What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

Back to home

API Reference

The Vigilare REST API. All endpoints return JSON. Authenticated endpoints require a Bearer token obtained from POST /auth/login.

Base URLhttps://api.vigilare.cloud

Auth headerAuthorization: Bearer <id_token>

Content typeapplication/json

Authentication

POST/auth/signup

Create a new tenant account

Request body

Name	Type	Description
email*	string	Account email address
password*	string	Minimum 8 characters
name*	string	Display name (1–200 chars)

Response

{
  "tenant_id": "01JABCDE...",
  "user_id": "01JABCDF...",
  "message": "Account created successfully. You can now log in."
}

POST/auth/login

Authenticate and obtain JWT tokens

Use id_token as the Bearer token in the Authorization header for subsequent requests.

Request body

Name	Type	Description
email*	string	Account email
password*	string	Account password

Response

{
  "access_token": "eyJ...",
  "id_token": "eyJ...",
  "refresh_token": "eyJ...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Profile

Read and update the authenticated user's profile and tenant information.

GET/me🔐 Auth required

Get current user and tenant

Response

{
  "user": {
    "user_id": "01JABCDF...",
    "email": "alice@example.com",
    "name": "Alice",
    "role": "owner",
    "created_at": "2026-04-01T10:00:00+00:00"
  },
  "tenant": {
    "tenant_id": "01JABCDE...",
    "name": "Acme Inc",
    "plan": "team",
    "status": "active",
    "created_at": "2026-04-01T10:00:00+00:00"
  }
}

PATCH/me🔐 Auth required

Update display name

Request body

Name	Type	Description
name*	string	New display name (1–200 chars)

Response

{ "name": "Alice Smith" }

Accounts

Connect, verify, and manage monitored AWS accounts. The two-step connect → verify flow provisions the cross-account IAM role and starts the monitoring pipeline.

POST/accounts🔐 Auth required

Connect an AWS account

Returns a Terraform snippet and CLI script to provision the cross-account IAM role. Call /verify once the role is in place.

Request body

Name	Type	Description
aws_account_id*	string	12-digit AWS account ID
display_name	string	Human-readable label (max 200 chars)
tags	string[]	Arbitrary string tags for filtering

Response

{
  "aws_account_id": "123456789012",
  "external_id": "abc123...",
  "sentinel_account_id": "987654321098",
  "status": "PENDING",
  "terraform_snippet": "module \"vigilare_onboarding\" { ... }",
  "fallback_cli_script": "aws iam create-role ..."
}

POST/accounts/{account_id}/verify🔐 Auth required

Verify IAM role and activate monitoring

Assumes the cross-account role via STS. On success, status changes to ACTIVE and the first scan is triggered immediately.

Response

{
  "aws_account_id": "123456789012",
  "status": "ACTIVE",
  "first_scan_execution_arn": "arn:aws:states:..."
}

GET/accounts🔐 Auth required

List connected accounts

Response

{
  "accounts": [
    {
      "aws_account_id": "123456789012",
      "display_name": "Production",
      "status": "ACTIVE",
      "current_srs": 82,
      "last_scan_at": "2026-05-22T10:00:00+00:00",
      "tags": ["prod"]
    }
  ],
  "total": 1
}

GET/accounts/{account_id}🔐 Auth required

Get account details

Response

{
  "aws_account_id": "123456789012",
  "display_name": "Production",
  "status": "ACTIVE",
  "current_srs": 82,
  "connected_at": "2026-04-01T10:00:00+00:00",
  "last_scan_at": "2026-05-22T10:00:00+00:00",
  "last_successful_scan_at": "2026-05-22T10:00:00+00:00",
  "tags": ["prod"]
}

GET/accounts/{account_id}/signals🔐 Auth required

List findings for an account

Query parameters

Name	Type	Description
severity	string	Filter by severity: CRITICAL, HIGH, MEDIUM, or LOW
scenario	string	Filter by scenario type (e.g. iam, billing)
since	string	ISO 8601 timestamp — return findings after this time
limit	integer	Max results per page (1–200, default 50)
next_token	string	Pagination cursor from the previous response

