Seenty Docs

Cloud Accounts

Connect your AWS or Azure accounts to Seenty for automated security scanning of IAM, storage, and network configurations.

Seenty can scan your cloud infrastructure for security misconfigurations. By connecting a cloud account with read-only credentials, Seenty periodically audits your IAM policies, storage configurations, and network security groups to find common issues before attackers do.

Cloud account scanning requires an Ultra plan or higher.

Connecting an AWS account

Seenty requires an IAM user with read-only permissions to scan your AWS resources. It never modifies any resources in your account.

Create an IAM user

  1. Sign in to the AWS Management Console.
  2. Navigate to IAM > Users > Create user.
  3. Enter a username (e.g., seenty-scanner).
  4. Select Programmatic access to generate an access key.
  5. Attach the SecurityAudit managed policy. This provides read-only access to the resources Seenty needs to scan.
  6. Complete the user creation and save the Access Key ID and Secret Access Key.

The SecurityAudit policy is an AWS-managed policy that grants read-only access to security-related configuration data. It does not allow any write operations. You can also create a custom policy with more restrictive permissions if needed.

Add the credentials to Seenty

  1. Navigate to Assets > Cloud Accounts in Seenty.
  2. Click Add Cloud Account and select AWS.
  3. Enter a friendly name for this account (e.g., "Production AWS").
  4. Paste the Access Key ID and Secret Access Key.
  5. Click Test Connection to verify the credentials work.
  6. Click Save.

Your credentials are encrypted at rest and are only used to perform read-only API calls to AWS.

Initial scan

After saving, Seenty will run an initial scan of your AWS account. This typically takes a few minutes depending on the size of your infrastructure.

What Seenty scans in AWS

Checks by service:

  • IAM: Users without MFA enabled, stale access keys (unused for 90+ days), overly permissive policies, root account usage, password policy strength
  • S3: Publicly accessible buckets, buckets without encryption, buckets without versioning, overly permissive bucket policies
  • Security Groups: Unrestricted ingress rules (0.0.0.0/0), open administrative ports (SSH, RDP), overly broad egress rules

Each issue found is reported as a misconfiguration finding under Security Posture, with severity, description, and remediation steps.
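To make the Security Groups checks concrete, the following added example (not Seenty's own code) flags ingress rules that expose SSH or RDP to the whole internet. It assumes input in the shape of `aws ec2 describe-security-groups` output; the function names and sample group IDs are constructed for illustration.

```python
import ipaddress

# Administrative ports named on this page: SSH and RDP.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def _open_sources(perm):
    """Return CIDRs in a rule that cover the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def find_open_admin_ingress(groups):
    """Return (group_id, service, cidr) for world-open ingress to admin ports."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # IpProtocol "-1" means all protocols and all ports.
            lo = 0 if proto == "-1" else perm.get("FromPort", 0)
            hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            for cidr in _open_sources(perm):
                for port, name in ADMIN_PORTS.items():
                    # A range such as 3000-4000 still exposes RDP (3389).
                    if lo <= port <= hi:
                        findings.append((g["GroupId"], name, cidr))
    return findings

# Constructed sample data (hypothetical group IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example4", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, svc, cidr in find_open_admin_ingress(SAMPLE_GROUPS):
        print(f"{gid}: {svc} reachable from {cidr}")
```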

Connecting an Azure account

Seenty requires a Service Principal with Reader role to scan your Azure resources.

Create a Service Principal

  1. Sign in to the Azure Portal.
  2. Navigate to Azure Active Directory > App registrations > New registration.
  3. Enter a name (e.g., seenty-scanner) and register the application.
  4. Go to Certificates & secrets > New client secret and create a secret. Save the Client Secret value.
  5. Note the Application (client) ID and Directory (tenant) ID from the app's overview page.
  6. Navigate to Subscriptions > [Your Subscription] > Access control (IAM) > Add role assignment.
  7. Assign the Reader role to the service principal you just created.

Add the credentials to Seenty

  1. Navigate to Assets > Cloud Accounts in Seenty.
  2. Click Add Cloud Account and select Azure.
  3. Enter a friendly name for this account.
  4. Provide the Tenant ID, Client ID, and Client Secret.
  5. Click Test Connection to verify.
  6. Click Save.

Initial scan

Seenty will scan your Azure subscription immediately after saving.

What Seenty scans in Azure

Checks by service:

  • RBAC / Entra ID: Users without MFA, inactive users (no sign-in for 90+ days), overly permissive role assignments
  • Storage Accounts: Publicly accessible containers, storage accounts without encryption, missing network restrictions
  • Network Security Groups (NSGs): Unrestricted inbound rules (0.0.0.0/0), open administrative ports (SSH, RDP)

Each issue is reported as a misconfiguration finding with severity and remediation guidance.

Managing cloud accounts

Enabling and disabling scanning

You can temporarily disable scanning for a cloud account without removing it. Go to the cloud account detail page and toggle Scanning off. Seenty will stop running scheduled scans but will retain all existing findings.

Rotating credentials

If you rotate your cloud credentials, update them in Seenty by going to the cloud account detail page and clicking Update Credentials. Use the Test Connection button to verify the new credentials work before saving.

Removing a cloud account

To remove a cloud account, go to its detail page and click Delete. This removes the account and all associated findings from Seenty.

Deleting a cloud account is permanent. All associated findings will be removed.

Security and privacy

  • Read-only access: Seenty never modifies resources in your cloud accounts. It only reads configuration data.
  • Encryption at rest: Cloud credentials are encrypted before being stored in the database.
  • Minimal permissions: Seenty only requires the permissions needed to read security-related configurations. You can audit the exact API calls by reviewing the IAM or Azure AD audit logs.
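
One way to check the read-only claim on the AWS side, as an added example that is not part of Seenty: AWS records API calls in CloudTrail, and each record carries a `readOnly` flag. The sketch below assumes CloudTrail is enabled, that the scanner runs as the IAM user `seenty-scanner` from the setup steps, and uses constructed sample records; the helper names are hypothetical.

```python
from collections import Counter

SCANNER_USER = "seenty-scanner"  # example username from the setup steps

def audit_scanner_calls(records, user=SCANNER_USER):
    """Split one IAM user's CloudTrail events into read-only and other calls."""
    read_calls, other_calls = Counter(), []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") != user:
            continue
        api = f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}'
        # CloudTrail records carry a boolean readOnly flag; a missing flag is
        # reported for review rather than assumed to be a read.
        if rec.get("readOnly") is True:
            read_calls[api] += 1
        else:
            other_calls.append((rec.get("eventTime"), api, rec.get("errorCode")))
    return read_calls, other_calls

def _event(time, user, source, name, read_only, error=None):
    """Build a constructed record with the CloudTrail fields used above."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "readOnly": read_only,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    _event("2024-01-01T00:00:00Z", "seenty-scanner", "iam.amazonaws.com", "ListUsers", True),
    _event("2024-01-01T00:01:00Z", "seenty-scanner", "s3.amazonaws.com", "GetBucketPolicy", True),
    _event("2024-01-01T00:02:00Z", "seenty-scanner", "ec2.amazonaws.com", "DescribeSecurityGroups", True),
    _event("2024-01-01T00:03:00Z", "alice", "iam.amazonaws.com", "CreateUser", False),
    _event("2024-01-01T00:04:00Z", "seenty-scanner", "s3.amazonaws.com", "PutBucketPolicy", False, "AccessDenied"),
    _event("2024-01-01T00:05:00Z", "seenty-scanner", "iam.amazonaws.com", "ListUsers", True),
]

if __name__ == "__main__":
    reads, others = audit_scanner_calls(SAMPLE_RECORDS)
    print("read-only calls:", dict(reads))
    print("calls needing review:", others)
```

Any entry in the second list means the scanner credentials attempted something other than a read and deserves a look, even when the call was denied.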