
MFA Everywhere: The Cheapest Security Upgrade for Your AWS Account

Viktor B.

Co-founder & CEO · May 1, 2026 · 7 min read

If you do one security thing for your AWS account, make it this: enable MFA everywhere. Multi-factor authentication blocks the most common attack pattern, a stolen or phished password, and costs nothing beyond a few minutes (authenticator apps are free; a hardware key is a one-time purchase). A compromised password without MFA gives an attacker everything that identity can do. A compromised password with MFA gets them nothing on its own, and with a FIDO2 security key even a real-time phishing proxy is stopped, because the key only signs for the genuine AWS sign-in origin.

Here's how to set up MFA on every account type in AWS, in order of priority.

Priority 1: Root Account MFA (2 minutes)

The root user has unrestricted access to everything in its account. No IAM policy or permissions boundary applies to it. Service control policies do restrict the root user of a member account in an Organization, but never the root user of the management account, and a standalone account has no guardrail at all. If an attacker gets root access without MFA, they can change the account email and password to lock you out, alter billing details, delete every resource, and close the account.

How to enable it:

  1. Sign in to the AWS Console with your root account credentials
  2. Go to IAM → Security credentials (or click your account name → Security credentials)
  3. In the "Multi-factor authentication (MFA)" section, click "Assign MFA device"
  4. Choose your device type:
    • Security key or passkey (recommended) — a FIDO2 hardware key such as a YubiKey, or a platform passkey. Phishing-resistant: the credential is bound to the AWS sign-in origin, so a look-alike site cannot replay it. No battery, no app needed
    • Authenticator app — Authy, 1Password, Google Authenticator. Free and convenient, but a TOTP code can be phished and relayed in real time
    • Hardware TOTP token — a dedicated code-display device. More expensive, less common, and it carries the same phishing caveat as an app
  5. Follow the setup flow; for a TOTP device you enter two consecutive codes so AWS can verify the device's clock
  6. Plan for device loss now. AWS does not issue backup codes for the root user: if the only root MFA device is lost, you must go through the root recovery flow, which verifies the account's registered email address and phone number, so keep both current. (For an IAM user, an administrator simply deactivates the lost device.)

Best practice: register two MFA devices for the root user (AWS allows up to eight per root user and per IAM user) and keep the second one in a different location. If one is lost, you still have access without touching the recovery flow.

Priority 2: IAM Users with Console Access (5 minutes per user)

Every IAM user who can log into the AWS console should have MFA enabled. A console password without MFA is a vulnerability — passwords can be phished, guessed, or stolen from compromised machines.

For each IAM user:

  1. Go to IAM → Users → [username] → Security credentials
  2. In the MFA section, click "Assign MFA device"
  3. Walk through the same setup flow as root

Enforcing MFA with an IAM Policy

Don't just enable MFA — enforce it. Attach an IAM policy that denies all actions (except MFA self-service) unless the request carries the aws:MultiFactorAuthPresent condition key set to true. AWS provides a documented policy template for this ("Allows MFA-authenticated IAM users to manage their own credentials"). Write the Deny statement's condition with the BoolIfExists operator rather than Bool: a request made with long-lived access keys carries no MFA key at all, and plain Bool would let it through. The effect: a user who logs in without MFA can only set up their MFA device. They can't access any other AWS service until MFA is active.

This is the most effective way to ensure MFA adoption. Users who forget to set up MFA are blocked from doing anything useful until they do.

Priority 3: IAM Identity Center (SSO) Users (3 minutes)

If you're using IAM Identity Center (recommended for new accounts), MFA configuration lives in the Identity Center settings, not in IAM. One caveat: these settings apply to the built-in identity store (and AD). If Identity Center federates to an external identity provider such as Okta or Entra ID, MFA is enforced in that provider, and you must require it there.

  1. Go to IAM Identity Center → Settings → Authentication
  2. Under "Multi-factor authentication," click "Configure"
  3. Under "Prompt users for MFA," choose "Every time they sign in (always-on)" for maximum security, or "Only when their sign-in context changes (context-aware)" for a balance between security and convenience. Never choose "Never (disabled)"
  4. Under "Users can authenticate with these MFA types," enable security keys and built-in authenticators (FIDO2 and passkeys) and, if you need them, authenticator apps
  5. Under "If a user does not yet have a registered MFA device," choose "Require them to register an MFA device at sign in." The alternatives ("Allow them to sign in," or an emailed one-time password) make MFA optional, and optional means it won't happen

With MFA required, every SSO user must register an MFA device on their first login. No exceptions, no "I'll do it later."

What About Access Keys?

MFA doesn't protect API access through long-lived access keys. An access key that gets leaked to GitHub is usable without MFA. This is why the best practice is to eliminate long-lived access keys entirely: use IAM roles for services, use SSO with temporary credentials for humans, and use OIDC federation for CI/CD pipelines.

If you must use access keys, add an MFA condition to the IAM policies that govern sensitive operations. The user then calls sts:GetSessionToken with the MFA device's serial number (its ARN) and a current code, receives temporary credentials whose requests carry aws:MultiFactorAuthPresent set to true, and uses those for the protected actions. Write the condition with BoolIfExists so that a request made directly with the long-lived key, which has no MFA key in its context at all, is also denied. Note that GetSessionToken with MFA only works from an IAM user's long-term credentials, not from a role session.
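Here is a small simulator of how IAM evaluates the pattern from the enforcement section above and from the access-key paragraph just before this. It is an added example written for this post, not AWS's code and not the documented template verbatim: the statements are typed from memory of AWS's self-service MFA policy, the Allow on s3:* stands in for whatever the user's real permissions are, resource matching is skipped, and the request contexts are constructed. It exists to show one thing concretely: with BoolIfExists a request from a long-lived access key (no aws:MultiFactorAuthPresent key in the context) is denied, while with plain Bool the same request sails through.

```python
"""Simulate IAM evaluation of the "deny unless MFA" pattern.

Added example, not code from the post or from AWS. The statements echo
AWS's documented self-service MFA template but are written from memory;
copy the current template from the IAM documentation for real use.
Resource matching is deliberately ignored: only Action/NotAction, the
Condition block and the explicit-deny-wins rule are modelled.
"""
from fnmatch import fnmatchcase

# Actions an un-MFA'd user must still be allowed, so they can enroll a device
# (and mint an MFA session with GetSessionToken for API access).
MFA_SELF_SERVICE = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:GetMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def build_policy(mfa_operator="BoolIfExists"):
    """Return an enforcement policy; mfa_operator selects the condition
    operator on the Deny statement. Only BoolIfExists is safe."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # What the user is supposed to be able to do once MFA is present
            # (placeholder for the user's real permissions).
            {"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            # Self-service, so enrollment is possible before MFA exists.
            {"Sid": "AllowOwnMfa", "Effect": "Allow", "Action": MFA_SELF_SERVICE,
             "Resource": "arn:aws:iam::*:user/${aws:username}"},
            # The guard: deny everything else when MFA is absent.
            {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
             "NotAction": MFA_SELF_SERVICE, "Resource": "*",
             "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Model Bool vs BoolIfExists for a request context that may lack the key."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            if key not in ctx:
                if operator.endswith("IfExists"):
                    continue        # missing key satisfies the condition
                return False        # plain Bool: a missing key never matches
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' or 'Deny': explicit Deny wins, else any Allow, else implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:
            applies = not _action_matches(stmt["NotAction"], action)
        if not applies or not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


# Constructed request contexts; only the key that matters is shown.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}   # MFA sign-in, or GetSessionToken with a code
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}    # password-only sign-in
LONG_LIVED_KEY = {}                                          # raw access key: the key is absent entirely


def demo():
    safe, weak = build_policy("BoolIfExists"), build_policy("Bool")
    return {
        "mfa session can delete bucket": evaluate(safe, "s3:DeleteBucket", CONSOLE_WITH_MFA),
        "no-mfa console can delete bucket": evaluate(safe, "s3:DeleteBucket", CONSOLE_NO_MFA),
        "no-mfa console can enroll device": evaluate(safe, "iam:EnableMFADevice", CONSOLE_NO_MFA),
        "raw access key, BoolIfExists": evaluate(safe, "s3:DeleteBucket", LONG_LIVED_KEY),
        "raw access key, plain Bool": evaluate(weak, "s3:DeleteBucket", LONG_LIVED_KEY),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:36} -> {verdict}")
```

The last two lines of the demo are the point: the same raw-key request is denied under BoolIfExists and allowed under Bool. A user holding only a long-lived key is still allowed sts:GetSessionToken, which is how they obtain an MFA-flagged session for the protected actions.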

Monitoring MFA Compliance

Setting up MFA is the first step. Keeping it enforced as your team grows is the ongoing challenge. New IAM users get created without MFA. MFA devices get deactivated during troubleshooting and never re-enabled. Root MFA gets removed during an account migration and nobody notices.

Use the AWS Config managed rules root-account-mfa-enabled (or root-account-hardware-mfa-enabled if you standardise on hardware keys), mfa-enabled-for-iam-console-access (users with a console password) and iam-user-mfa-enabled (every IAM user) to continuously evaluate MFA status. Config only marks a resource noncompliant; to actually be alerted, route the compliance-change events to SNS or a chat channel with an EventBridge rule, otherwise the finding sits unseen in the Config console.
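As an added example (not the post's or Vigilare's code), the following script checks the same conditions those Config rules check, but offline, from the IAM credential report. Generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the CSV to mfa_findings. The rows embedded here are constructed sample data trimmed to the columns the check reads; the real report has more columns, which DictReader simply ignores.

```python
"""Find MFA gaps in an IAM credential report.

Added example, not code from the post or from Vigilare. Input is the CSV
returned by `aws iam get-credential-report` (base64-decoded). SAMPLE_REPORT
is constructed data, trimmed to the columns this check reads.
"""
import csv
import io

# Constructed sample: the root row, one compliant user, one console user
# without MFA, and one API-only user with a long-lived key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2026-04-30T09:12:00+00:00,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T00:00:00+00:00,true,2026-04-29T08:00:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2026-04-28T00:00:00+00:00,true,no_information,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-03-01T00:00:00+00:00,false,N/A,false,true,false
"""


def _flag(row, column):
    # The report uses the strings "true"/"false" (and "not_supported" on the root row).
    return row.get(column, "").strip().lower() == "true"


def mfa_findings(report_csv):
    """Return [(user, severity, message)] for every MFA gap in the report.

    CRITICAL: root user without MFA           (what root-account-mfa-enabled checks)
    HIGH:     console password without MFA    (what mfa-enabled-for-iam-console-access checks)
    INFO:     API-only user with a live key; MFA cannot protect it, replace it with a role
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        mfa = _flag(row, "mfa_active")
        if row["user"] == "<root_account>":
            if not mfa:
                findings.append((row["user"], "CRITICAL", "root user has no MFA device"))
            continue
        console = _flag(row, "password_enabled")
        has_key = _flag(row, "access_key_1_active") or _flag(row, "access_key_2_active")
        if console and not mfa:
            findings.append((row["user"], "HIGH", "console password enabled without MFA"))
        if has_key and not console:
            findings.append((row["user"], "INFO",
                             "API-only user with a long-lived key: MFA does not apply, prefer a role"))
    return findings


def is_compliant(report_csv):
    """True when nothing CRITICAL or HIGH was found (INFO items do not fail the check)."""
    return not any(sev in ("CRITICAL", "HIGH") for _, sev, _ in mfa_findings(report_csv))


if __name__ == "__main__":
    for user, sev, msg in mfa_findings(SAMPLE_REPORT):
        print(f"{sev:8} {user:16} {msg}")
    print("compliant:", is_compliant(SAMPLE_REPORT))
```

Run it on a schedule (or from the same pipeline that runs your Config evaluations) and fail the job on is_compliant returning False; the INFO items are the list of users to migrate off long-lived keys.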

Vigilare monitors MFA status as part of its security posture assessment. If root MFA is disabled, or if an IAM user with console access lacks MFA, it directly impacts your risk score — making it visible in the same dashboard where you see billing, compliance, and operational health. Start a free 14-day trial.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.
