Start here
Getting started with Axiom.
Sign up, connect AWS via IAM role, run your first scan, and review findings — typically under 5 minutes. Nothing changes in your cloud without your explicit approval.
00 · Before you begin
Prerequisites
- An AWS account where you have permission to create an IAM role
- ~5 minutes
- A web browser (no CLI required for the first scan)
01
Step 1 — Create your Axiom account
Sign up at /auth/signup
Visit /auth/signup and create an account with your work email. No credit card required for the free tier.
You'll land in the dashboard. The dashboard has six tiles: Connect Cloud, Topology, Memory, Workflows, ReleaseOps, Operations, Resilience, and Desktop Agent.
02
Step 2 — Connect AWS
Open Cloud Operator onboarding
From the dashboard click Connect Cloud, or go directly to /operator/onboarding.
The onboarding wizard walks you through five steps: provider selection → IAM role creation → ARN paste → connection test → first scan.
Generate a read-only IAM role
Axiom shows you the exact role policy to attach and an External ID to prevent confused-deputy attacks. Either:
- Use the one-click CloudFormation launch button (recommended)
- Or create the role manually in IAM with the trust policy and permissions Axiom displays
See AWS setup for the exact policy, what each permission does, and why each one is needed.
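Before pasting the Role ARN, you can check the role yourself. This added example (not Axiom's code or policy) audits a trust policy for the External ID condition and a permissions policy for anything beyond List/Describe/Get. The principal ARN, External ID and sample policies are constructed placeholders; substitute the values the onboarding wizard displays.

```python
# Constructed values: the principal ARN and External ID below are placeholders,
# not Axiom's real ones. Use the values the onboarding wizard displays.
VENDOR = "arn:aws:iam::111111111111:root"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
READ_PREFIXES = ("list", "describe", "get")  # IAM action names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust_policy(policy, vendor=VENDOR, external_id=EXTERNAL_ID):
    """Return problems found in a role trust policy; an empty list means it passed."""
    problems = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        # Only the vendor principal may assume the role: no "*", no extra accounts.
        if not (isinstance(principal, dict) and set(principal) == {"AWS"}
                and _as_list(principal["AWS"]) == [vendor]):
            problems.append("principal is not limited to the vendor")
        # The External ID condition is what blocks the confused-deputy case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ids or _as_list(ids[0]) != [external_id]:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems

def non_read_actions(policy):
    """Return allowed actions that are not List*/Describe*/Get*, including wildcards."""
    flagged = []
    for stmt in _allow_statements(policy):
        if "NotAction" in stmt:  # allows everything except the listed actions
            flagged.append("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].lower().startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged

# Constructed sample policies for the demonstration.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR}, "Action": "sts:AssumeRole"}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:PutObject", "iam:*"]}]}

if __name__ == "__main__":
    print(audit_trust_policy(NO_EXTERNAL_ID), non_read_actions(PERMISSIONS))
```

The prefix match is a coarse filter: actions such as s3:GetObject pass it while still reading object contents, so review the Get* entries individually.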
Paste the Role ARN + test the connection
Paste the Role ARN back into Axiom. The connection test calls sts:AssumeRole with the External ID, then runs a no-op sts:GetCallerIdentity to confirm read access.
response · connection test
{
  "status": "connected",
  "accountId": "123456789012",
  "callerArn": "arn:aws:sts::123456789012:assumed-role/axiom-agent-role/...",
  "permissions": "read-only",
  "regions": ["us-east-1", "us-west-2"]
}
03
Step 3 — Run your first scan
Trigger the initial scan
Click Run scan. Axiom enumerates EC2 instances, S3 buckets, RDS databases, IAM resources, security groups, and other supported resource types across your selected regions.
A typical first scan completes in 60–180 seconds. Progress is visible in real time via the activity feed at /dashboard/command-center.
Review findings
Findings are grouped by category (cost, security, drift, performance, compliance) and severity. Each finding includes affected resources, severity reasoning, recommended action, and an estimated monthly impact.
Review the execution plan
Axiom generates a phased execution plan grouping low-risk fixes together. Each plan item includes:
- Affected resources + current state vs. recommended state
- Generated Terraform (or CLI commands)
- Blast radius classification
- Pre-verified rollback strategy with measured RTO
- Approval requirements
See execution plans (doc coming) for the full lifecycle.
04 · Self-serve trust
What just happened — trust questions
Every major flow answers the same questions. Here are the answers for the onboarding + first scan flow:
What just happened?
Axiom assumed a read-only IAM role in your AWS account and enumerated infrastructure across the regions you selected.
What access does Axiom have?
Read-only: List/Describe/Get on EC2, S3, RDS, IAM, CloudWatch, and a few related services. No write or delete permissions exist in the role.
What does Axiom store?
Resource metadata (instance type, region, tags) and finding records. We never store access keys, secret material, or contents of buckets/databases.
Can I revoke access?
Yes — delete the IAM role in your AWS console. Axiom immediately loses all access. We will detect the disconnection and stop attempting to assume the role.
What happens next?
Findings + execution plan show in the dashboard. No changes are applied to your infrastructure unless you explicitly approve an execution plan item.
What if it fails?
Connection tests, scans, and executions all surface an exact failure reason. See troubleshooting for common errors and fixes.
Next steps
- → AWS setup (deep dive) · the full policy, permissions explained, and edge cases
- → Security model · how Axiom isolates tenants, encrypts data, and avoids storing secrets
- → Troubleshooting · common errors during onboarding and scanning
Need a human?
Most flows are documented — but we'll help if anything is unclear.