What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Multi-Account Monitoring: Unified Visibility Across Your Organization

Operating a single AWS account is manageable. Operating ten, fifty, or hundreds of accounts — each with its own security posture, billing trajectory, and compliance status — is an entirely different problem. The multi-account architecture that AWS recommends for security isolation and organizational separation creates a corresponding monitoring challenge: how do you maintain comprehensive visibility across every account without drowning in fragmented dashboards and disconnected alert streams?

This guide covers the technical architecture required to monitor multiple AWS accounts effectively, the native AWS tools that support cross-account visibility, their operational limitations, and the patterns that organizations use to build a unified monitoring layer across their entire AWS footprint.

Why Multi-Account Architectures Exist

AWS explicitly recommends a multi-account strategy as a security and governance best practice. Separate accounts provide hard security boundaries — an IAM role in one account cannot access resources in another account unless an explicit cross-account trust is configured. This isolation limits the blast radius of a security incident, prevents resource contention between workloads, and enables fine-grained billing allocation.

Common multi-account patterns include environment isolation where production, staging, and development workloads run in separate accounts, team-based separation where each engineering team or business unit operates in its own account, client isolation used by agencies, MSPs, and SaaS vendors that manage infrastructure on behalf of clients, and compliance segmentation where regulated workloads run in accounts with specific compliance configurations while non-regulated workloads operate in accounts with fewer restrictions.

AWS Organizations provides the hierarchical structure — organizational units (OUs), Service Control Policies (SCPs), and consolidated billing — that makes multi-account management operationally viable. AWS Control Tower extends this with automated account provisioning, pre-configured guardrails, and a governance dashboard.

But governance is not monitoring. Knowing that an account exists and that certain policies are applied to it does not tell you whether that account is secure right now, whether its costs are trending abnormally, or whether its compliance posture has degraded since last week.

The Multi-Account Monitoring Gap

The fundamental challenge with monitoring multiple AWS accounts is that most AWS services are account-scoped. CloudTrail logs, CloudWatch metrics, GuardDuty findings, Config evaluations, and Cost Explorer data are all generated and stored within individual accounts. Aggregating these signals into a unified view requires explicit cross-account infrastructure — delegated administrator configurations, cross-account IAM roles, centralized log destinations, and custom aggregation logic.

Organizations that grow their account count organically often discover this gap reactively. Each account has its own CloudTrail trail delivering to its own S3 bucket, its own CloudWatch alarms configured (or not) independently, its own GuardDuty detector running in isolation, and its own cost monitoring with account-specific thresholds. Security findings in one account are invisible to operators monitoring another account. A billing anomaly in a dormant development account goes undetected because no one is watching that account's Cost Explorer dashboard.

Native AWS Cross-Account Monitoring Tools

AWS provides several mechanisms for aggregating monitoring data across accounts, each covering a specific domain.

AWS Security Hub — Cross-Account Security Findings

Security Hub supports delegated administrator deployment, where a designated account aggregates findings from all member accounts in the organization. Security Hub automatically collects findings from GuardDuty, Inspector, IAM Access Analyzer, Macie, and Firewall Manager across all enrolled accounts, normalizing them into the AWS Security Finding Format (ASFF).

The Security Hub dashboard in the delegated administrator account provides a cross-account view of security posture, including compliance scores against standards like CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices. Findings can be filtered by account, severity, compliance standard, and resource type.

Limitations include the fact that Security Hub is security-focused — it does not aggregate billing, operational, or availability data. Its compliance scores reflect security configuration, not broader operational health.

AWS CloudTrail — Organization Trail

An organization trail, configured in the management account, captures management events from all accounts in the AWS Organization and delivers them to a centralized S3 bucket. This provides a single repository of API activity across the entire organization, enabling cross-account investigation of security incidents and operational events.

Organization trails are essential for forensic capability but do not provide real-time monitoring on their own. Logs delivered to S3 must be processed — through CloudWatch Logs, Athena queries, or a SIEM integration — to generate actionable alerts.

Amazon GuardDuty — Multi-Account Threat Detection

GuardDuty supports delegated administrator deployment, allowing a designated account to enable and manage GuardDuty across all organization accounts. The administrator account receives all findings from member accounts, providing cross-account threat detection visibility.

AWS Config — Multi-Account Compliance

AWS Config aggregators collect configuration and compliance data from multiple accounts and regions into a single account. An organization-level aggregator automatically includes all accounts in the organization, providing a centralized view of resource compliance against Config rules.

Cost Explorer and Cost Anomaly Detection

Cost Explorer in the management account provides consolidated billing views across all member accounts, with the ability to filter and group by account, service, region, and tag. Cost Anomaly Detection monitors can be configured for the entire organization, individual accounts, or specific cost categories.

However, Cost Explorer's management-account view aggregates spending at a level that can obscure account-level anomalies. A $500 daily spike in a development account is invisible in the context of a $50,000 daily organizational spend. Effective cost monitoring requires account-level baselines and anomaly detection in addition to organizational aggregates.

