What Quiverstone gives you
Multi-account inventory
- AWS Organizations discovery — deploy a read-only inventory role in your management or delegated administrator account and Quiverstone automatically imports every member account.
- Standalone accounts — add individual AWS accounts outside an Organization.
- Continuous updates — new accounts in your Organizations appear automatically; existing accounts stay in sync.
Access control and role assumption
- IAM role deployment — pre-built CloudFormation templates for direct, chained, browser-switch, and StackSet deployments.
- External ID enforcement — all production templates require External IDs to prevent confused-deputy attacks.
- One-click role assumption — jump from a Quiverstone Account into the AWS console with temporary credentials.
- Chained access — route role assumptions through a trusted intermediate account you control.
Collaboration and governance
- Teams — separate the people who manage your AWS inventory (SETTINGS teams) from the people who consume it (ACCESS teams).
- Groups — share specific Organizations, Accounts, and Customers with specific users or teams, scoped to specific IAM roles.
- Customer records — track the business entities behind your AWS accounts for MSP and consulting workflows.
- Audit trail — every role assumption is logged both in Quiverstone and in CloudTrail.
Who Quiverstone is for
Managed Service Providers. Manage hundreds of customer AWS Organizations from one workspace. Give each customer engagement its own team and Group. Hand customers self-service role deployment via the Service Catalog.
Cloud consultants. Spin up lightweight workspaces for short-term engagements. The Consultant tier is purpose-built for two- or three-person practices.
Enterprise platform teams. Centralize access across dozens or hundreds of internal accounts. Use SETTINGS teams to keep the inventory under tight administrative control while delegating scoped, audit-friendly access to operators via Groups.
DevOps and SRE teams. Quickly jump into any of your AWS accounts with the right permission level, without juggling profiles or remembering role ARNs.
Core concepts
Subscription tiers
Quiverstone has four tiers — Free, Consultant, Pro, and Enterprise — that gate how many people can collaborate and how access is shared. Start with the Subscriptions & Tiers overview for the full matrix.
Organizations, Accounts, and Customers
- Organizations represent AWS Organizations. Add the management or delegated administrator account and Quiverstone discovers the member accounts automatically.
- Accounts are individual AWS accounts — either inventoried from an Organization or added standalone.
- Customers are the business entities that own your Organizations and Accounts. Useful for MSP and consulting workflows.
Teams, Groups, and Roles
- Teams group users. SETTINGS teams manage the inventory; ACCESS teams consume it.
- Groups (Pro and Enterprise) are the mechanism for sharing specific resources with specific ACCESS teams and attaching IAM roles they can assume.
- Roles are saved AWS IAM role configurations that Groups use to grant scoped AWS access.
IAM roles and access patterns
Quiverstone uses AWS IAM roles with External IDs for every piece of AWS access it performs. The IAM Roles Overview explains the three supported patterns — direct, chained, and browser-switch — and helps you pick the right one for your security posture.
Getting started
Subscriptions & Tiers
Understand what each tier unlocks before you start inviting people.
Consultant Quickstart
Set up a small shared workspace in under ten minutes.
Add an Organization
Connect your first AWS Organization and auto-discover member accounts.
Add a Standalone Account
Bring individual AWS accounts into Quiverstone.
Deploy IAM Roles
Pick direct, chained, or browser-switch access and deploy the CloudFormation templates.
Service Catalog
Give customers self-service role deployment through AWS Service Catalog.
Security model
Quiverstone follows AWS security best practices throughout:
- Least privilege. Inventory roles are read-only; access roles default to ReadOnlyAccess and require explicit opt-in for elevated permissions.
- External IDs. Required for production deployments to prevent confused-deputy attacks.
- No persistent credentials. All AWS access uses temporary STS credentials.
- Custom role names. Templates strongly recommend replacing default names to reduce role discoverability.
- CloudTrail. Every AssumeRole call is captured in your AWS account’s CloudTrail, in addition to Quiverstone’s own audit log.
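One way to verify the External ID control from the list above on roles you have deployed, as an added example that is not Quiverstone's code or one of its templates: it audits a role trust policy document and reports any statement that lets an AWS principal assume the role without an exact-match sts:ExternalId condition. The function names, account ID and External ID value are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for one role trust policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = _as_list(principal.get("AWS"))
        else:
            aws = []
        if not aws:
            continue  # service/federated principals: External ID is not the control
        if "*" in aws:
            findings.append(f"Statement {i}: wildcard AWS principal")
        # Strict on purpose: only an exact-match StringEquals condition counts.
        conditions = (stmt.get("Condition") or {}).get("StringEquals", {})
        ext_ids = [v for k, vals in conditions.items()
                   if k.lower() == "sts:externalid" for v in _as_list(vals)]
        if not any(ext_ids):
            findings.append(f"Statement {i}: AssumeRole allowed without sts:ExternalId")
    return findings

def _trust(principal, condition=None):
    """Build a constructed sample trust policy (not a Quiverstone template)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed samples: placeholder account ID and External ID.
TRUSTED = "arn:aws:iam::111122223333:root"
WITH_ID = _trust(TRUSTED, {"StringEquals": {"sts:ExternalId": "example-external-id"}})
WITHOUT_ID = _trust(TRUSTED)
WILDCARD = _trust("*")

if __name__ == "__main__":
    for name, doc in [("with_id", WITH_ID), ("without_id", WITHOUT_ID), ("wildcard", WILDCARD)]:
        print(name, audit_trust_policy(doc) or "ok")
```

The trust policy JSON returned by `aws iam get-role` can be passed to `audit_trust_policy` directly.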
Resources
- CloudFormation templates — pre-built and version-controlled at github.com/quiverstone/quiverstone-roles-catalog.
- Changelog — quiverstone.canny.io/changelog.
- Support — email support@quiverstone.io.

