SaaS Overview
AWS CloudScanner SaaS is a deployment model in which Upwind manages the CloudScanner infrastructure on your behalf. Upwind runs the scanning infrastructure in an isolated, Upwind-managed AWS account dedicated to your scanning operations.
During onboarding, you provision a set of IAM roles in your AWS Organization. These roles allow Upwind to discover your accounts, fetch resource information, identify eligible resources, and execute the scan workflow through secure cross-account access. No compute, Auto Scaling Groups, or Lambda functions are deployed inside your environment.
This allows you to get full value from Upwind with minimal setup on your side.
What's in This Section
- Architecture: covers the components and accounts involved in the SaaS architecture, and explains how they interact during scanning.
- Prerequisites: lists the requirements that must be in place before starting the onboarding process.
- Onboarding Flow: step-by-step instructions for connecting your AWS Organization to Upwind using the SaaS deployment model.
- Glossary: defines the key terms, parameters, and resources you encounter during onboarding.
- Troubleshooting: covers common issues that may occur during onboarding, with guidance on how to identify and resolve them.
Deployment models
SaaS
Upwind hosts and manages the Cloud Scanner infrastructure in its own cloud environment. You only provision the IAM resources needed to grant Upwind cross-account access to your accounts. Snapshots are still created and deleted within your accounts at runtime, but the scanner compute runs on Upwind's side.
What you deploy in your environment is limited to IAM resources: there are no scanner ASGs, launch templates, or VPCs. Because the scanner workloads run on the Upwind side, the compute-related SCPs and service quotas in your accounts do not apply to the install, the scanner compute cost sits with Upwind, and Upwind operates and scales the scanner fleet.
Outpost
Cloud Scanners are deployed and run inside your own AWS environment. Upwind provisions the scanner stack (workers, ASGs, scaling and cleanup Lambdas, supporting IAM roles and networking) into the AWS Organization you onboard, and the platform interacts with those scanners over the cross-account IAM roles created during onboarding.
All scanner workloads run inside your AWS Organization, so no customer data is read into Upwind-managed AWS accounts at scan time. The scanner ASGs, Lambdas, and networking live in your accounts, where they are subject to your own SCPs, tagging, logging, and security tooling like any other workload in your tenancy. Outpost supports both AWS Organization and single-account onboarding, across CloudFormation and Terraform, and includes migration tooling for organizations moving from the legacy 3-stack model.
Quick comparison
| Consideration | SaaS | Outpost |
|---|---|---|
| Data leaves customer environment | Yes (ephemeral snapshot copy) | No |
| Scanner compute billed by | Upwind subscription | Your AWS account |
| Deployment in customer account | IAM roles only | ASGs, Lambdas, supporting resources |
| Supported features | All | All |
Get started
- SaaS: see Architecture, Prerequisites, and Onboarding Flow.
- Outpost: see Overview and Instructions. Already onboarded with the legacy 3-stack model? See Migration.
The AWS terminology used throughout this documentation aligns with the Terminology and concepts for AWS Organizations.