Building a Unified Multi-Account Monitoring Architecture

Native tools cover individual monitoring domains — security, compliance, cost — but no single native service provides a unified cross-domain view of account health. Building this unified view requires an architecture that aggregates signals from multiple sources and presents them through a consolidated dashboard.

Centralized Logging Architecture

Deploy an organization trail for CloudTrail management events. Configure VPC Flow Logs, application logs, and access logs from each account to stream to a centralized logging account. Use Amazon Kinesis Data Firehose or CloudWatch cross-account log subscriptions to aggregate log streams.

Store centralized logs in S3 with Athena for ad-hoc querying and integrate with Amazon OpenSearch Service or a third-party SIEM for real-time analysis and alerting.

Cross-Account EventBridge

Amazon EventBridge supports cross-account event routing. Configure EventBridge rules in each member account to forward security-relevant events — root logins, IAM policy changes, resource creation in unexpected regions — to a central event bus in the monitoring account. The central event bus applies correlation logic and routes alerts to the appropriate response teams.

This pattern provides near-real-time cross-account event processing without the latency of log-based detection pipelines.

Health Signal Aggregation

Build a Lambda function or Step Functions workflow in the monitoring account that periodically queries each member account for health signals: IAM credential report status, Config compliance summary, GuardDuty finding counts by severity, CloudWatch alarm states, and Cost Explorer daily spend. Aggregate these signals into a per-account health score that provides a single metric representing overall account health.

Store historical health scores in DynamoDB or TimeStream to enable trend analysis. An account whose health score has been declining over the past 30 days — even if no individual signal has breached a critical threshold — may represent a growing risk that warrants proactive investigation.

Challenges in Multi-Account Monitoring at Scale

Alert Fatigue

With dozens or hundreds of accounts generating security findings, compliance evaluations, and cost alerts, the total alert volume can quickly overwhelm an operations team. Effective multi-account monitoring requires aggressive alert deduplication, correlation (multiple related findings consolidated into a single incident), and severity normalization (a medium finding in a production account is higher priority than a medium finding in a sandbox account).

Cross-Account Permission Management

The IAM roles required for cross-account monitoring — read access to CloudTrail, Config, GuardDuty, Cost Explorer, and IAM in every member account — must be deployed and maintained consistently. Use AWS CloudFormation StackSets or Terraform modules to deploy monitoring roles across all accounts from a central template. Include least-privilege policies that grant only the read permissions required for monitoring, not write or administrative access.

Account Lifecycle Events

Accounts are created, repurposed, and closed over time. Your monitoring infrastructure must automatically detect new accounts (through Organizations API polling or EventBridge events for CreateAccount), enroll them in all monitoring systems, and gracefully handle account closure without generating spurious alerts.

FAQ

How do I monitor multiple AWS accounts from a single dashboard?

Use AWS Organizations with delegated administrator configurations for Security Hub, GuardDuty, and Config to centralize security and compliance data. For cost monitoring, use the management account's Cost Explorer with account-level filtering. For a unified view across all domains, deploy a centralized monitoring architecture that aggregates signals from these services into a single dashboard — or use a purpose-built multi-account monitoring tool.

What is the best way to set up cross-account CloudTrail monitoring?

Create an organization trail in the management account that automatically captures management events from all member accounts. Configure the trail to deliver logs to a centralized S3 bucket in a dedicated logging account. Enable CloudTrail Lake or integrate with Athena for cross-account log querying. For real-time alerting, pipe organization trail events to a centralized EventBridge bus.

How do I manage AWS costs across multiple accounts?

Enable consolidated billing through AWS Organizations. Use Cost Explorer in the management account to analyze spending by account, service, and region. Deploy AWS Cost Anomaly Detection with monitors at both the organizational and account level. Set AWS Budgets for each account with alerts at multiple thresholds. For real-time anomaly detection, supplement native tools with custom monitoring that checks billing metrics at shorter intervals.

Can AWS Control Tower replace a dedicated multi-account monitoring solution?

AWS Control Tower provides governance and guardrails — automated account provisioning, compliance enforcement, and drift detection. It excels at ensuring accounts are configured correctly at creation time and detecting configuration drift. However, Control Tower is not a comprehensive monitoring solution. It does not provide real-time security alerting, billing anomaly detection, or cross-account operational visibility. Treat Control Tower as a governance layer that complements, rather than replaces, your monitoring infrastructure.

How do MSPs and agencies monitor client AWS accounts?

The most effective approach is to use AWS Organizations with each client in a separate OU, deploy cross-account monitoring roles via StackSets or Terraform, and aggregate monitoring data in a central account. Deploy GuardDuty, Security Hub, and Config in delegated administrator mode for security and compliance coverage. Implement per-account cost monitoring with client-specific baselines and alerting thresholds.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Vigilare Engineering

Platform Team