AWS · CloudFormation

Launch Transilience on your AWS account

One CloudFormation stack creates a read-only IAM role that Transilience assumes via OpenID Connect federation, with no long-lived keys. Pick the tier that matches how much you want Transilience to do.

  • STS · OIDC trust, no shared secrets
  • ~3 minutes to install
  • Needs AWS admin with IAM rights

How It Works

Three clicks and you're connected

01

Pick a tier

Start with Audit if you only need posture checks, or jump straight to Vulnerabilities, Logs, or Host Configuration depending on how much you want Transilience to do.

02

Launch in the AWS console

Click Launch Stack. AWS opens CloudFormation pre-populated with the template URL and stack name. Enter your email and company name.

03

Create the stack

Acknowledge the IAM capabilities, click Create stack, and the account auto-registers with Transilience. You'll see it appear inside the app within a minute.

Pick a Template

Choose how much access to grant

Each tier stacks on the one before it. You can upgrade later by updating the same stack with a higher tier's template URL.

Vulnerabilities

Adds vulnerability scanning & broad read access

Layers ECR image scanning, Inspector / Security Hub / GuardDuty / Macie findings, S3 configuration review, CloudWatch Logs & VPC describe, SSM inventory, and Cost Explorer on top of the SecurityAudit baseline.

Best for: Most customers. Pulls together every read-only vulnerability and posture signal (container image scans, AWS-native finding services, and configuration evidence) without granting any write access.

Includes

  • Everything in Audit
  • ECR image vulnerability scanning
  • Inspector / Security Hub / GuardDuty / Macie findings
  • S3 & VPC configuration review
  • CloudWatch Logs read
  • SSM read & inventory
  • Cost Explorer & budgets
Launch Stack in AWS
Stack name: transilience-compliance · Region: us-east-1

Role purpose, permissions & trust policy

TransilienceComplianceRole · 6 policies · 0 write · 6 read-only

Role purpose: Collecting compliance evidence from AWS accounts and monitoring. This role is assumed by the Transilience platform to assess security posture, gather audit artifacts, and run configuration checks across your AWS environment.

Attached policies

Policy · Access · Purpose · Permissions · Scope

SecurityAudit (AWS Managed) · READ
Purpose: Collect compliance evidence across AWS services for monitoring and audit.
  • IAM, EC2, RDS, Lambda, Config
  • S3, CloudFormation, CloudWatch
  • Broad read across most AWS services
Resource: *

Transilience-ECR-S3-Read (Customer Managed) · READ
Purpose: Vulnerability scanning of container images and reading S3 bucket configurations.
  • ECR: auth token, images, repos, scan findings, lifecycle & repo policies
  • S3: bucket location, policy, ACL, versioning, tagging, logging, encryption, CORS, replication, object lock
  • S3: ListBucket, ListAllMyBuckets
Resource: *

Transilience-Logs-VPC-Read (Customer Managed) · READ
Purpose: Reading logs for compliance monitoring and network configuration evidence.
  • CloudWatch Logs: log groups, streams, events, metric filters, subscriptions
  • EC2/VPC: flow logs, VPCs, subnets, security groups, NACLs, route tables
  • EC2/VPC: NAT/internet gateways, transit gateways, instances, tags
Resource: *

Transilience-Security-Services-Read (Customer Managed) · READ
Purpose: Collecting compliance evidence from AWS security services.
  • Inspector v2: findings, coverage, members, config
  • Security Hub: findings, insights, standards, controls
  • GuardDuty: findings, detectors, members
  • Macie: findings, bucket stats, session
  • Access Analyzer & Detective: list/get all
  • Account: alternate contacts
Resource: *

Transilience-SSM-Read (Customer Managed) · READ
Purpose: Reading instance configuration and patch state as compliance evidence.
  • Instances: describe info, properties, connection status
  • Inventory: get inventory, schema, entries
  • Patches: instance patches, patch states, baselines, patch groups
  • Commands: list commands & invocations, get invocation
  • Sessions: describe sessions
  • Documents: list, describe, get documents
  • Parameters: get/describe parameters & history
  • Associations: list, describe, execution details
  • Automation: describe/get executions & steps
  • Maintenance Windows: describe/get windows, targets, tasks, executions
  • Compliance: resource summaries, items, compliance summaries
Resource: *

Transilience-Cost-Explorer (Customer Managed) · READ
Purpose: Cost analysis of compliance runs and service usage.
  • Cost Explorer: cost/usage, forecasts, reservations, savings plans, anomalies, tags
  • Cost & Usage Reports: describe report definitions
  • Budgets: view budgets, describe actions & history
  • Billing: data, details, preferences, credits, IAM access
Resource: *

Stack parameters you'll enter

  • CustomerEmail: Email used to confirm onboarding for this account. Validated against a standard email regex by CloudFormation.
  • CustomerName: Your company or organization name (2-100 characters). Used as the display label inside the Transilience app.

Trust model

  • Trust uses OpenID Connect federation: Transilience exchanges a short-lived identity token for temporary AWS credentials via sts:AssumeRoleWithWebIdentity. No access key or shared secret is ever issued.
  • The CloudFormation stack creates the OIDC identity provider in your account as part of the install. You can delete it any time by deleting the stack.
  • The role's trust policy pins the audience claim and a subject-prefix claim so only Transilience's identity can assume it, not other workloads federated through the same provider.
  • Maximum session duration is one hour. Credentials are never persisted server-side.

The literal trust policy values are in the CloudFormation template. Click "View raw CloudFormation YAML" below if you need to inspect them before deploying.
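As an added example (not part of this page or of Transilience's template), a small check a reviewer can run over a role's trust policy document before deploying, to confirm it pins the federated provider, the audience claim and a subject prefix the way the trust model above describes. The provider host, account id, audience and subject prefix below are placeholders; substitute the literal values from the raw template.

```python
import json

# Constructed sample trust policy of the shape the page describes (OIDC federation,
# aud pinned, sub prefix pinned). Provider host, account id, audience and subject
# prefix are PLACEHOLDERS, not Transilience's real values.
OIDC_PROVIDER = "oidc.placeholder-issuer.invalid"
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC_PROVIDER
EXPECTED_AUD = "placeholder-audience"
EXPECTED_SUB_PREFIX = "placeholder-tenant:*"

PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {OIDC_PROVIDER + ":aud": EXPECTED_AUD},
            "StringLike": {OIDC_PROVIDER + ":sub": EXPECTED_SUB_PREFIX},
        },
    }],
}

# Same policy without the sub condition: any identity from the provider with the right aud could assume the role.
UNPINNED_SUB_POLICY = json.loads(json.dumps(PINNED_POLICY))  # cheap deep copy
del UNPINNED_SUB_POLICY["Statement"][0]["Condition"]["StringLike"]

def check_oidc_trust(policy, provider_arn, aud, sub_prefix):
    """Findings for each Allow statement granting web-identity assumption; empty list means fully pinned."""
    host = provider_arn.split("oidc-provider/", 1)[1]  # IAM condition keys use the provider host
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        fed = stmt.get("Principal", {}).get("Federated", "")
        if fed != provider_arn:
            findings.append(f"unexpected federated principal {fed!r}")
        cond = stmt.get("Condition", {})
        got_aud = cond.get("StringEquals", {}).get(host + ":aud")
        if got_aud != aud:
            findings.append(f"aud not pinned to {aud!r} (got {got_aud!r})")
        got_sub = (cond.get("StringLike", {}).get(host + ":sub")
                   or cond.get("StringEquals", {}).get(host + ":sub"))
        if got_sub is None or got_sub == "*":
            findings.append("sub not pinned: any identity from this provider could assume the role")
        elif got_sub != sub_prefix:
            findings.append(f"sub condition {got_sub!r} differs from expected {sub_prefix!r}")
    return findings
```

Feed it the `AssumeRolePolicyDocument` from the downloaded template (or from `aws iam get-role`) and treat any non-empty result as a reason to stop and ask before creating the stack.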

Compare

What you get at each tier

Capability · Audit · Vulnerabilities · Logs · Host Configuration

  • AWS SecurityAudit (config & posture)
  • ECR container image scanning
  • S3 configuration review
  • CloudWatch Logs & VPC describe
  • Security Hub / GuardDuty / Inspector findings
  • SSM inventory & patch state (read)
  • Cost Explorer & budgets
  • CloudTrail event lookup
  • CloudTrail S3 log bucket read
  • SSM run-command for host config (write)

FAQ

Common questions

  • What region does the stack deploy in?
    Each template is hosted in us-east-1 and the CloudFormation stack deploys there by default. The IAM role itself is global, so the choice of region is just where the stack record lives. You can switch regions on the AWS console screen before clicking Create.
  • Do I need to provide an External ID?
    No. Transilience uses OpenID Connect federation to assume the role via sts:AssumeRoleWithWebIdentity, so there is no shared secret. The trust policy pins both the audience claim and a subject-prefix claim so only Transilience's identity can assume the role.
  • Why does the Host Configuration tier need SSM write?
    Some compliance evidence (most notably SSH config, host-hardening settings, and other in-instance config files) isn't exposed by AWS read APIs. The SSM Write policy lets Transilience run a Systems Manager document on your instances to read those files. The iam:PassRole permission is tightly scoped to ssm.amazonaws.com and to the TransilienceComplianceRole itself. Transilience is not granted any IAM, EC2, or networking write permissions.
  • What does the registration Lambda do?
    Each template includes a small Lambda that runs once at stack creation. It POSTs your account ID, role ARN, customer email, and customer name to the Transilience backend so the account shows up inside the app immediately. The Logs and Host Configuration templates also include a CloudTrail discovery Lambda that lists your trails so the inline policy can be scoped to those exact S3 buckets.
  • Can I upgrade from Audit to a higher tier later?
    Yes. Update the existing stack in place with the new template URL. CloudFormation diffs the IAM policy and applies the additional permissions; the role name (TransilienceComplianceRole) stays the same so nothing inside the Transilience app needs reconfiguring.
  • Where do you store credentials?
    There are no long-lived keys. Every time Transilience needs to read from your account it exchanges a short-lived OIDC identity token for temporary AWS credentials via STS. The max session duration on the role is one hour.

Stuck on a permission, region, or audit question?

Our team can walk you through the trust policy, scope, and what Transilience does with each role in a 15-minute call.