Amazon Web Services (AWS)
Overview
AWS Organizational Onboarding enables customers to seamlessly connect their AWS Organizations to Upwind, offering centralized visibility, control, and protection for all member accounts. By leveraging the hierarchical structure of AWS organizations, this integration streamlines account management while safeguarding the entire cloud infrastructure against potential threats. It simplifies the setup and management of multiple AWS accounts by automating essential tasks such as role creation and permissions assignment.
Deployment models
SaaS
Upwind hosts and manages the Cloud Scanner infrastructure in its own cloud environment. You only provision the IAM resources needed to grant Upwind cross-account access to your accounts. Snapshots are still created and deleted within your accounts at runtime, but the scanner compute runs on Upwind's side.
What you deploy in your environment is limited to IAM resources - there are no scanner ASGs, launch templates, or VPCs. Because the scanner workloads run on the Upwind side, the compute-related SCPs and service quotas in your accounts do not apply to the install, the scanner compute cost sits with Upwind, and Upwind operates and scales the scanner fleet.
Outpost
Cloud Scanners are deployed and run inside your own AWS environment. Upwind provisions the scanner stack (workers, ASGs, scaling and cleanup lambdas, supporting IAM roles and networking) into the AWS Organization you onboard, and the platform interacts with those scanners over the cross-account IAM roles created during onboarding.
All scanner workloads run inside your AWS Organization, so no customer data is read into Upwind-managed AWS accounts at scan time. The scanner ASGs, lambdas, and networking live in your accounts, where they are subject to your own SCPs, tagging, logging, and security tooling like any other workload in your tenancy. Outpost supports both AWS Organization and single-account onboarding, across CloudFormation and Terraform, and includes migration tooling for organizations moving from the legacy 3-stack model.
SaaS vs Outpost
| Consideration | SaaS | Outpost |
|---|---|---|
| Data leaves customer environment | Yes (ephemeral snapshot copy) | No |
| Scanner compute billed by | Upwind subscription | Your AWS account |
| Deployment in customer account | IAM roles only | ASGs, Lambdas, supporting resources |
| Supported features | All | All |