Response

{
  "signals": [
    {
      "signal_id": "01JABCDG...",
      "scenario": "iam",
      "severity": "HIGH",
      "title": "Root account login detected",
      "description": "Root account login from 203.0.113.5",
      "detected_at": "2026-05-22T09:45:00+00:00",
      "resolved_at": null
    }
  ],
  "count": 1,
  "next_token": null
}

GET/accounts/{account_id}/score-history🔐 Auth required

Get risk score history

Query parameters

Name	Type	Description
days	integer	Number of days of history to return (default 30)

Response

{
  "history": [
    { "date": "2026-05-22", "srs": 82 },
    { "date": "2026-05-21", "srs": 79 }
  ]
}

GET/accounts/{account_id}/recovery-checklist🔐 Auth required

Get suspension recovery checklist

Returns a prioritised remediation checklist tailored to the account's active findings.

Response

{
  "checklist": [
    {
      "step": 1,
      "title": "Remove offending IAM policies",
      "description": "...",
      "docs_url": "https://docs.aws.amazon.com/..."
    }
  ]
}

POST/accounts/{account_id}/scan🔐 Auth required

Trigger a manual scan

Manual scans count toward the scan rate limit. Frequent manual scans on the Solo plan may be throttled.

Response

{
  "message": "Scan started",
  "execution_arn": "arn:aws:states:..."
}

POST/accounts/{account_id}/panic🔐 Auth required

Generate emergency response package

Produces a signed S3 URL containing a full export of findings, risk scores, and remediation guidance. URL expires after 15 minutes.

Response

{
  "message": "Panic package generated",
  "download_url": "https://s3.amazonaws.com/..."
}

GET/accounts/{account_id}/export🔐 Auth required

Export findings as CSV

Available on Team, Agency, and Enterprise plans.

Response

CSV file download (Content-Type: text/csv)

DELETE/accounts/{account_id}🔐 Auth required

Disconnect an account

Stops all scheduled scans and marks the account as DISCONNECTED. The IAM role in your AWS account is not removed automatically.

Response

{ "message": "Account disconnected" }

Alert Rules

Configure when and how you receive alerts. A rule fires when the Security Risk Score drops below min_srs or a specified scenario is detected.

GET/alert-rules🔐 Auth required

List alert rules

Response

{
  "rules": [
    {
      "rule_id": "01JABCDI...",
      "name": "Critical alerts to PagerDuty",
      "min_srs": 50,
      "scenarios": ["iam", "billing"],
      "channels": [{ "type": "pagerduty", "routing_key": "abc123" }],
      "enabled": true
    }
  ],
  "count": 1
}

POST/alert-rules🔐 Auth required

Create an alert rule

Request body

Name	Type	Description
name*	string	Rule label (1–200 chars)
min_srs	integer	Score threshold 0–100 that triggers the rule (default 40)
scenarios	string[]	Scenario filter — empty means all scenarios
channels*	ChannelConfig[]	At least one delivery channel (email, slack, pagerduty)
enabled	boolean	Whether the rule is active (default true)

Response

{
  "rule_id": "01JABCDI...",
  "name": "Critical alerts to PagerDuty",
  "min_srs": 50,
  "scenarios": ["iam"],
  "channels": [{ "type": "pagerduty", "routing_key": "abc123" }],
  "enabled": true,
  "created_at": "2026-05-22T10:00:00+00:00"
}

PATCH/alert-rules/{rule_id}🔐 Auth required

Update an alert rule

Request body

Name	Type	Description
name	string	New rule name
min_srs	integer	New score threshold
scenarios	string[]	Replacement scenario list
channels	ChannelConfig[]	Replacement channel list
enabled	boolean	Enable or disable the rule

Response

Updated rule object

DELETE/alert-rules/{rule_id}🔐 Auth required

Delete an alert rule

Response

{ "message": "Alert rule deleted" }

Alerts

Query fired alert events and acknowledge them to suppress duplicate notifications.

