What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS MSP Account Management: Scaling Client AWS Environments Efficiently

Managing ten client AWS accounts and managing one hundred are fundamentally different operational challenges. The processes that work for a small portfolio — checking each account's console, maintaining separate documentation for each client, handling alerts account by account — break down completely at scale. The teams that manage large AWS portfolios successfully have built automation, centralized visibility, and standardized processes that make adding a new client a repeatable operation rather than a unique project.

This guide covers the architectural decisions and tooling choices that distinguish MSPs managing AWS at scale from those constantly fighting fires across a fragmented portfolio.

Account Access Architecture

The first decision is how your MSP team accesses client accounts. Three patterns are in use:

Cross-account IAM roles: Clients create an IAM role in their account with a trust policy allowing your MSP management account to assume it. Your team assumes the client role for all work in that account. This is the most common pattern and provides good separation — each client's account is clearly distinct, and you can scope the role's permissions to exactly what your MSP needs. The role ARN becomes the operational identifier for each client account.

AWS Organizations with delegated access: For clients who consent to organizational management, invite their accounts into your MSP's AWS Organization or use a linked account structure. This enables central policy enforcement and consolidated billing but requires careful governance to prevent policies applied in one client context from affecting others. Most MSPs avoid this pattern because the compliance and contractual complexity outweighs the operational benefits.

Per-client IAM users (avoid): Creating IAM users in each client account for MSP staff doesn't scale. Key rotation, access reviews, and offboarding become manual work multiplied by account count. Use cross-account roles instead.

For cross-account role access, implement AWS IAM Identity Center (SSO) in your MSP management account. Identity Center can be configured to allow users to assume roles in multiple accounts through a single sign-on experience. Your MSP engineer logs in once and can switch to any client account they're authorized to access without managing separate credentials per account.

Standardized Account Baseline

Every client account should start from a consistent baseline. Applying a baseline manually to each new account is error-prone and doesn't scale. Build an account vending machine — automation that configures a new account to your standard baseline when it's created:

CloudTrail enabled in all regions with logs centralized to your MSP log management account
AWS Config enabled with your standard rule set
GuardDuty enabled in all regions
Your MSP cross-account role provisioned with least-privilege permissions
Billing alerts and budget thresholds configured
Standard tagging policy enforced via AWS Config

Implement the baseline as Infrastructure as Code (Terraform or CloudFormation) that runs against each new account. Store client-specific overrides (specific security rules for regulated industries, special monitoring configurations) as parameters rather than forks of the baseline code.

Centralized Monitoring Across Accounts

Operating separate monitoring consoles for each client account creates overwhelming context-switching overhead. Build centralized visibility by aggregating monitoring data from all client accounts to your MSP operations account:

CloudTrail log aggregation: configure each client account's CloudTrail to deliver logs to an S3 bucket in your MSP log management account (with appropriate cross-account bucket policy). This centralizes audit logs for search and analysis without requiring login to individual accounts.

GuardDuty findings aggregation: use GuardDuty's delegated administrator feature to aggregate findings from all accounts to a central security account. Set up your MSP management account as the GuardDuty administrator for each client's organization. All findings are visible in one GuardDuty console, with account-level filtering when you need to investigate a specific client.

CloudWatch cross-account observability: configure cross-account CloudWatch metric sharing to push key metrics from client accounts to your MSP monitoring account. Build dashboards that show the health summary for all clients simultaneously, with drill-down capability to the account level for investigation.

Alert Management and Client Communication

Alert routing in a multi-client environment requires clarity about which alerts go to your MSP team versus which go directly to clients. Define a tiered model:

Tier 1 (MSP-only): Informational alerts that require MSP action but don't need client notification — Config compliance drift, minor GuardDuty findings, patch compliance gaps. Your team investigates and resolves without client involvement unless resolution requires client action.
Tier 2 (MSP action + client notification): Security findings, billing anomalies above a threshold, availability incidents. Your team investigates and fixes, and proactively notifies the client of the issue and resolution.
Tier 3 (Joint response): Major security incidents, significant billing anomalies, service outages. Immediate client notification with your team and client working together on response.

Vigilare provides multi-tenant monitoring specifically designed for MSP environments, with per-client dashboards, centralized alerting, and client-facing reporting that reduces the manual work of compiling account health reports. See the client monitoring guide for implementation details.

Billing and Cost Management at Scale

Consolidated billing through AWS Organizations simplifies billing management for client accounts you manage under your organization structure. For accounts managed via cross-account roles (without organizational consolidation), each account bills independently — you need tooling to pull billing data from multiple accounts and present it consistently.

AWS Cost and Usage Reports (CUR) provide detailed billing data per account. Configure CUR delivery to a central S3 bucket with cross-account access from all managed accounts. Use Athena or a BI tool to query CUR data across all clients for billing analytics and client reporting. See the MSP billing visibility guide for the detailed implementation.

FAQ

How should MSPs handle client accounts with existing, non-standard configurations?

Inherited accounts rarely match your baseline. Implement a discovery process when onboarding an existing account: run a security assessment to identify gaps, categorize findings by risk level, and create a remediation plan with the client. Don't try to bring the account to baseline overnight — prioritize critical security gaps, then work through lower-priority items over the first 30-90 days. Document the as-found state and the remediation progress as part of your client relationship management.

What permissions should the MSP cross-account role have?

It depends on what services your MSP delivers. For monitoring-only engagements, read-only access (SecurityAudit and ViewOnlyAccess managed policies) is appropriate. For managed services that include remediation, you need broader permissions but should still avoid administrator access — scope permissions to the specific actions your automation performs. Use permission boundaries on the role to prevent privilege escalation even if the role's policies are misconfigured.

How do you handle MSP staff turnover and access revocation?

Using IAM Identity Center (SSO) in your MSP account means access revocation is centralized — deactivate the user in Identity Center and they lose access to all client accounts immediately. Don't rely on per-account access removal, which requires manual work in each account. Test your offboarding process periodically by verifying that deactivated users can no longer assume client roles.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO