14-day trial.
