# AWS

Connecting AWS to SureCloud enables continuous visibility into your cloud infrastructure — automatically collecting configuration evidence, detecting control failures, and surfacing security findings across your AWS estate.

SureCloud monitors IAM hygiene, audit logging, encryption posture, network security, vulnerability findings, and more — pulling directly from AWS APIs on a scheduled basis so your controls stay evidenced without manual effort.

## What SureCloud Monitors

| Service      | What is monitored                                            |
| ------------ | ------------------------------------------------------------ |
| IAM          | Users, roles, MFA status, password policy, access key age    |
| CloudTrail   | Trail enablement, multi-region coverage, log integrity       |
| AWS Config   | Configuration recording status and rule compliance           |
| S3           | Bucket encryption, public access blocks, versioning, logging |
| Security Hub | Aggregated security findings across standards                |
| EC2 & VPC    | Security groups, flow logs, volume encryption, snapshots     |
| GuardDuty    | Threat detection enablement and active findings              |
| KMS          | Key inventory, rotation status, access policies              |
| RDS          | Instance encryption, backups, public accessibility           |
| CloudWatch   | Alarms, log group retention, CIS metric filters              |

## Authentication

SureCloud connects to AWS using a **cross-account IAM Role**, assumed via AWS Security Token Service (STS). This is AWS's recommended pattern for secure third-party integrations — no long-lived credentials are stored by SureCloud; it only receives short-lived session credentials when it assumes the role.

{% stepper %}
{% step %}

#### Create a cross-account IAM Role

In the AWS IAM console, create a new role and configure the trust relationship to allow SureCloud to assume it. Use the **Account ID** and **External ID** provided in your SureCloud integration settings.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SURECLOUD_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR_EXTERNAL_ID>"
        }
      }
    }
  ]
}
```

{% hint style="warning" %}
Always include the `sts:ExternalId` condition. This prevents the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html), where another AWS customer could trick SureCloud into accessing your account.
{% endhint %}
{% endstep %}

{% step %}

#### Attach a permissions policy

Attach the following AWS managed policies to the role:

* **`SecurityAudit`** — read access for security-relevant configuration
* **`ReadOnlyAccess`** — general read access across services

For least-privilege deployments, use the minimal custom policy provided in each service sub-page instead.
{% endstep %}

{% step %}

#### Register the Role ARN in SureCloud

In **SureCloud → Integrations → AWS**, enter:

* **Role ARN** — e.g. `arn:aws:iam::123456789012:role/SureCloudRole`
* **External ID** — copied from your SureCloud integration settings
* **AWS Region(s)** — select every region you want SureCloud to monitor
* **Account name** — a label to identify this account in SureCloud

Click **Test Connection** to verify SureCloud can successfully assume the role.
{% endstep %}
{% endstepper %}
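As an added example (not SureCloud's own code), the Python check below validates the step 1 trust policy before you attach it: it confirms that the only principal allowed to assume the role is the SureCloud account root and that the `sts:ExternalId` condition is present and matches exactly, flagging the weakened forms the Troubleshooting section describes. The account ID and External ID are constructed placeholder values.

```python
# Added example: validate a cross-account trust policy before attaching it.
# Constructed sample values; use the ones shown in your SureCloud settings.
SURECLOUD_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "sc-example-external-id"

# The step 1 trust policy with its placeholders filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SURECLOUD_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Principal and Action; normalise."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_account_id, expected_external_id):
    """Return a list of problems; an empty list means the policy is as intended.

    Every Allow statement granting sts:AssumeRole must name only the SureCloud
    account root as principal and carry a StringEquals sts:ExternalId condition
    equal to the expected value (the confused-deputy guard from step 1).
    """
    problems = []
    expected_principal = f"arn:aws:iam::{expected_account_id}:root"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant assumption
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principals != [expected_principal]:
            problems.append(f"statement {i}: principal {principals} is not [{expected_principal}]")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: missing sts:ExternalId condition (confused deputy risk)")
        elif ext != expected_external_id:
            problems.append(f"statement {i}: sts:ExternalId mismatch (the value is case-sensitive)")
    return problems
```

Run it against the JSON you are about to paste into the IAM console; an empty list means the trust relationship is scoped as step 1 intends.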

## Multi-Account Setup

For AWS Organizations, repeat the role creation for each member account and register each Role ARN in SureCloud as a separate account. Use **CloudFormation StackSets** to deploy the IAM role consistently across all accounts in one operation.

{% tabs %}
{% tab title="StackSet deployment" %}
Deploy the SureCloud IAM role to all accounts in your organisation using StackSets. This ensures coverage is maintained as new accounts are created.

```yaml
DeploymentTargets:
  OrganizationalUnitIds:
    - ou-xxxx-xxxxxxxx
Regions:
  - us-east-1
  - eu-west-1
```

Run the StackSet from your management account, targeting the OUs you want SureCloud to monitor.
{% endtab %}

{% tab title="Per-account setup" %}
For standalone accounts without AWS Organizations, create the IAM role manually in each account and register each Role ARN separately in SureCloud. Assign distinct account names to tell them apart in the SureCloud UI.
{% endtab %}
{% endtabs %}

## Polling Frequency

| Data Type                  | Interval       |
| -------------------------- | -------------- |
| IAM credential report      | Every 24 hours |
| CloudTrail trail status    | Every 24 hours |
| Config rule compliance     | Every 6 hours  |
| Security Hub findings      | Every 4 hours  |
| GuardDuty findings         | Every 4 hours  |
| EC2, S3, RDS configuration | Every 24 hours |

{% hint style="info" %}
To reduce detection latency to near-real-time, configure **Amazon EventBridge** to push Security Hub and GuardDuty findings to SureCloud's webhook endpoint. Contact SureCloud support to enable this for your account.
{% endhint %}

## Troubleshooting

<details>

<summary>Test Connection fails with "Access Denied"</summary>

Verify that:

1. The SureCloud Account ID in the trust policy matches exactly what is shown in your SureCloud integration settings.
2. The External ID in the trust policy matches exactly — it is case-sensitive.
3. The permissions policy has been attached to the role, not just saved as an inline policy draft.

</details>

<details>

<summary>External ID mismatch error on AssumeRole</summary>

The External ID must exactly match the value shown in SureCloud. Re-copy it from **SureCloud → Integrations → AWS** and update the trust policy. Some SureCloud workflows generate a new External ID on reconnect — always use the value currently shown in the UI.

</details>

<details>

<summary>Findings appear in some regions but not others</summary>

GuardDuty, Security Hub, and AWS Config must each be enabled per region. SureCloud cannot collect evidence from a service that has not been activated in a given region. Verify that the relevant services are enabled in every region registered in SureCloud.

</details>

## Service Pages

Detailed endpoint documentation, use cases, and per-service IAM permissions are covered in the following sub-pages:

* [IAM](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/iam.md)
* [CloudTrail](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/cloudtrail.md)
* [AWS Config](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/config.md)
* [S3](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/s3.md)
* [Security Hub](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/security-hub.md)
* [EC2 & VPC](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/ec2-vpc.md)
* [GuardDuty](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/guardduty.md)
* [KMS](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/kms.md)
* [RDS](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/rds.md)
* [CloudWatch](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/aws/cloudwatch.md)
