IAM Role Setup

TroveSec never stores AWS access keys. It assumes a read-only IAM role in your account using STS — the same pattern AWS uses for all cross-account access.

  1. You deploy a CloudFormation stack that creates a read-only IAM role in your account
  2. TroveSec’s scanner calls sts:AssumeRole with your role_arn and a unique external_id
  3. STS returns temporary credentials valid for 1 hour — only used during the scan
  4. Credentials are never stored

The external_id prevents confused-deputy attacks: the role's trust policy only permits sts:AssumeRole calls that present the matching sts:ExternalId, so someone who merely learns your role ARN cannot get TroveSec to assume it on their behalf.

  1. Go to Connections in your dashboard

    Click Add AWS Account → Launch CloudFormation.

    This opens the AWS CloudFormation console in a new tab with the template pre-loaded.

  2. Review the stack

    The template creates one IAM role with these managed policies:

    • SecurityAudit — read access to security-relevant config across all services
    • ViewOnlyAccess — read access to resource metadata

    No write permissions are granted. No data leaves your account except what the scan engine finds.

  3. Deploy the stack

    Click Create Stack. Deployment takes around 30 seconds.

  4. Copy the role ARN

    Once the stack shows CREATE_COMPLETE, go to the Outputs tab. Copy the value for TrovesecRoleArn.

  5. Paste the ARN into your dashboard

    Back in TroveSec → Connections → Add AWS Account, paste the ARN. TroveSec will verify the role can be assumed before saving.
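The template you review in step 2 should look roughly like the following. This is an added, illustrative CloudFormation template, not the one TroveSec publishes: the parameter names, the ScannerAccountId and ExternalId values, and the logical resource name are assumptions. What matters when reviewing the real stack is the same three things shown here: the trust policy is restricted to a single principal and requires sts:ExternalId, only the two read-only managed policies are attached, and the role ARN is exported as TrovesecRoleArn.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative read-only cross-account scanner role (example template,
  not the TroveSec-published one). Review your real stack against it.

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID of the scanner service (placeholder; use the value the vendor supplies)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: Unique external ID issued for this connection (placeholder)
    MinLength: 16
    NoEcho: true   # keep it out of the console and stack parameter listings

Resources:
  ScannerReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Read-only role assumed by the scanner via STS
      MaxSessionDuration: 3600   # 1-hour sessions, matching the credential lifetime described above
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # Only the scanner's account may assume this role ...
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            # ... and only when it presents the external ID (confused-deputy protection)
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Read-only managed policies only; no inline or write-capable policies
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Outputs:
  TrovesecRoleArn:
    Description: Role ARN to paste into Connections -> Add AWS Account
    Value: !GetAtt ScannerReadOnlyRole.Arn
```

When the stack reaches CREATE_COMPLETE you can confirm what was actually created rather than trusting the template text: `aws iam get-role --role-name <name from the stack's Resources tab>` prints the trust policy, where the Condition block with sts:ExternalId should be present, and `aws iam list-attached-role-policies --role-name <name>` should list exactly SecurityAudit and ViewOnlyAccess. If the trust policy lacks the ExternalId condition, or allows a principal other than the scanner's account, do not hand the ARN over until that is fixed.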