Vigilare connects to your AWS account through a read-only IAM role: no agents, no compute resources, and nothing in your existing infrastructure changes beyond the IAM role and policy described below. The recommended way to deploy this role is with Terraform, so your Vigilare integration is versioned, repeatable, and managed alongside the rest of your infrastructure code.
Here's the complete walkthrough.
Prerequisites
- Terraform v1.0+ installed
- AWS credentials configured (CLI profile, environment variables, or IAM role)
- A Vigilare account (sign up at vigilare.io — the external ID is generated during signup)
Step 1: Add the Vigilare Module
In your Terraform configuration directory, create a new file or add to an existing one:
module "vigilare" {
  source      = "vigilare/monitor/aws"
  version     = "~> 2.0"
  external_id = var.vigilare_external_id
}

variable "vigilare_external_id" {
  description = "External ID from Vigilare dashboard for cross-account role assumption"
  type        = string
  sensitive   = true
}
The module creates two resources: an IAM role whose trust policy allows Vigilare's AWS account to assume it, conditioned on the external ID, and an IAM policy that grants read-only access to the AWS services Vigilare monitors (the full action list is under What the Module Creates below).
Step 2: Store the External ID Securely
The external ID exists to stop the confused deputy problem. The trust policy lets Vigilare's account assume the role, so without the ID anyone who learned your role ARN could register it in their own Vigilare account and have Vigilare read your data on their behalf. It is a condition on the trust policy rather than a credential in its own right (the Principal element is what limits assumption to Vigilare's account), but treat it as a secret anyway. Don't hardcode it in your Terraform files. Use one of these approaches:
Terraform variables file (gitignored):
# terraform.tfvars (add to .gitignore)
vigilare_external_id = "your-external-id-from-dashboard"
Environment variable:
export TF_VAR_vigilare_external_id="your-external-id-from-dashboard"
terraform apply
AWS Secrets Manager or SSM Parameter Store: For production environments, store the external ID in Secrets Manager and reference it via a data source.
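The Secrets Manager variant, written out as an added example (this is not code from the Vigilare module or docs). It assumes a secret named vigilare/external-id already exists in the same account and region as the provider and holds the raw ID string, and that the identity running Terraform has secretsmanager:GetSecretValue on it; the secret name is a placeholder.

```hcl
# Added example, not from the Vigilare module: read the external ID from
# AWS Secrets Manager at plan time instead of passing it as a variable.
# Assumptions: the secret "vigilare/external-id" exists in the provider's
# account and region, its value is the raw ID string (not JSON), and the
# caller is allowed to read it. The secret name is a placeholder.

data "aws_secretsmanager_secret_version" "vigilare_external_id" {
  secret_id = "vigilare/external-id"
}

module "vigilare" {
  source  = "vigilare/monitor/aws"
  version = "~> 2.0"

  # The provider marks secret_string as sensitive, so Terraform redacts it
  # in plan output. It is still written to state in the clear, so the state
  # backend (S3 bucket, encryption, access policy) must be protected too.
  external_id = data.aws_secretsmanager_secret_version.vigilare_external_id.secret_string
}
```

The SSM Parameter Store version is the same shape: a data "aws_ssm_parameter" block with with_decryption = true, referencing its value attribute. In both cases the value lands in Terraform state, which is the main reason to keep the state backend locked down rather than treating the data source as the end of the story.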
Step 3: Review and Apply
terraform init # Download the module
terraform plan # Review what will be created
terraform apply # Create the IAM role and policy
Review the plan output carefully. You should see exactly two resources being created: aws_iam_role.vigilare and aws_iam_policy.vigilare_readonly. No EC2 instances, no Lambda functions, no compute resources of any kind. If the plan shows anything else, stop and inspect the module source that terraform init downloaded into .terraform/modules/vigilare before applying.
Step 4: Verify in Vigilare
After terraform apply completes, go back to the Vigilare dashboard. Click "Verify Connection" on the account you're adding. Vigilare will attempt to assume the newly created role. If successful, the initial scan begins immediately — you'll see your risk score and first findings within 2-3 minutes.
What the Module Creates
For full transparency, here's what the Terraform module deploys:
IAM Role: A role named VigilareMonitorRole whose trust policy allows Vigilare's AWS account, and only that account, to call sts:AssumeRole on it, and only when the call carries your external ID. The Principal element is what keeps other AWS accounts from assuming the role even if they know the role ARN; the external ID condition closes the remaining gap, where someone who knows your role ARN tries to get Vigilare itself to assume the role on their behalf.
IAM Policy: A policy attached to the role with read-only permissions for specific services:
- guardduty:Get*, guardduty:List* for security findings
- config:Describe*, config:Get* for compliance data
- ce:GetCostAndUsage, ce:GetCostForecast for billing
- ses:GetAccountSendingEnabled, ses:GetSendQuota for SES reputation
- servicequotas:Get*, servicequotas:List* for quota monitoring
- health:Describe* for account health events
- iam:Get*, iam:List* for IAM configuration analysis
The policy does not include any write permissions. Vigilare cannot modify, create, or delete any resources in your account. You can confirm this from the plan output yourself: every action in the policy document begins with Get, List, or Describe, and there is no NotAction element.
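To make the two controls in the trust policy concrete, here is the shape of such a role and read-only policy written out in plain Terraform. This is an added illustration, not the Vigilare module's actual source: the account ID 111111111111 is a placeholder for Vigilare's real account (take the real value from the module or dashboard), the resource and role names are illustrative, and it is meant to be applied in a scratch directory, not next to the module block from Step 1, which already declares the same variable and creates the real role.

```hcl
# Added example, not the Vigilare module's source. It shows the two controls
# in a cross-account trust policy (Principal and sts:ExternalId) and a
# read-only permissions policy built from the action list above.
# Assumptions: 111111111111 stands in for the provider's account ID, and all
# names are placeholders. Apply in a scratch directory only.

variable "vigilare_account_id" {
  description = "AWS account ID of the monitoring provider (placeholder value)"
  type        = string
  default     = "111111111111"
}

variable "vigilare_external_id" {
  description = "External ID issued by the provider"
  type        = string
  sensitive   = true
}

data "aws_iam_policy_document" "vigilare_trust" {
  statement {
    sid     = "AllowProviderAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Control 1: only the named provider account may attempt the call.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.vigilare_account_id}:root"]
    }

    # Control 2: the provider must present the ID you registered. This is
    # what stops another tenant of the same provider from pointing it at
    # your role ARN (the confused deputy case).
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.vigilare_external_id]
    }
  }
}

resource "aws_iam_role" "vigilare_example" {
  name               = "VigilareMonitorRoleExample"
  assume_role_policy = data.aws_iam_policy_document.vigilare_trust.json
}

# Read-only permissions: only Get/List/Describe actions, no NotAction.
# Resources are "*" because these are account-level read APIs.
data "aws_iam_policy_document" "vigilare_readonly" {
  statement {
    sid    = "ReadOnlyMonitoring"
    effect = "Allow"
    actions = [
      "guardduty:Get*", "guardduty:List*",
      "config:Describe*", "config:Get*",
      "ce:GetCostAndUsage", "ce:GetCostForecast",
      "ses:GetAccountSendingEnabled", "ses:GetSendQuota",
      "servicequotas:Get*", "servicequotas:List*",
      "health:Describe*",
      "iam:Get*", "iam:List*",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "vigilare_readonly" {
  name   = "VigilareReadOnlyExample"
  role   = aws_iam_role.vigilare_example.id
  policy = data.aws_iam_policy_document.vigilare_readonly.json
}
```

Two things worth checking against the real module once terraform init has downloaded it: that the principals block names a single account rather than a wildcard, and that the condition uses StringEquals on sts:ExternalId (a StringLike with a wildcard would defeat the purpose). Note also that iam:Get* and iam:List* are read-only but broad: they include iam:GetAccountAuthorizationDetails, which returns every policy document in the account, so the role is worth treating as sensitive even though it cannot change anything.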
Multi-Account Deployment
If you manage multiple AWS accounts, deploy the module in each account. Use Terraform workspaces or separate state files per account:
# For each account
module "vigilare" {
  source  = "vigilare/monitor/aws"
  version = "~> 2.0"

  providers = {
    aws = aws.production # or aws.staging, aws.client_acme
  }

  external_id = var.vigilare_external_id
}
Each account appears as a separate entry in your Vigilare dashboard with its own risk score, findings, and billing data.
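A single root module that deploys the role into two accounts, as an added example rather than code from the Vigilare docs. It assumes each target account already has a role that Terraform can assume (TerraformDeployer is a placeholder name), that the account IDs are placeholders, and that one external ID covers both accounts as the snippet above implies; if the dashboard issues a separate external ID per account, pass each one to its own module block.

```hcl
# Added example, not from the Vigilare docs: provider aliases that assume a
# deployment role in each account, plus one module instance per alias.
# Assumptions: the TerraformDeployer role exists in each target account,
# the account IDs 111111111111 / 222222222222 are placeholders, and the
# region is illustrative.

variable "vigilare_external_id" {
  description = "External ID from the Vigilare dashboard"
  type        = string
  sensitive   = true
}

provider "aws" {
  alias  = "production"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TerraformDeployer"
    session_name = "vigilare-deploy"
  }
}

provider "aws" {
  alias  = "staging"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TerraformDeployer"
    session_name = "vigilare-deploy"
  }
}

# The providers map on a module must be static, so Terraform cannot vary
# the provider per instance of a for_each module. One block per account.
module "vigilare_production" {
  source  = "vigilare/monitor/aws"
  version = "~> 2.0"

  providers = {
    aws = aws.production
  }

  external_id = var.vigilare_external_id
}

module "vigilare_staging" {
  source  = "vigilare/monitor/aws"
  version = "~> 2.0"

  providers = {
    aws = aws.staging
  }

  external_id = var.vigilare_external_id
}
```

Because both module instances live in one state file, that state now holds the external ID for every account; a compromise of the state backend exposes all of them at once. Separate state files per account (or per workspace) limit that blast radius, which is the security argument for the separate-state approach mentioned above, beyond the usual operational one.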
Updating and Removing
Updating: When Vigilare releases a new module version (to support new monitoring capabilities), update the version constraint and run terraform apply. As long as the role is updated in place, its ARN stays the same and nothing needs reconfiguring in the Vigilare dashboard. Check the plan before applying: if the role shows as being replaced rather than updated (for example because a release renames it), the ARN will change and you will need to re-verify the connection.
Removing: Delete the module block from your configuration and run terraform apply, or run terraform destroy -target=module.vigilare. Either deletes the IAM role and policy. Vigilare will detect the disconnection and mark the account as disconnected in your dashboard.
Written by Vigilare Engineering
Platform Team