Live integration

AWS

Cloud · Cross-account IAM role · Daily

Cross-account IAM-role auth. Pulls IAM (root MFA, MFA coverage, password policy), CloudTrail (multi-region logging), S3 (account public-access block), and GuardDuty (status + high-severity findings).

Authentication
Cross-account IAM role
Sync cadence
Daily
Stale threshold
Every 2 days
Category
Cloud

Evidence this connector produces

Every sync writes typed evidence rows linked to the controls below. Evidence is immutable once attached to an approved assessment, fingerprinted for de-dup, and surfaced in the control coverage calculation on your dashboard.

SOC 2: CC6.1, CC6.6, CC7.1, CC7.2
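The pass/fail logic behind the evidence rows listed above, as an added example that is not ThirdSentry's code. It runs each check over constructed, API-shaped inputs (the field names follow the AWS responses named in the comments) and emits fingerprinted evidence rows; the row layout, the fingerprint scheme and the password-policy thresholds are assumptions made for illustration.

```python
"""Added example, not ThirdSentry's code: the pass/fail logic behind the
evidence listed above, run over constructed API-shaped inputs so it works
offline. Field names follow the AWS API responses named in the comments; the
row layout, fingerprint scheme and password-policy thresholds are assumptions."""
import csv, hashlib, io, json

# Constructed IAM credential report (iam.get_credential_report, decoded CSV);
# only the columns used below are kept.
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
"""

# Constructed inputs for the remaining checks, keyed by the API they mimic.
SAMPLE_ACCOUNT = {
    "summary_map": {"AccountMFAEnabled": 1},            # iam.get_account_summary
    "password_policy": {                                 # iam.get_account_password_policy
        "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
        "PasswordReusePrevention": 24, "MaxPasswordAge": 90},
    # cloudtrail.describe_trails, with IsLogging merged in from get_trail_status
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}],
    "public_access_block": {                             # s3control.get_public_access_block
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "detectors": [{"DetectorId": "12abc", "Status": "ENABLED"}],  # guardduty.get_detector
    "findings": [{"Id": "finding-1", "Severity": 8.0}],           # guardduty.get_findings
}

def check_root_mfa(summary_map):
    """AccountMFAEnabled is 1 when the root user has an MFA device."""
    return summary_map.get("AccountMFAEnabled") == 1

def check_mfa_coverage(report_csv):
    """Every user with a console password needs MFA; root is covered separately."""
    rows = csv.DictReader(io.StringIO(report_csv))
    missing = [r["user"] for r in rows if r["user"] != "<root_account>"
               and r["password_enabled"] == "true" and r["mfa_active"] != "true"]
    return not missing, missing

def check_password_policy(policy):
    """None models the NoSuchEntity error raised when no custom policy exists.
    Thresholds (14 chars, 24 remembered, 90-day rotation) are assumed values."""
    if not policy:
        return False
    flags = ("RequireSymbols", "RequireNumbers",
             "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    return (policy.get("MinimumPasswordLength", 0) >= 14
            and all(policy.get(k) for k in flags)
            and policy.get("PasswordReusePrevention", 0) >= 24
            and 0 < policy.get("MaxPasswordAge", 0) <= 90)

def check_multi_region_trail(trails):
    """At least one trail must span all regions and actually be logging."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails)

def check_public_access_block(pab):
    """All four account-level settings must be on; a partial block still fails."""
    return all(pab.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))

def check_guardduty(detectors, findings):
    """Returns (detector enabled, ids of findings with severity >= 7.0, i.e. high)."""
    enabled = any(d.get("Status") == "ENABLED" for d in detectors)
    high = [f["Id"] for f in findings if f.get("Severity", 0) >= 7.0]
    return enabled, high

def fingerprint(row):
    """SHA-256 over canonical JSON of the row (minus any existing fingerprint), so an
    unchanged result on the next sync de-dups to the same evidence row."""
    body = {k: v for k, v in row.items() if k != "fingerprint"}
    return hashlib.sha256(json.dumps(body, sort_keys=True,
                                     separators=(",", ":")).encode()).hexdigest()

def collect_evidence(account, report_csv, connector="aws"):
    """Run every check and return typed, fingerprinted evidence rows."""
    mfa_ok, mfa_missing = check_mfa_coverage(report_csv)
    gd_enabled, gd_high = check_guardduty(account["detectors"], account["findings"])
    results = [
        ("iam.root_mfa", check_root_mfa(account["summary_map"]), {}),
        ("iam.mfa_coverage", mfa_ok, {"users_without_mfa": mfa_missing}),
        ("iam.password_policy", check_password_policy(account.get("password_policy")), {}),
        ("cloudtrail.multi_region", check_multi_region_trail(account["trails"]), {}),
        ("s3.account_public_access_block",
         check_public_access_block(account["public_access_block"]), {}),
        ("guardduty.enabled", gd_enabled, {}),
        ("guardduty.no_high_findings", not gd_high, {"high_severity_findings": gd_high}),
    ]
    rows = []
    for check, passed, detail in results:
        row = {"connector": connector, "check": check, "passed": passed, "detail": detail}
        row["fingerprint"] = fingerprint(row)
        rows.append(row)
    return rows

if __name__ == "__main__":
    for r in collect_evidence(SAMPLE_ACCOUNT, SAMPLE_CREDENTIAL_REPORT):
        print("PASS" if r["passed"] else "FAIL", r["check"], r["fingerprint"][:12], r["detail"] or "")
```

With the constructed inputs, three rows fail: `iam.mfa_coverage` (bob has a console password and no MFA), `s3.account_public_access_block` (RestrictPublicBuckets is off, and a partial block is treated as no block), and `guardduty.no_high_findings` (one severity-8.0 finding). The fingerprint excludes nothing but itself, so a changed `detail` list on the next sync produces a new row rather than silently overwriting the old one.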

How to connect

Create a cross-account IAM role in your AWS account that ThirdSentry can assume read-only. Takes ~5 minutes.

  1. Choose an external ID

    Generate any 8–256 character string you'll keep private. This is the secret that ties the role to your ThirdSentry tenant: every AssumeRole call must present it, so a third party who merely learns your role ARN cannot assume it through ThirdSentry (the confused-deputy problem).

  2. Create the IAM role

    In the AWS Console → IAM → Roles → Create role. Choose 'Custom trust policy' and paste the JSON below. Replace <thirdsentry-principal-arn> with the ThirdSentry principal ARN and <your-external-id> with the ID you generated.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "<thirdsentry-principal-arn>" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "sts:ExternalId": "<your-external-id>" }
          }
        }
      ]
    }

  3. Attach read-only policies

    Attach the AWS-managed policies SecurityAudit and ReadOnlyAccess. These are sufficient for IAM, CloudTrail, S3, and GuardDuty reads.

  4. Copy the role ARN

    After saving, copy the role ARN (it looks like arn:aws:iam::123456789012:role/ThirdSentry) and paste it into the form alongside your external ID.
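The four steps above carried out with boto3 instead of the console, as an added example that is not ThirdSentry's own tooling. It generates an external ID, builds the trust policy, sanity-checks that the policy carries the ExternalId condition and no wildcard principal, then creates the role and attaches the two managed policies. The ThirdSentry principal ARN is a placeholder (use the real one when you connect), the role name is arbitrary, and the live calls assume AWS credentials for the target account are configured; the policy helpers run without boto3 installed.

```python
"""Added example, not ThirdSentry's tooling: steps 1-4 via boto3 instead of the
console. TS_PRINCIPAL_ARN is a placeholder; the role name is arbitrary. The
live calls in create_role() assume credentials for your account are configured."""
import json
import secrets

ROLE_NAME = "ThirdSentry"                          # any name; the ARN is what you paste
TS_PRINCIPAL_ARN = "<thirdsentry-principal-arn>"   # placeholder, not a real value
MANAGED_POLICIES = ("arn:aws:iam::aws:policy/SecurityAudit",   # step 3
                    "arn:aws:iam::aws:policy/ReadOnlyAccess")

def generate_external_id(nbytes=24):
    """Step 1: a random secret (48 hex chars, inside the 8-256 character bound)."""
    return secrets.token_hex(nbytes)

def validate_external_id(external_id):
    """AWS accepts 8-256 characters; reject anything else before it reaches a policy."""
    return isinstance(external_id, str) and 8 <= len(external_id) <= 256

def build_trust_policy(principal_arn, external_id):
    """Step 2: the trust policy as a dict. The sts:ExternalId condition is what stops
    a caller who only knows the role ARN (confused deputy) from assuming it."""
    if not validate_external_id(external_id):
        raise ValueError("external ID must be 8-256 characters")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_is_scoped(policy):
    """Pre-save check: every Allow of sts:AssumeRole* must carry an ExternalId
    condition and must not grant to a wildcard principal."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return False
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return True

def create_role(external_id, principal_arn=TS_PRINCIPAL_ARN, role_name=ROLE_NAME):
    """Steps 2-4 against the live IAM API; returns the role ARN to paste into the form."""
    import boto3  # imported here so the policy helpers above work without boto3
    policy = build_trust_policy(principal_arn, external_id)
    if not trust_policy_is_scoped(policy):
        raise ValueError("refusing to create a role with an unscoped trust policy")
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(policy),
                           Description="ThirdSentry read-only evidence collection")
    for policy_arn in MANAGED_POLICIES:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return role["Role"]["Arn"]

if __name__ == "__main__":
    ext_id = generate_external_id()
    print("external ID (keep private):", ext_id)
    print(json.dumps(build_trust_policy(TS_PRINCIPAL_ARN, ext_id), indent=2))
    # print("role ARN:", create_role(ext_id))  # uncomment to run against your account
```

Run as-is it only prints the external ID and the rendered policy; `create_role` is the one function that talks to AWS. The `trust_policy_is_scoped` guard is there for the case where the policy is later edited by hand: dropping the `Condition` block or widening the principal to `*` turns the role into one anyone with the ARN can assume, which is exactly what the external ID exists to prevent.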

Security model

Every connector ships behind the same auditor-grade primitives — not just RBAC config, but architectural enforcement.

Credentials KMS-encrypted at rest

Tokens, client secrets, and service-account keys are encrypted under a per-tenant AWS KMS data key. The plaintext is never persisted, never logged, and never leaves the FastAPI process boundary.

Tenant-isolated by architecture

Every Connection, ConnectorRun, and emitted Evidence row carries an organization ObjectId. The scheduler never iterates without an org-scoped filter; cross-tenant evidence bleed is impossible at the data layer.

Audit log on every action

Connect, sync, sync-failure, re-auth, and revoke each write a row to the immutable AuditLog. The full lifecycle is reconstructable for any examiner.

Soft-delete on revoke

Revoking a connection sets deletedAt and clears the encrypted credential blob, but the historical evidence + sync log stays queryable for the retention window. Auditors can still trace what was attested when.

Stale-evidence degradation

If this connector hasn't synced within its stale threshold of 2 days, control coverage degrades automatically and an alert fires. Auditors don't trust stale evidence — neither do we.

Least-privilege scopes only

We request the minimum read-only scopes needed for the listed evidence. No write scopes, no admin scopes, no scopes outside the documented set.

Ready to connect AWS?

Connect from Settings → Integrations — typically under 5 minutes. Or talk to us first.