To help you understand how we securely scan and assess your AWS environment, we've prepared the following overview of the Swise AWS Scanner — including how it works, where it runs, and any cost implications to your account.
What Is the Swise AWS Scanner?
The Swise AWS Scanner is our internal security scanning solution that identifies misconfigurations, compliance gaps, and security risks across your AWS environment. It is built using industry-standard tooling and best practices for safe, read-only assessment.
How It Works
Swise runs the scanner from our own AWS account (you don't need to host anything).
We assume a read-only IAM role (SwiseScan) that exists in your AWS account.
Using this cross-account connection, the scanner performs API-level checks (Describe*, Get*, List* calls) across AWS services and regions.
The results are analysed and surfaced in the Swise AI app under the Security Findings section for your review.
Secure Cross-Account Access
We never ask for credentials or deploy agents in your account.
Access is granted via AWS's sts:AssumeRole mechanism.
The role's trust policy requires an External ID, so only our scanner account presenting that agreed value can assume it (AWS's recommended protection against the confused-deputy problem).
The role's permissions are read-only, and the credentials we receive are temporary STS session credentials that expire on their own; there is no write or destructive access.
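The pieces described above, as an added example that is not Swise's own code: the trust policy with the sts:ExternalId condition, a check that a trust policy is not weaker than that, a check that the permissions policy grants only Describe/Get/List verbs, and the sts:AssumeRole call that presents the External ID. The role name SwiseScan and the action prefixes come from this page; the account IDs, External ID and permissions list are placeholders, and the FakeSTS class is a constructed stand-in for boto3's STS client so the block runs offline.

```python
"""Cross-account access for the read-only scanner role.

Added example, not Swise's own code. The role name SwiseScan and the
Describe*/Get*/List* action prefixes come from the page; the account IDs,
the External ID and the permissions list are placeholders. sts_client is
any object with an assume_role() method (boto3's STS client, or the
constructed FakeSTS below for offline use).
"""
import json

SCANNER_ACCOUNT_ID = "111111111111"   # placeholder: account the scanner runs from
CUSTOMER_ACCOUNT_ID = "222222222222"  # placeholder: account being scanned
ROLE_NAME = "SwiseScan"
ROLE_ARN = f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/{ROLE_NAME}"
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def trust_policy(scanner_account_id, external_id):
    """Trust policy for the customer's role: only the scanner account may assume it,
    and only when it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy, scanner_account_id):
    """Reasons a trust policy is weaker than the one above (empty list = fine)."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        allowed = principal.get("AWS") if isinstance(principal, dict) else principal
        arns = allowed if isinstance(allowed, list) else [allowed]
        if any(a == "*" or scanner_account_id not in str(a) for a in arns):
            problems.append(f"principal not limited to scanner account: {allowed}")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition")
    return problems


SCAN_PERMISSIONS = {  # placeholder permissions policy: read-only verbs only
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*",
                   "lambda:Get*", "lambda:List*", "cloudtrail:Describe*", "cloudtrail:Get*",
                   "config:Describe*", "config:Get*", "securityhub:Describe*", "securityhub:Get*"],
        "Resource": "*",
    }],
}


def non_read_only_actions(policy):
    """Actions in the permissions policy whose verb is not Describe/Get/List."""
    offending = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:              # NotAction allows everything not listed
            offending.append("NotAction")
            continue
        actions = st.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            _, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):   # catches "*", "s3:*", "ec2:RunInstances"
                offending.append(action)
    return offending


def assume_scan_role(sts_client, role_arn, external_id, session_name="swise-scan"):
    """Obtain temporary credentials; the External ID must match the trust policy condition."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  ExternalId=external_id, DurationSeconds=3600)
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],       # keyword names boto3.client() accepts
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


class FakeSTS:
    """Constructed stand-in for boto3's STS client: like AWS, it refuses the
    call unless the External ID in the request matches the trust policy."""
    def __init__(self, expected_external_id):
        self.expected = expected_external_id

    def assume_role(self, **kwargs):
        if kwargs.get("ExternalId") != self.expected:
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2025-01-01T01:00:00Z"}}


if __name__ == "__main__":
    external_id = "example-external-id"  # placeholder; in practice a random value agreed out of band
    print(json.dumps(trust_policy(SCANNER_ACCOUNT_ID, external_id), indent=2))
    print("trust problems:", trust_policy_problems(trust_policy(SCANNER_ACCOUNT_ID, external_id), SCANNER_ACCOUNT_ID))
    print("non-read-only actions:", non_read_only_actions(SCAN_PERMISSIONS))
    print(assume_scan_role(FakeSTS(external_id), ROLE_ARN, external_id))
```

With real AWS, replace FakeSTS with `boto3.client("sts")` from the scanner account; the returned dictionary can be passed straight into `boto3.client(service, region_name=..., **creds)`. The inline permissions list is a placeholder; the AWS managed SecurityAudit policy is a common choice for this kind of role and can be checked with the same non_read_only_actions() function.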
Cross-Region Scanning
By default, the Swise AWS Scanner checks resources across all AWS regions enabled in your account unless otherwise restricted (opt-in regions you have not enabled cannot be queried). This helps ensure full visibility across:
EC2, S3, IAM, Lambda, CloudTrail, Config, Security Hub, and more.
No need to install the scanner in each region — our centralised scanner queries them remotely via secure API.
Why there can be cost in your account — even without creating infrastructure
Even though we don't deploy or manage any infrastructure in your AWS account, the API calls made through the assumed role run against your account. Most read calls are free, but a few services meter them, and services that are already enabled in your account (AWS Config, Security Hub, GuardDuty) keep accruing their own charges whether or not we scan.
Item | Runs in | Cost billed to
---|---|---
Swise AWS Scanner execution | Swise AWS account | Swise
AWS API calls (Describe, Get, List) | Your AWS account | You (minor; most are free)
AWS Config, Security Hub, CloudTrail, etc. | Your AWS account | You (only if already enabled)

Activity | Cost? | Explanation
---|---|---
Assuming IAM role | ❌ No | STS role assumption is free
Basic API calls (Describe*, Get*) | ⚠️ Sometimes | Free for most services, but not all
Config / Security Hub / GuardDuty | ✅ Yes (if enabled) | Metered by AWS, billed to you
We assume a role → No cost
Assuming an IAM role using sts:AssumeRole is free; STS does not charge for it.
We perform API calls (Describe, Get, List) → May incur minor costs
These calls are free for most services. A few meter read requests (S3 LIST requests, for example, are charged per thousand), and the scan also reads from services that may already carry their own usage charges.
Some services charge per API call or per feature. For example:
AWS Config:
Charges per recorded configuration item and per rule evaluation.
Our scan only reads rule definitions and compliance results through config:Describe* and config:Get* calls; reads do not start rule evaluations, so these charges are for Config as you already run it.
Security Hub:
Charges per ingested finding and per security check, per region.
Reading findings with securityhub:GetFindings does not ingest new ones; the scanner never imports findings.
GuardDuty (if enabled):
Charges based on the volume of logs it analyses; reading its findings does not add to that.
CloudTrail Insights, Athena, Macie, etc.
Some of these charge per query or per amount of data scanned. A Describe/Get-only role cannot start Athena queries or Macie jobs, so any such charges come from your own use of those services.
Cross-Region Scanning:
Scanning every region multiplies the number of API calls, and regional services such as Config, Security Hub, or CloudTrail that are enabled in several regions each carry their own charges in every region where they are active.
⚠️ Note: Services like AWS Config and Security Hub generate ongoing charges once enabled. We will not activate these services without your consent, and the read-only role could not enable them in any case.
Example Scenario:
We call config:DescribeConfigRules across 5 regions. These reads are free in themselves; if AWS Config is recording in those regions, you are already paying per configuration item and per rule evaluation there, scan or no scan.
We call securityhub:GetFindings to pull existing findings. Reading findings does not ingest new ones; Security Hub's per-finding and per-check charges apply in each region where you have it enabled.
If AWS Config isn't already enabled, enabling it (which only you can do, since the scanner role has no write permissions) leads to ongoing charges per tracked resource.