Connect an AWS account for cloud posture
Read-only IAM role setup for continuous cloud posture evaluation.
Cyvex evaluates AWS cloud posture via a read-only cross-account IAM role. Once connected, it checks configuration against the CSPM rule library and surfaces drift as findings.
IAM role setup
Create a role in the target account that trusts the Cyvex audit account. The minimum managed policies are:
- SecurityAudit — read-only access to resource configuration.
- ViewOnlyAccess — read-only access to service dashboards.
Do not attach write or admin policies. Cyvex does not require them and granting them defeats the point.
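One way to check a role against the guidance above before connecting it, as an added example and not Cyvex's own tooling. `AUDIT_ACCOUNT_ID` is a placeholder, the function and variable names are hypothetical, and the sample inputs are constructed in the shape returned by IAM `GetRole`, `ListAttachedRolePolicies` and `ListRolePolicies`.

```python
# Added example: offline check of a role definition against the guidance above.
# Placeholder account ID (assumption); substitute the audit account ID Cyvex gives you.
AUDIT_ACCOUNT_ID = "111111111111"

ALLOWED_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}


def _as_list(value):
    # IAM policy JSON allows a single value or a list in most fields.
    return value if isinstance(value, list) else [value]


def audit_role(trust_policy, attached_arns, inline_policy_names):
    """Return a list of findings; an empty list means the role matches."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                # Accept the bare account ID or any ARN inside that account.
                parts = value.split(":")
                account = parts[4] if value.startswith("arn:") and len(parts) > 4 else value
                if kind != "AWS" or account != AUDIT_ACCOUNT_ID:
                    findings.append(f"unexpected trusted principal: {kind}={value}")
    attached = set(attached_arns)
    for arn in sorted(attached - ALLOWED_POLICIES):
        findings.append(f"policy beyond the read-only minimum: {arn}")
    for arn in sorted(ALLOWED_POLICIES - attached):
        findings.append(f"required policy missing: {arn}")
    for name in inline_policy_names:
        findings.append(f"inline policy present, review for write access: {name}")
    return findings


# Constructed sample trust policies (not taken from a real account).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{AUDIT_ACCOUNT_ID}:root"}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, ALLOWED_POLICIES, []))
    print(audit_role(BAD_TRUST, ["arn:aws:iam::aws:policy/AdministratorAccess"], []))
```

In a live account the three arguments would come from the role's `AssumeRolePolicyDocument`, the `PolicyArn` of each attached policy, and the role's inline policy names.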
Multi-account orgs
For AWS Organizations, deploy the role via a CloudFormation StackSet against the whole org (or selected OUs). This avoids manual role creation in dozens of accounts. Keep the management account itself out of the target set — it's usually subject to stricter access controls.
First-run expectations
The first evaluation typically returns a lot of Medium-severity findings — default permissive configurations (public S3 buckets, unencrypted snapshots) are common in older accounts. Don't try to fix everything; triage as described in the scan report guide.
