AWS Accounts

How Cloudventory connects to AWS accounts, manages multiple accounts, and handles account removal and data deletion.

Cloudventory treats each connected AWS account as an independent, read-only data source. You control when accounts are added, scanned, and removed, and when associated data is deleted.

Connecting AWS Accounts

Cloudventory supports multiple authentication methods for connecting AWS accounts. All methods are read-only.

Use a cross-account IAM role for secure, credential-free access.

  • You create a read-only IAM role in your AWS account

  • Cloudventory stores only the role ARN

  • Temporary credentials are requested at scan time and expire automatically

This is the recommended option for long-term use.
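One way to check, before connecting the role, that it is read-only and trusts only the intended principal. This is an added example, not Cloudventory's code: the principal ARN, external ID and both policy documents are constructed placeholders, and the external-ID check reflects general AWS guidance for third-party roles rather than anything stated on this page.

```python
# Added example: offline audit of a cross-account role's two policy documents.
READ_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy):
    """Allowed actions whose name does not start with a read-style verb.
    Prefix matching is a heuristic: Get* still covers data reads such as
    secretsmanager:GetSecretValue, so review what remains as well."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # "everything except ..." is never read-only
            findings.append("NotAction")
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2].lower()
            if not name.startswith(READ_PREFIXES):
                findings.append(action)
    return findings

def trust_findings(trust, expected_principal):
    """Flag Allow statements that trust anyone other than expected_principal
    or that lack an sts:ExternalId condition (general AWS guidance for
    third-party roles; an assumption, not something this page states)."""
    findings = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        trusted = [principal] if isinstance(principal, str) else [
            p for v in principal.values() for p in _as_list(v)]
        findings += [f"unexpected principal: {p}" for p in trusted
                     if p != expected_principal]
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition")
    return findings

VENDOR = "arn:aws:iam::111122223333:root"  # placeholder, not Cloudventory's real ID
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": VENDOR},
                        "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}]}
PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",  # constructed sample
                        "Action": ["ec2:Describe*", "s3:List*", "s3:PutObject", "iam:*"]}]}
if __name__ == "__main__":
    print(trust_findings(TRUST, VENDOR), non_read_only_actions(PERMS))
```

The policy documents can be replaced with the JSON returned for your own role; an empty list from both functions means neither check found anything to review.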

Temporary Credentials (STS)

For one-time or occasional scans, you can provide AWS STS temporary credentials:

  • Access Key ID

  • Secret Access Key

  • Session Token

These credentials expire automatically and are not used for scheduled scans.

Access Keys

If AssumeRole is not practical, you can provide long-lived IAM user access keys.

  • Keys are encrypted at rest

  • We recommend rotating keys regularly or using short-lived credentials when possible

Setup steps are covered in the Quick Start.

Multi-Account Behavior

You can connect multiple AWS accounts to a single Cloudventory organization.

When multiple accounts are connected:

  • Each account is scanned independently

  • All resources appear in a unified inventory

  • Every resource is clearly associated with its source AWS account

  • Search and filtering work across all accounts by default

Cloudventory provides visibility only—it does not merge, modify, or manage resources across accounts.

Account limits depend on your plan. See Pricing for details.

Removing an AWS Account

You can remove an AWS account at any time from Settings → AWS Accounts.

When an AWS account is removed:

  • Scanning stops immediately

  • All inventory data from that account is permanently deleted

  • All associated insights are removed

⚠️ This action is irreversible.
If the same AWS account is reconnected later, it starts fresh with a new scan.

Cloudventory Account Deletion (Important Distinction)

Removing an AWS account is not the same as deleting your Cloudventory account.

  • Removing an AWS account
    → Data is deleted immediately and permanently

  • Deleting your Cloudventory account (organization owner only)
    → Data enters a 30-day grace period before permanent deletion

During the grace period:

  • No scheduled scans are run, and manual scans are disabled

  • Existing data remains accessible in read-only mode

  • Data is retained in case the account is restored

This grace period exists to support safe offboarding and recovery scenarios.

Cleaning Up AWS Resources

When you remove an AWS account from Cloudventory, no changes are made in your AWS environment.

  • IAM roles or credentials remain in place

  • You may delete them manually at any time

  • If you plan to reconnect the account later, you may leave them unchanged

Cloudventory never deletes or modifies resources in your AWS account.
