UpGuard scans cloud services on your behalf by first authenticating to an exposed API. The credentials required to successfully authenticate to a cloud service fall into either keypair or password based authentication categories. Where possible, UpGuard will only request what API access it actually needs.


  • You will need an Amazon Web Services account with web console access.
  • At least one EC2 virtual server


  1. Log into UpGuard and click Add Node.
  2. From the node select screen click Cloud Services and then select Amazon Web Services from the dropdown list.


    Field Description
    AWS Region Identifies which region your EC2 instance is located. API URLs will change accordingly.
    AWS Access Key The Access Key for the user that will be making requests to AWS. It is recommended that a UpGuard user is created using the AWS Management Console for this.
    AWS Secret Key The Secret Key generated by AWS for the above user. This is shown on-screen when the user is first created. It is not retrieval otherwise.
  3. Once you have located these credentials (see below), click Continue to add the node and kick off a node scan.

AWS Region

Your AWS region can be found in the URL of your browser address bar after you login into the AWS Management Console.


In the above example it would be us-west-1.

Access Key and Secret Key

  1. To obtain these credentials, you will need to add an UpGuard user through your AWS management console. To do this, log into your AWS Management Console and click on your account name from the top toolbar. Then click on Security Credentials from the dropdown menu.


  2. On the Identity and Access Management page click on Users from the left sidebar then Create New Users.


  3. In the “add new user” form that appears, enter in “UpGuard” for the user name, check Generate an access key for each user and click Create to continue.


  4. Lastly, the users Access Key and Secret Key can be viewed after expanding Show User Security Credentials.


Security Group Permissions

A security group which provides read-only access to AWS is required to be applied to the UpGuard user. Applying the appropriate Read Access Only group policy template provided by AWS is recommended.

Once logged into the IAM Management Console, you can create a group with the corresponding template by hitting the blue “Create New Group” button. After naming the group, you can search for various group templates. For EC2 buckets, the Policy Name “AmazonEC2ReadOnlyAccess” will provide sufficient permissions to allow UpGuard access. Full-privilege policies are not a requirement to scan the EC2 instance. After creation of the group, you can add the appropriate users to the group to provide them with appropriate permissions to scan.