> ## Documentation Index
> Fetch the complete documentation index at: https://docs.quiverstone.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> Welcome to Quiverstone — the multi-account AWS management platform for MSPs, consultants, and enterprises

Quiverstone is a multi-account AWS management platform for Managed Service Providers (MSPs), cloud consultants, and organizations running estates of tens, hundreds, or thousands of AWS accounts. It gives you a single pane of glass for discovering accounts, managing access, and jumping into AWS consoles with scoped IAM credentials.

This page is a guided tour. If you're already oriented and just want to get hands-on, jump straight to [Getting started](#getting-started).

## What Quiverstone gives you

### Multi-account inventory

* **AWS Organizations discovery** — deploy a read-only inventory role in your management or delegated administrator account and Quiverstone automatically imports every member account.
* **Standalone accounts** — add individual AWS accounts outside an Organization.
* **Continuous updates** — new accounts in your Organizations appear automatically; existing accounts stay in sync.

### Access control and role assumption

* **IAM role deployment** — pre-built CloudFormation templates for direct, chained, browser-switch, and StackSet deployments.
* **External ID enforcement** — all production templates require External IDs to prevent confused-deputy attacks.
* **One-click role assumption** — jump from a Quiverstone Account into the AWS console with temporary credentials.
* **Chained access** — route role assumptions through a trusted intermediate account you control.

### Collaboration and governance

* **Teams** — separate the people who *manage* your AWS inventory (`SETTINGS` teams) from the people who *consume* it (`ACCESS` teams).
* **Groups** — share specific Organizations, Accounts, and Customers with specific users or teams, scoped to specific IAM roles.
* **Customer records** — track the business entities behind your AWS accounts for MSP and consulting workflows.
* **Audit trail** — every role assumption is logged both in Quiverstone and in CloudTrail.

## Who Quiverstone is for

**Managed Service Providers.** Manage hundreds of customer AWS Organizations from one workspace. Give each customer engagement its own team and Group. Hand customers self-service role deployment via the [Service Catalog](/setup/service-catalog).

**Cloud consultants.** Spin up lightweight workspaces for short-term engagements. The [Consultant tier](/subscriptions/consultant-quickstart) is purpose-built for two- or three-person practices.

**Enterprise platform teams.** Centralize access across dozens or hundreds of internal accounts. Use `SETTINGS` teams to keep the inventory under tight administrative control while delegating scoped, audit-friendly access to operators via Groups.

**DevOps and SRE teams.** Quickly jump into any of your AWS accounts with the right permission level, without juggling profiles or remembering role ARNs.

## Core concepts

### Subscription tiers

Quiverstone has four tiers — Free, Consultant, Pro, and Enterprise — that gate how many people can collaborate and how access is shared. Start with the [Subscriptions & Tiers](/subscriptions) overview for the full matrix.

### Organizations, Accounts, and Customers

* **Organizations** represent AWS Organizations. Add the management or delegated administrator account and Quiverstone discovers the member accounts automatically.
* **Accounts** are individual AWS accounts — either inventoried from an Organization or added standalone.
* **Customers** are the business entities that own your Organizations and Accounts. Useful for MSP and consulting workflows.

### Teams, Groups, and Roles

* **Teams** group users. `SETTINGS` teams manage the inventory; `ACCESS` teams consume it.
* **Groups** (Pro and Enterprise) are the mechanism for sharing specific resources with specific `ACCESS` teams and attaching IAM roles they can assume.
* **Roles** are saved AWS IAM role configurations that Groups use to grant scoped AWS access.

See the [Workspace](/setup/teams) section for the full model.

### IAM roles and access patterns

Quiverstone uses AWS IAM roles with External IDs for every piece of AWS access it performs. The [IAM Roles Overview](/setup/iam-roles) explains the three supported patterns — direct, chained, and browser-switch — and helps you pick the right one for your security posture.

## Getting started

<CardGroup cols={2}>
  <Card title="Subscriptions & Tiers" icon="layer-group" href="/subscriptions">
    Understand what each tier unlocks before you start inviting people.
  </Card>

  <Card title="Consultant Quickstart" icon="rocket" href="/subscriptions/consultant-quickstart">
    Set up a small shared workspace in under ten minutes.
  </Card>

  <Card title="Add an Organization" icon="building" href="/setup/organizations">
    Connect your first AWS Organization and auto-discover member accounts.
  </Card>

  <Card title="Add a Standalone Account" icon="server" href="/setup/accounts">
    Bring individual AWS accounts into Quiverstone.
  </Card>

  <Card title="Deploy IAM Roles" icon="key" href="/setup/iam-roles">
    Pick direct, chained, or browser-switch access and deploy the CloudFormation templates.
  </Card>

  <Card title="Service Catalog" icon="book" href="/setup/service-catalog">
    Give customers self-service role deployment through AWS Service Catalog.
  </Card>
</CardGroup>

## Security model

Quiverstone follows AWS security best practices throughout:

* **Least privilege.** Inventory roles are read-only; access roles default to `ReadOnlyAccess` and require explicit opt-in for elevated permissions.
* **External IDs.** Required for production deployments to prevent confused-deputy attacks.
* **No persistent credentials.** All AWS access uses temporary STS credentials.
* **Custom role names.** Templates strongly recommend replacing default names to reduce role discoverability.
* **CloudTrail.** Every `AssumeRole` call is captured in your AWS account's CloudTrail, in addition to Quiverstone's own audit log.

For the full security guidance, see the [Access Roles Reference](/setup/iam-roles/access#security-best-practices).

## Resources

* **CloudFormation templates** — pre-built and version-controlled at [github.com/quiverstone/quiverstone-roles-catalog](https://github.com/quiverstone/quiverstone-roles-catalog).
* **Changelog** — [quiverstone.canny.io/changelog](https://quiverstone.canny.io/changelog).
* **Support** — email [support@quiverstone.io](mailto:support@quiverstone.io).
