// STEP-BY-STEP SETUP
Start your free AWS scan
Enter your email and connect your AWS account securely. Takes about 60 seconds. No credit card required.
1
Your email
2
Connect AWS
3
Get results
STEP 1 — YOUR EMAIL
STEP 2 — CONNECT YOUR AWS ACCOUNT
WHAT THIS DOES
Creates one read-only IAM role in your account — nothing else
Sends your Role ARN to Bastioneer automatically — no copy/paste required
Scan begins automatically — results arrive in your inbox within minutes
No changes are ever made to your infrastructure
IAM PERMISSIONS GRANTED
READ-ONLY ONLY
✓ ReadOnlyAccess — describe/list all resources
✓ CloudWatchReadOnlyAccess — read metrics only
✗ ec2:TerminateInstances — blocked
✗ rds:DeleteDBInstance — blocked
✗ s3:DeleteObject — blocked
✗ iam:* actions — blocked
✓ CloudWatchReadOnlyAccess — read metrics only
✗ ec2:TerminateInstances — blocked
✗ rds:DeleteDBInstance — blocked
✗ s3:DeleteObject — blocked
✗ iam:* actions — blocked
Your unique security token (External ID)
Token: bast-xxxxxxxx-xxxx — only Bastioneer can assume your role with this token. Even if someone else knew your account ID, they could not use your role without this token.
Credentials expire automatically — zero standing access
Bastioneer uses AWS STS temporary role assumption. Credentials are issued for a maximum of 1 hour and expire automatically when the scan completes — typically in 5–10 minutes. After that, Bastioneer has zero access to your account. No persistent connection is maintained. To run another scan, you would need to explicitly authorize it again.
Opens your AWS console — you review the template and click Deploy
STEP 3 — SCAN IN PROGRESS
Scanning your account...
Bastioneer is analyzing your AWS resources for waste and optimization opportunities.
EC2
RDS
S3
Elastic IPs
EBS Snapshots
Load Balancers
Results will be emailed to your address