Read-only AWS IAM role

Read-only AWS role setup for Posturio scans.

Posturio uses an agentless, read-only IAM role model. The role is assumed with STS, scoped by external ID, and used only to collect evidence needed by the current live AWS posture scan engine. This page shows the practical role shape buyers should review before they connect an account.

Setup model

Access model: AssumeRole via STS
Role scope: Read-only
Isolation: ExternalId per org
Execution model: Agentless AWS API collection

Trust policy

Example trust relationship

The trust policy should allow Posturio to assume the role from its AWS account and require an external ID unique to your organization or workspace.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<POSTURIO_AWS_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<POSTURIO_EXTERNAL_ID>"
        }
      }
    }
  ]
}

The exact Posturio AWS account ID and external ID are expected to come from your onboarding or console flow. The important part is the model: explicit principal plus mandatory external ID.

Current permissions

Current live scan-engine permission set

The policy below matches the current live Posturio scan engine scope. It is intentionally narrow and aligned to the currently implemented posture checks rather than the broader public AWS guide library.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:ListAccessKeys",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus",
        "guardduty:ListDetectors",
        "guardduty:GetDetector",
        "securityhub:DescribeHub",
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:GetKeyRotationStatus",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetEncryptionConfiguration",
        "rds:DescribeDBInstances",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
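
As an added example (not Posturio's code), an offline Python check a reviewer can run over the two policy documents above before creating the role: it confirms the trust policy names a specific principal and gates sts:AssumeRole on a StringEquals sts:ExternalId condition, and that every allowed permission is an explicit Get/List/Describe call with no wildcards. The sample documents are constructed from the placeholders on this page, plus deliberately weakened copies to show what a failing review looks like.

```python
"""Offline linter for a Posturio-style role pair: trust policy plus read-only permissions."""

# Verbs that only read state; any other verb, or any wildcard, is flagged.
READ_ONLY_VERBS = ("Get", "List", "Describe")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Findings for every Allow statement that grants sts:AssumeRole (empty list means pass)."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", "")
        if "*" in _as_list(aws):
            findings.append("trust: wildcard principal lets any AWS account assume the role")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("trust: sts:AssumeRole is not gated by a StringEquals sts:ExternalId condition")
    return findings

def check_permissions_policy(doc):
    """Findings for any allowed action that is not an explicit Get/List/Describe call."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action or not verb:
                findings.append(f"perm: wildcard or malformed action {action!r}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"perm: {action!r} is a write or otherwise non-read verb")
    return findings

# Constructed samples: the trust shape from this page, and a weakened copy with no ExternalId.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::<POSTURIO_AWS_ACCOUNT_ID>:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "<POSTURIO_EXTERNAL_ID>"}}}]}
TRUST_WEAK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
# Constructed subset of the page's read-only policy, and a copy with two grants a reviewer must reject.
PERMS_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "sts:GetCallerIdentity", "iam:ListUsers", "cloudtrail:DescribeTrails",
    "s3:GetBucketPublicAccessBlock", "ec2:DescribeSecurityGroups"]}]}
PERMS_BAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "iam:ListUsers", "s3:PutBucketPolicy", "kms:*"]}]}
```

Run the two checks over the documents you are about to attach to the role; an empty list from both is the expected result for the policies shown on this page.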

How the role is used

1. Identity and access checks

Posturio reads IAM account summary, password policy, MFA device status, root access-key presence, and access-key age for the current live IAM findings.

2. Logging and detection checks

Posturio inspects CloudTrail, AWS Config, GuardDuty, and Security Hub state for the current live logging and incident-readiness findings.

3. Storage and network checks

Posturio reads KMS key rotation, S3 public-access posture, RDS baseline state, and security-group ingress by region for the current live data-protection and network checks.

Why this matters

Proof-first AWS onboarding reduces buying friction.

  • Security reviewers can inspect the exact read-only role shape before any scan runs
  • Engineering teams can compare the permission set against the current coverage matrix
  • Buyers can see the resulting output in the sample report before deeper rollout

Last updated: March 23, 2026