
# AWS Configurations


Amazon Web Services Integration – Step-by-Step Requirements

To integrate FSProtect with Amazon Web Services, specific IAM permissions must be granted to the IAM user or role used for scanning. This guide outlines how to create the required IAM user and permissions using the AWS Console, as well as an optional AWS CLI alternative.

***

**Step 1: Sign in to the AWS Console**

Sign in to the AWS Management Console at console.aws.amazon.com.

Navigate to **IAM (Identity and Access Management)** from the Services menu.

<figure><img src="/files/nuMPeuKpj3vFlKlVxfZO" alt=""><figcaption><p>Navigating to IAM in the AWS Management Console — Search for "IAM" in the search bar to access Identity and Access Management.</p></figcaption></figure>

***

**Step 2: Create an IAM User for FSProtect**

Go to **IAM > Users** and click **Add users**.

<figure><img src="/files/X9FVK4ouvkwcBUxFFClt" alt=""><figcaption><p>Create user</p></figcaption></figure>

Enter a username (e.g., `forestall-collector`).

Select **Access key – Programmatic access** as the credential type.

Click **Next: Permissions**.

<figure><img src="/files/UTQSdB3yxKFiX00vlZ5R" alt=""><figcaption><p>Create User</p></figcaption></figure>

***

**Step 3: Create and Attach an IAM Policy**

Select **Attach existing policies directly** and click **Create policy**.

<figure><img src="/files/ikQ5R45cVi4y9guxoW8M" alt=""><figcaption><p>Set Permissions</p></figcaption></figure>

Switch to the **JSON** tab and paste the following policy:

<figure><img src="/files/hR9xruFAytQnSnNSDPV5" alt=""><figcaption><p>Policy Editor</p></figcaption></figure>

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FSProtectRequired",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:GetUser",
        "iam:GetGroup",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListUserPolicies",
        "iam:ListGroupPolicies",
        "iam:ListRolePolicies",
        "iam:GetUserPolicy",
        "iam:GetGroupPolicy",
        "iam:GetRolePolicy",
        "iam:ListPolicyVersions",
        "iam:ListRoleTags",
        "iam:ListUserTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FSProtectOptional",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": "*"
    }
  ]
}
```

Click **Next: Tags**, then **Next: Review**.

Give the policy a name (e.g., `FSProtectScanPolicy`) and click **Create policy**.

Go back to the user creation flow, search for `FSProtectScanPolicy`, and attach it to the user.

Click **Next: Review** and then **Create user**.

<figure><img src="/files/dOs7H4OVN1LnI6VoDq9Y" alt=""><figcaption><p>Review And Create</p></figcaption></figure>

***

**Step 4: Copy Access Key Credentials**

<figure><img src="/files/rOBUuXBQ4J1vZKlCJQgM" alt=""><figcaption><p>Security Credentials</p></figcaption></figure>

After the user is created, copy the **Access Key ID** and **Secret Access Key**.

<figure><img src="/files/02AIuN6XXssy0SlB2f0k" alt=""><figcaption><p>Create Access Key</p></figcaption></figure>

> ⚠️ The Secret Access Key is only shown once. Save it securely before closing the page.

***

**Step 5: (Optional) Set Up Cross-Account Role for Assume Role**

If you want to use Assume Role instead of direct access keys:

Go to **IAM > Roles** and click **Create role**.

Select **Another AWS account** and enter the account ID of the account where FSProtect runs.

Optionally enable **Require external ID** and enter a unique value.

Attach the `FSProtectScanPolicy` to the role.

Name the role (e.g., `FSProtectAssumeRole`) and click **Create role**.

Copy the **Role ARN** — you will use this in the FSProtect AWS Configuration as the **Assume Role ARN**.
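The console steps above, as an added CLI example that is not part of the FSProtect documentation or its own tooling: it builds the role's trust policy (restricting who may assume it to the FSProtect account, and only when the agreed external ID is presented) and then creates the role and attaches `FSProtectScanPolicy`. The account IDs and the external ID are placeholders you supply.

```bash
#!/usr/bin/env bash
# Added example, not from the FSProtect docs. Assumptions (placeholders):
#   FSPROTECT_ACCOUNT_ID  - 12-digit ID of the account where FSProtect runs
#   EXTERNAL_ID           - the unique value chosen for "Require external ID"
#   ACCOUNT_ID            - 12-digit ID of the account being scanned
set -eu

# Emit the role trust policy. Only the FSProtect account's principals may call
# sts:AssumeRole, and only if they pass the matching sts:ExternalId. Without
# the Condition, anyone who learns the Role ARN from that account could assume it.
fsprotect_trust_policy() {
  fsprotect_account_id="$1"
  external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${fsprotect_account_id}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Create FSProtectAssumeRole with that trust policy, attach the scan policy
# created in Step 3, and print the Role ARN to enter as "Assume Role ARN".
create_fsprotect_role() {
  fsprotect_account_id="$1"
  external_id="$2"
  account_id="$3"
  fsprotect_trust_policy "$fsprotect_account_id" "$external_id" > fsprotect-trust.json
  aws iam create-role \
    --role-name FSProtectAssumeRole \
    --assume-role-policy-document file://fsprotect-trust.json \
    --query 'Role.Arn' --output text
  aws iam attach-role-policy \
    --role-name FSProtectAssumeRole \
    --policy-arn "arn:aws:iam::${account_id}:policy/FSProtectScanPolicy"
}
```

Run it as `create_fsprotect_role FSPROTECT_ACCOUNT_ID EXTERNAL_ID ACCOUNT_ID`; the printed ARN is the value for the Assume Role ARN field, and the same external ID goes into the External ID field.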

***

**Step 6: AWS Configuration in FSProtect**

Navigate to **Settings > AWS Configuration** in FSProtect and fill in the fields.

<figure><img src="/files/hg0y18oD0yJHx9RaPA0A" alt=""><figcaption><p><strong>AWS Configuration</strong></p></figcaption></figure>

***

**AWS Configuration Fields**

| Field                      | Description                                                                |
| -------------------------- | -------------------------------------------------------------------------- |
| Region                     | The AWS region type of the account (Commercial, GovCloud, or China).       |
| Account ID                 | The 12-digit AWS account ID to be scanned.                                 |
| Access Key ID              | The access key ID of the IAM user created for FSProtect.                   |
| Secret Access Key          | The secret access key associated with the provided Access Key ID.          |
| Assume Role ARN (optional) | The ARN of the IAM role to assume for cross-account access.                |
| External ID (optional)     | An optional external ID used for additional security when assuming a role. |
| Session Name               | The session name used when assuming a role. Defaults to FSProtect.         |
| Account Display Name       | A friendly name to identify this AWS account within FSProtect.             |

**Actions**

**Test** — Validates the AWS configuration by attempting to authenticate and verify permissions. Use this to ensure your configuration is correct before saving.

**Save** — Saves the current configuration settings to the application.

***

**(Optional) AWS CLI Alternative**

If you prefer to automate IAM user and policy creation using the AWS CLI:

```bash
# Create the IAM user that FSProtect will authenticate as
aws iam create-user --user-name forestall-collector

# Create the policy from the JSON above, saved locally as fsprotect-policy.json
# (the output includes the policy ARN used in the next step)
aws iam create-policy \
  --policy-name FSProtectScanPolicy \
  --policy-document file://fsprotect-policy.json

# Attach the policy to the user
# (replace ACCOUNT_ID with the 12-digit ID of the account being scanned)
aws iam attach-user-policy \
  --user-name forestall-collector \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/FSProtectScanPolicy

# Create the access key pair entered in the FSProtect AWS Configuration
aws iam create-access-key --user-name forestall-collector
```

> The output will include the `AccessKeyId` and `SecretAccessKey`. Save these values before proceeding.

***

**Best Practices**

* **Least Privilege** — Only grant the minimum permissions required for FSProtect to function.
* **Key Rotation** — Regularly rotate access keys (recommended every 90 days or per your security policy).
* **Use Assume Role** — Where possible, prefer Assume Role over long-lived access keys for improved security.
* **Permission Review** — Periodically review granted permissions and remove any that are no longer needed.
* **Testing** — Always use the "Test" button to validate configuration before saving changes.

***

**Troubleshooting**

**Authentication Fails**

* Verify the Access Key ID and Secret Access Key are correct and have not been deactivated.
* Ensure the IAM user is active and not restricted by an SCP (Service Control Policy).

**Permission Denied Errors**

* Confirm all required permissions are included in the attached policy.
* Check if an SCP at the AWS Organization level is blocking the actions.
* Verify the IAM user or role has the policy correctly attached.

**Configuration Won't Save**

* Ensure all required fields are filled.
* Verify the Account ID is a valid 12-digit number.
* Check that the Test passes successfully before saving.

***

**Required AWS IAM Permissions**

**1. iam:ListUsers / iam:GetUser** Grants read access to IAM user objects across the account. Required to enumerate all users and retrieve their attributes for identity analysis.

**2. iam:ListGroups / iam:GetGroup** Grants read access to IAM groups. Required to map group memberships and evaluate group-level access control.

**3. iam:ListRoles / iam:GetRole** Grants read access to IAM roles. Required to enumerate roles and their trust policies, and to assess privilege escalation paths.

**4. iam:ListPolicies / iam:GetPolicy / iam:GetPolicyVersion** Grants read access to IAM managed policies and their document content. Required to analyze effective permissions and identify overly permissive policies.

**5. iam:ListGroupsForUser** Allows retrieval of the groups a specific IAM user belongs to. Required to build complete user-to-group-to-policy relationships.

**6. iam:ListAttachedUserPolicies / iam:ListAttachedGroupPolicies / iam:ListAttachedRolePolicies** Grants access to the list of managed policies attached to users, groups, and roles. Required for full policy coverage analysis.

**7. iam:GetUserPolicy / iam:GetGroupPolicy / iam:GetRolePolicy** Grants read access to inline policies embedded in users, groups, and roles. Required to detect hidden or non-standard permission grants.

***

**Optional AWS IAM Permissions for Enhanced Functionality**

**1. iam:ListAccessKeys** Grants read access to access key metadata for IAM users. Required to detect inactive, unused, or old access keys as a security risk indicator.

**2. iam:GetAccessKeyLastUsed** Provides the last used date and service information for each access key. Required to identify stale credentials that may pose a security risk.

> ⚠️ These permissions are optional but strongly recommended for complete IAM access key visibility and security assessment coverage.
