
AWS onboarding

Set up a secure cross-account IAM role, validate the External ID, and connect AWS without storing long-lived access keys.

01

CloudFormation setup

Use the ARCO Governance onboarding template to create a read-only scanner role, configure the External ID, and return the role ARN to the workspace.

Create the stack in the target AWS account.
Confirm the External ID shown in ARCO.
Copy the generated role ARN back into AWS Accounts.
Run validation before saving the account.

02

Terraform setup

Teams managing AWS with Terraform can create the same cross-account IAM role and trust policy through infrastructure code.

Use the provided scanner role naming convention.
Apply read-only scanner permissions.
Add the External ID condition to the trust policy.
Store the role ARN for onboarding.

03

Manual IAM role setup

Manual setup is available when change control requires reviewing each IAM policy statement before deployment.

Create an IAM role trusted by the ARCO platform account.
Add the External ID condition.
Attach scanner permissions only.
Validate the role from the ARCO workspace before saving.

04

Common errors

Most connection issues come from a missing External ID condition, an incorrect role ARN, or incomplete scanner permissions.

Wrong account ID in the role ARN.
External ID mismatch.
Trust policy does not allow the ARCO platform account.
Permission boundary blocks read APIs.
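The trust-policy checks behind sections 03 and 04 (trusted principal and External ID condition), as an added Python example that is not part of ARCO's documentation or tooling; the platform account ID and External ID are constructed placeholders, and the sample policy is constructed to match the shape the manual setup describes.

```python
import json

# Constructed placeholders: the real ARCO platform account ID and External ID
# are shown in the ARCO workspace; these values are not from the page.
ARCO_PLATFORM_ACCOUNT = "111122223333"
EXPECTED_EXTERNAL_ID = "arco-example-external-id"

# Constructed trust policy in the shape the manual setup describes: trusted by
# the ARCO platform account and gated on the sts:ExternalId condition.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ARCO_PLATFORM_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, platform_account, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    grants_assume = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*", "*"} & actions):
            continue
        grants_assume = True
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or {"AWS": "<arn>" | ["<arn>", ...]}
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append("trust policy allows any AWS principal ('*')")
        if not any(platform_account in p for p in aws):
            findings.append("trust policy does not allow the ARCO platform account")
        # The External ID must be enforced as a StringEquals condition on sts:ExternalId.
        ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ids is None:
            findings.append("missing sts:ExternalId condition")
        elif external_id not in _as_list(ids):
            findings.append("External ID mismatch")
    if not grants_assume:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```

Run the check against the trust policy document of the scanner role before validating the account in ARCO; any finding maps to one of the common errors listed above.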
