Connecting cloud accounts
Once a customer has live infrastructure, you can connect their cloud account so Patrol can continuously inventory it — independent of whether Patrol deployed it.
Add a cloud account
From Cloud Accounts → Add Cloud Account:
- Give it a name, choose the provider (AWS, Azure, Google Cloud, OpenStack, VMware, or Other/Custom), and optionally link it to a customer.
- Choose a connection mode:
  - Patrol-hosted scanning (pull): Patrol assumes a read-only role/service principal in the customer’s account and scans it directly. This is the recommended mode for AWS/Azure/GCP.
  - On-site collector: for private or isolated clouds (OpenStack, VMware) where Patrol can’t reach the account directly. (Collector support is still being built out.)
- For AWS pull-mode accounts, choose how Patrol authenticates:
  - Cross-account IAM role (recommended): register the account first, then use the Patrol CLI on the detail page to create the role. Paste the Role ARN back when done.
  - Access keys: reference stored secrets for an access key/secret key pair. Prefer the role where you can; long-lived keys have to be stored and rotated, whereas the role is assumed on demand with short-lived credentials.
Setting up the IAM role with the Patrol CLI
If you choose the IAM role option, register the cloud account (the Role ARN field can be left blank), then on the account detail page use the “Set up cross-account access” card. The easiest path is the Patrol CLI:
- After registration, the detail page shows a ready-to-run command (or click Generate setup command), e.g.:

```sh
patrol connect aws --token <one-time-token>
```

  The token is single-use; treat the command as sensitive until it has been run.
- Run that command on a machine with AWS credentials for the customer’s account (e.g. a profile set up with aws configure that has IAM administrator permissions, or pass --profile <name>).
- The CLI:
  - Exchanges the token with Patrol for the details it needs: Patrol’s own AWS account ID (the trust policy principal) and a unique external ID for this cloud account.
  - Creates (or updates) an IAM role, by default PatrolReadOnly, with a trust policy scoped to Patrol’s account plus that external ID (an sts:ExternalId condition). The external ID protects against the “confused deputy” problem: someone who merely learns the Role ARN cannot get Patrol to assume it on their behalf, because only this account’s external ID satisfies the condition.
  - Attaches AWS’s managed SecurityAudit and ViewOnlyAccess policies: enough for inventory scanning, nothing that can modify resources.
- The CLI prints the Role ARN. Paste it into the Role ARN field on the detail page, click Save, then Test connection.
The other two tabs (AWS CLI script and Trust policy JSON) give you the equivalent raw aws iam commands or JSON if you’d rather run it manually or hand it to the customer’s cloud team.
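The following is an added example, not Patrol’s own code, showing what the CLI steps above amount to and what the customer’s cloud team should check if they take the manual route: it builds the trust policy with the sts:ExternalId condition, reviews a trust policy for the mistakes that reintroduce the confused-deputy problem (wildcard or wrong principal, missing or mismatched external ID, extra actions), checks that nothing beyond the two read-only managed policies is attached, and lists the equivalent aws iam commands. The account ID, external ID and file name are constructed placeholders; the real values come from the token exchange.

```python
"""Build and review the cross-account trust policy the Patrol CLI sets up.

Added example, not Patrol's own code. The account ID, external ID and file
name are constructed placeholders; the CLI gets the real values from the
one-time token exchange.
"""
import json

PATROL_ACCOUNT_ID = "111122223333"        # placeholder for Patrol's AWS account ID
EXTERNAL_ID = "patrol-3f9c1a2b-example"   # placeholder; unique per registered cloud account
ROLE_NAME = "PatrolReadOnly"              # the CLI's default role name
# The two AWS managed policies the CLI attaches; both are read-only.
READ_ONLY_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}


def build_trust_policy(patrol_account_id: str, external_id: str) -> dict:
    """Trust policy letting only Patrol's account assume the role, and only when the
    AssumeRole call carries this cloud account's external ID. Without the condition,
    anyone who learns the Role ARN could have Patrol assume it for them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{patrol_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _principal_accounts(principal) -> list:
    """Account IDs named by a statement's Principal; '*' marks a wildcard."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    aws = [aws] if isinstance(aws, str) else aws
    # "arn:aws:iam::123456789012:root" -> "123456789012"; bare IDs and "*" pass through
    return [p.split(":")[4] if p.startswith("arn:aws:iam::") else p for p in aws]


def trust_policy_problems(policy: dict, expected_account: str, expected_external_id: str) -> list:
    """Review a trust policy before attaching it. Returns [] if acceptable, else one
    message per problem found in each Allow statement."""
    problems = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    if not statements:
        return ["policy has no Statement"]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        extra = [a for a in ([actions] if isinstance(actions, str) else actions) if a != "sts:AssumeRole"]
        if extra:
            problems.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
        accounts = _principal_accounts(st.get("Principal", {}))
        if not accounts:
            problems.append(f"statement {i}: no AWS principal")
        for acct in accounts:
            if acct == "*":
                problems.append(f"statement {i}: wildcard principal, any AWS account could assume the role")
            elif acct != expected_account:
                problems.append(f"statement {i}: trusts account {acct}, expected {expected_account}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: missing sts:ExternalId condition (confused deputy)")
        elif ext != expected_external_id:
            problems.append(f"statement {i}: external ID {ext!r} does not match the one Patrol issued")
    return problems


def unexpected_policies(attached_policy_arns) -> set:
    """Managed policies on the role beyond the two read-only ones; anything here
    would let the scanner do more than inventory the account."""
    return set(attached_policy_arns) - READ_ONLY_POLICIES


def aws_cli_commands(role_name: str, trust_policy_file: str) -> list:
    """The manual equivalent of the CLI's work, as aws iam commands."""
    cmds = [f"aws iam create-role --role-name {role_name} "
            f"--assume-role-policy-document file://{trust_policy_file}"]
    for arn in sorted(READ_ONLY_POLICIES):
        cmds.append(f"aws iam attach-role-policy --role-name {role_name} --policy-arn {arn}")
    cmds.append(f"aws iam get-role --role-name {role_name} --query Role.Arn --output text")
    return cmds


if __name__ == "__main__":
    policy = build_trust_policy(PATROL_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy, PATROL_ACCOUNT_ID, EXTERNAL_ID))  # []
    loose = build_trust_policy(PATROL_ACCOUNT_ID, EXTERNAL_ID)
    del loose["Statement"][0]["Condition"]     # same policy minus the external ID
    print("problems:", trust_policy_problems(loose, PATROL_ACCOUNT_ID, EXTERNAL_ID))
    print("\n".join(aws_cli_commands(ROLE_NAME, "trust.json")))
```

Save the output of build_trust_policy to the file named in aws_cli_commands and the three commands reproduce the CLI’s result; the last one prints the Role ARN to paste into the detail page. Run trust_policy_problems on any trust policy you did not generate yourself before attaching it.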
Scanning
Once connected:
- Click Scan now to run an inventory scan immediately, or toggle Auto-scan to run one automatically every 6 hours.
- Each scan produces a snapshot — a point-in-time inventory of the account’s resources (compute, network, IAM, security, storage, etc.), visible in Scan history.
Next steps
- Drift Detection — how snapshots are compared against an accepted baseline