CloudSploit uses the AWS-recommended best practice for connecting: a third-party cross-account role. This is an IAM role that you create and then give CloudSploit the permission to assume. Even if a malicious user obtained the role information, they could not assume it from any AWS account other than CloudSploit's. CloudSploit then uses this role to make AWS API calls to your account.