Connect Your Infrastructure

Most Common

☁️

Amazon Web Services

Connect via IAM Role with cross-account trust. No access keys required.

🔷

Microsoft Azure

Connect via Entra ID Service Principal with Reader role at subscription scope.

No setup needed

🌐

Website / Domain

Enter any public domain. We scan DNS, SSL, ports, and security headers instantly.

🔒

Read-only access, always. Sentinel Stacks never modifies your infrastructure. We only read public information to detect security misconfigurations.

Enter your domain

We'll scan it for DNS, SSL, ports, security headers, and exposed paths.

Domain *

Enter a domain without https:// (e.g. sentinelstacks.com). Subdomains supported.

Company Name *

Work Email *

Scanning your domain

This takes 10–20 seconds. Hang tight.

—

○

DNS records & email security

○

SSL/TLS certificate analysis

○

HTTP security headers

○

Open port detection

○

Exposed paths & credentials

Initiating scan...

Your account details

We'll use these to set up your monitoring profile.

Company Name *

Work Email *

Create the IAM Role

Follow these steps in your AWS Console (takes ~3 minutes).

1

Open IAM in the AWS Console

Navigate to IAM → Roles → Create role. Select "AWS account" as the trusted entity type, then choose "Another AWS account."

2

Paste the Trust Policy

Switch to the JSON editor and replace the policy with the snippet below. This grants Sentinel Stacks permission to assume the role using your unique External ID.

trust-policy.json

3

Name the role `SentinelStacks-CloudScanner`

Continue to the next page, and set the role name to exactly SentinelStacks-CloudScanner. This name must match what we expect.

4

Attach the required policies

Search for and attach each of the following AWS managed policies to the role:

✓ SecurityAudit

✓ ReadOnlyAccess

✓ AmazonGuardDutyReadOnlyAccess

✓ AWSConfigUserAccess

✓ AWSSecurityHubReadOnlyAccess

5

Copy your Role ARN

After creating the role, click on it and copy the ARN from the summary page (format: arn:aws:iam::123456789012:role/SentinelStacks-CloudScanner). You'll paste it on the next step.

Create a Service Principal

Run these commands in Azure CLI or follow the portal steps.

💡

You need the Azure CLI installed, or you can use Azure Cloud Shell (no install needed — open it from the Azure Portal top bar).

1

Create the App Registration & Service Principal

Run this command to create the service principal. Save the output — you'll need the appId and password values.

Azure CLI

az ad sp create-for-rbac \
  --name "SentinelStacks-SIEM" \
  --role "Reader" \
  --scopes /subscriptions/<YOUR_SUBSCRIPTION_ID>

2

Assign Defender for Cloud Reader role

Replace <APP_ID> and <SUBSCRIPTION_ID> with your values:

Azure CLI

az role assignment create \
  --assignee <APP_ID> \
  --role "Security Reader" \
  --scope /subscriptions/<SUBSCRIPTION_ID>

3

Required roles (subscription scope)

✓ Reader

✓ Security Reader

4

Collect your credentials

From the CLI output, gather: Tenant ID (your Azure directory ID), Client ID (the appId), Client Secret (the password), and Subscription ID.

Enter your Role ARN

Paste the ARN from the IAM role you just created.

Your External ID (pre-generated)

This was embedded in the trust policy. Keep it — it confirms the role was created specifically for you.

IAM Role ARN *

Found in IAM → Roles → SentinelStacks-CloudScanner → Summary

Enter your Azure credentials

From the Service Principal you created. The secret is encrypted immediately and never logged.

Tenant ID (Directory ID) *

Client ID (Application ID) *

Client Secret *

AES-256-GCM encrypted before storage. Never logged or displayed again.

Subscription ID *

✓

Connected!

Sentinel Stacks is now monitoring your environment. Your first scan will appear in the dashboard within minutes.

View Dashboard →