AWS cloud security in 60 seconds

Deploy a CloudFormation template, authorize access, and start scanning. Read-only by default. No credentials stored.

Free forever. No credit card required.

Why vul.ninja for AWS?

CloudFormation-native setup

Deploy a vetted CloudFormation template from the AWS Console in one click. No manual IAM role creation, no policy editing, no credential copying.

Multi-account support

Connect a single AWS account or your entire AWS Organization. Scan dev, staging, and production from one dashboard with no duplicate setup.

AWS-aware findings

Every finding includes the AWS service, region, resource ARN, and remediation steps written for AWS best practices — not generic advice.

How to connect AWS in 60 seconds

1. Click "Connect AWS" in vul.ninja

From your vul.ninja dashboard, choose AWS as your cloud provider. You'll be taken to the CloudFormation launch page.

2. Deploy our CloudFormation template

Open the template in the AWS Console with one click. We've pre-configured least-privilege read-only permissions — no editing required.

3. Choose your scope

Select the AWS accounts and regions you want vul.ninja to scan. Connect a single account or your entire AWS Organization.

4. Done — your first scan starts automatically

Within minutes you'll have a prioritized list of misconfigurations, exposed secrets, and compliance gaps across your selected accounts.

What permissions does vul.ninja need?

Least-privilege by design. Read-only by default. Write actions require your explicit per-action approval.

By default (read-only)

  • AWS ReadOnlyAccess managed policy (audited by Amazon)
  • IAM: read roles, policies, users, groups, and access keys
  • S3: list buckets, read bucket policies and ACLs
  • EC2: describe instances, security groups, VPCs, and subnets
  • RDS: describe instances, snapshots, and parameter groups
  • Lambda: list functions and read environment variable names (not values)
  • KMS: list keys and describe key metadata
  • CloudTrail: describe trails and read log settings

If you enable remediation (opt-in)

  • s3:PutBucketPolicy — fix overly permissive S3 bucket policies
  • ec2:ModifyInstanceAttribute — fix exposed security group rules
  • iam:UpdateAccountPasswordPolicy — enforce password policy
  • kms:EnableKeyRotation — enable automatic key rotation

Write permissions are scoped per-action and require your approval before anything runs.

vul.ninja uses an AWS IAM role assumed via AWS Security Token Service (STS). Credentials are short-lived tokens — we never see or store your long-term access keys. You can revoke access at any time by deleting the CloudFormation stack from your AWS Console, which removes the IAM role immediately.
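The setup above (a CloudFormation stack that creates an IAM role, attaches the AWS ReadOnlyAccess managed policy, lets a scanning account assume it through STS, and optionally adds the four remediation actions) is the standard cross-account audit pattern. The template below is an added illustration of that pattern, not vul.ninja's own template: the scanner account ID and the external ID are placeholder parameters, the role name and policy name are invented, and the remediation statement simply mirrors the four actions listed above.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative cross-account audit role (added example, not the vendor's
  template). Read-only by default; write actions only when EnableRemediation
  is "true".

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID of the scanning service (placeholder value)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 16
    Description: Per-customer external ID issued by the scanner (placeholder value)
  EnableRemediation:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
    Description: Opt in to the write actions; leave "false" for read-only scanning

Conditions:
  RemediationEnabled: !Equals [!Ref EnableRemediation, "true"]

Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: example-audit-role            # hypothetical name
      MaxSessionDuration: 3600                # STS tokens expire after one hour
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the scanner account may assume the role, and only when it
          # presents the external ID (confused-deputy protection).
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  RemediationPolicy:
    Type: AWS::IAM::Policy
    Condition: RemediationEnabled             # created only when opted in
    Properties:
      PolicyName: example-remediation          # hypothetical name
      Roles: [!Ref AuditRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:PutBucketPolicy
              - ec2:ModifyInstanceAttribute
              - iam:UpdateAccountPasswordPolicy
              - kms:EnableKeyRotation
            Resource: "*"

Outputs:
  RoleArn:
    Description: ARN the scanner assumes via sts:AssumeRole
    Value: !GetAtt AuditRole.Arn
```

Two things a reviewer would check before deploying such a stack: that the trust policy names a single account and carries an `sts:ExternalId` condition (a `Principal` of `"*"` or a missing condition would let any account assume the role), and that deleting the stack removes the role, which is what makes the "delete the stack to revoke access" step work. Note also that the AWS ReadOnlyAccess managed policy is broad: it includes read access to S3 object contents, so teams that want a narrower audit scope often substitute the AWS SecurityAudit managed policy or a custom policy limited to the describe/list actions listed above.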

How is this different from AWS Security Hub?

We believe in honest comparisons. Here's where the native tool wins, and where vul.ninja wins.

Where AWS Security Hub wins

  • Native to AWS with no additional setup beyond enabling the service
  • Free at small scale; integrates directly with GuardDuty and Inspector
  • Deep integration with AWS-native services and EventBridge automations
  • AWS-managed, no third-party trust required

Where vul.ninja wins

  • Multi-cloud: scan AWS, Azure, and GCP from one platform — Security Hub is AWS-only
  • AI agents that explain findings, trace attack paths, and propose fixes with reasoning
  • Faster setup for teams without dedicated AWS expertise
  • No per-check pricing — flat-rate plans scale with your team, not your finding count
  • Human-in-the-loop remediation with approval gates before any change runs

Frequently asked questions

Yes, by default. The CloudFormation template deploys a role with AWS ReadOnlyAccess only. Write actions are only possible if you explicitly enable the Remediation Agent on a paid plan, and every individual fix requires your approval before it runs.

Yes. You can connect a single account or your entire AWS Organization, and select which regions to include. You can change this scope at any time from the vul.ninja dashboard.

No. We use AWS IAM roles with STS for short-lived tokens. We never see or store your access keys. There are no long-lived credentials for an attacker to compromise.

Delete the CloudFormation stack from your AWS Console. This removes the IAM role and immediately terminates our ability to access your account. No support ticket required.

IAM, S3, EC2, RDS, VPC, Lambda, KMS, CloudTrail, ECS, EKS, and more. We expand coverage regularly. See our documentation for the full current coverage list.

AWS Security Hub is excellent if you only use AWS. vul.ninja adds multi-cloud coverage (Azure, GCP), AI-powered investigation agents that explain findings in plain language, and a remediation pipeline with human approval gates. Security Hub doesn't do any of those things.

Yes. vul.ninja scans for compliance gaps across SOC 2, HIPAA, and PCI-DSS frameworks. Connecting your AWS account gives us visibility into your posture — your existing compliance certifications are unaffected.

Typically 5–15 minutes for a standard AWS account, depending on the number of resources and regions selected.

Yes. You can deploy our CloudFormation template at the Organization level to cover all member accounts at once, or connect individual accounts selectively.

AWS GovCloud is not currently supported. If this is a requirement, reach out to security@vul.ninja and we can discuss your timeline.

Built for security-conscious teams

Read-only by default

Write actions are available only on paid plans and require per-action approval.

Short-lived STS credentials

IAM role + STS. No long-term access keys ever stored.

Full API audit log

Every API call vul.ninja makes against your account is logged.

One-stack revocation

Delete the CloudFormation stack to immediately revoke all access.

Ready to scan your AWS cloud?

Connect in 60 seconds. Free forever.