GET/alerts🔐 Auth required

List alert events

Query parameters

Name	Type	Description
limit	integer	Results per page (1–200, default 50)
next_token	string	Pagination cursor

Response

{
  "alerts": [
    {
      "alert_id": "01JABCDJ...",
      "aws_account_id": "123456789012",
      "rule_id": "01JABCDI...",
      "srs_at_trigger": 38,
      "scenarios_triggered": ["iam"],
      "fired_at": "2026-05-22T09:50:00+00:00",
      "acknowledged_at": null
    }
  ],
  "count": 1,
  "next_token": null
}

POST/alerts/{alert_id}/ack🔐 Auth required

Acknowledge an alert

Acknowledged alerts are suppressed from re-notification until the underlying finding changes.

Response

{
  "alert_id": "01JABCDJ...",
  "acknowledged_at": "2026-05-22T10:00:00+00:00"
}

Users

Manage team members on your tenant. Only owners and admins can invite or remove users. Only owners can change roles.

GET/users🔐 Auth required

List team members

Response

{
  "users": [
    {
      "user_id": "01JABCDF...",
      "email": "alice@example.com",
      "name": "Alice",
      "role": "owner",
      "created_at": "2026-04-01T10:00:00+00:00"
    }
  ],
  "total": 1
}

POST/users/invite🔐 Auth required

Invite a new team member

Request body

Name	Type	Description
email*	string	Email address of the invitee
name*	string	Display name
role	string	One of: admin, member, viewer (default member)

Response

{
  "user_id": "01JABCDK...",
  "email": "bob@example.com",
  "name": "Bob",
  "role": "member",
  "message": "Invitation sent. The user will receive an email with login instructions."
}

PATCH/users/{user_id}🔐 Auth required

Change a user's role

Only owners can promote or demote users. The account owner role cannot be changed.

Request body

Name	Type	Description
role*	string	New role: admin, member, or viewer

Response

{
  "user_id": "01JABCDK...",
  "role": "admin",
  "updated_at": "2026-05-22T10:00:00+00:00"
}

DELETE/users/{user_id}🔐 Auth required

Remove a team member

Cannot remove yourself or the account owner.

Response

204 No Content

Billing

Retrieve plan information and manage subscriptions via Stripe.

GET/billing/plans

List available plans

Response

{
  "plans": [
    {
      "id": "solo",
      "name": "Solo",
      "price_usd_month": 29,
      "account_limit": 1,
      "scan_interval_minutes": 15,
      "features": ["Email alerts", "IAM monitoring", "Billing anomaly detection"]
    }
  ]
}

POST/billing/checkout🔐 Auth required

Create a Stripe checkout session

Request body

Name	Type	Description
plan_id*	string	Plan identifier: solo, team, agency, or enterprise
success_url*	string	Redirect URL on successful payment
cancel_url*	string	Redirect URL when the user cancels

Response

{
  "checkout_url": "https://checkout.stripe.com/pay/cs_..."
}

GET/billing/portal🔐 Auth required

Get Stripe customer portal URL

Redirects the user to Stripe's self-serve portal to manage subscriptions, invoices, and payment methods.

Response

{
  "portal_url": "https://billing.stripe.com/session/..."
}

Integrations

Connect third-party services. Slack uses a standard OAuth 2.0 flow.

GET/integrations/slack/oauth-start🔐 Auth required

Start the Slack OAuth flow

Redirect the user to oauth_url to authorise the Vigilare Slack app. Slack will callback to /webhooks/slack/install.

Response

{
  "oauth_url": "https://slack.com/oauth/v2/authorize?..."
}

Error responses

All errors return a JSON body with an error field.

Status	Meaning
400	Bad request — request body failed validation
401	Unauthorized — missing or invalid Bearer token
403	Forbidden — insufficient role, or plan limit exceeded
404	Resource not found
409	Conflict — resource already exists
422	Unprocessable — cross-account role assumption failed
429	Rate limited — too many requests
500	Internal server error

Need help with the API?

Our support team can help with integration questions, custom rate limits, and enterprise contracts.

Contact support