Skip to main content

Connect AWS to StackGuardian

Overview

StackGuardian provides three main approaches for authenticating your workloads or running discovery against an AWS account:

AWS RBAC Role

This method uses cross-account IAM role assumption with an External ID. It is the recommended approach for securely granting StackGuardian access to your AWS account without storing long-lived credentials.

CloudFormation Quick Setup

A pre-configured CloudFormation template can be used to create an IAM role with custom or AWS managed policies. This allows for the role and policy to be set up without accessing the StackGuardian platform.

For EU Region: Create IAM Role with CloudFormation

For US Region: Create IAM Role with CloudFormation

Contact your StackGuardian representative if you're unsure which region to use.

Step 1. Create an IAM Role in AWS

  1. Sign in to the AWS Management Console and navigate to IAM → Roles → Create role.
  2. Select Custom trust policy as the trusted entity type.
  3. Replace the contents of the trust policy editor with the following, substituting your own External ID: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::476299211833:root",
              "arn:aws:iam::163602625436:root"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<org-name>:<random-string>"
            }
          }
        }
      ]
    }
    The External ID must follow the format <org-name>:<random-string> — for example, myorg:abc12345.
  4. Click Next and assign the required permissions policy:
    • For discovery/read-only access: attach ReadOnlyAccess
    • For deployment access: attach permissions tailored to the resources StackGuardian will manage
  5. Give the role a descriptive name such as StackGuardianIntegrationRole, then click Create Role.
  6. Copy the Role ARN — you will need it in the next step.

Step 2. Create the Connector in StackGuardian

  1. In StackGuardian, navigate to Connectors → Cloud Providers.

  2. Click Connect with Cloud Provider.

  3. Add a Connector name.

  4. Input the Role ARN and External ID from Step 1.

  5. Click Create to finalize the connector.

This method uses OpenID Connect (OIDC) federation to allow StackGuardian to authenticate to AWS using temporary credentials — no long-lived secrets required.

important

For US Region, use https://api.us.stackguardian.io as Provider URL and Audience.

Step 1. Create an OIDC Identity Provider in AWS

  1. In the AWS Management Console, go to IAM → Identity Providers → Add provider.
  2. Select OpenID Connect as the provider type.
  3. Enter the Provider URL and Audience based on your region:
    • For EU Region: https://api.app.stackguardian.io
    • For US Region: https://api.us.stackguardian.io
  4. Click Add provider.

Step 2. Create an IAM Role for the OIDC Provider

  1. In IAM → Roles → Create role, select Web Identity as the trusted entity type.
  2. Choose the identity provider you just created
    • For EU Region: https://api.app.stackguardian.io
    • For US Region: https://api.us.stackguardian.io
  3. Select the audience:
    • For EU Region: https://api.app.stackguardian.io
    • For US Region: https://api.us.stackguardian.io
  4. Assign the required permissions:
    • For discovery/read-only access: attach ReadOnlyAccess
    • For deployment access: attach the least permissions required for your use case
  5. Name the role and click Create Role.
  6. Copy the Role ARN — you will need it for the final step.

Step 3. Update the Trust Policy

Navigate to your newly created role → Trust relationshipsEdit trust policy and apply the following, replacing the placeholder values:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:oidc-provider/api.app.stackguardian.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.app.stackguardian.io:aud": "https://api.app.stackguardian.io"
        },
        "StringLike": {
          "api.app.stackguardian.io:sub": "/orgs/<YOUR_SG_ORG>"
        }
      }
    }
  ]
}
  • Replace <YOUR_AWS_ACCOUNT_ID> with your AWS account ID.
  • Replace <YOUR_SG_ORG> with your StackGuardian organization name.

Step 4. Create the Connector in StackGuardian

  1. In StackGuardian, navigate to Connectors → Cloud Providers.
  2. Click Connect with Cloud Provider.
  3. Add a Connector name.
  4. Input the Role ARN from Step 2.
  5. Click Create to finalize the connector.

Access Key

This method uses a static AWS access key and secret. It is the simplest method but the least recommended, as it involves long-lived credentials.

Step 1. Create an IAM User in AWS

  1. In the AWS Management Console, navigate to IAM → Users → Create user.
  2. Provide a username (e.g., stackguardian-user).
  3. Select Access key - Programmatic access as the AWS access type.
  4. Attach the necessary policies to allow StackGuardian to manage your AWS infrastructure:
    • For discovery/read-only access: attach ReadOnlyAccess
    • For deployment access: attach the least permissions required for your use case
  5. Complete the user creation and copy the generated Access Key ID and Secret Access Key — these will not be shown again.

Step 2. Create the Connector in StackGuardian

  1. In StackGuardian, navigate to Connectors → Cloud Providers.
  2. Click Connect with Cloud Provider.
  3. Add a Connector name.
  4. Provide the following values:
    • Access Key ID
    • Secret Access Key
    • Default AWS Region
  5. Click Create to finalize the connector.

Group Connector

Group Connectors allow you to connect multiple AWS accounts at once instead of creating individual connectors — ideal for organizations managing large numbers of accounts.

Step 1. Begin Group Connector Setup

  1. Log in to the StackGuardian Platform and navigate to Connectors → Cloud Providers.
  2. Click Connect with Cloud Provider.
  3. In the connectors modal, select Connect Multiple Accounts (Preview).
  4. Choose your preferred connection method: Roles or RBAC (recommended) or Access Keys.

Step 2. Configure the Group

  1. Enter a Connector Group Name and Description (e.g., "Enterprise AWS Accounts").
  2. Provide the AWS Role ARN and External ID for the management role.
    • Ensure the External ID matches the format <org-name>:<random-string> or <org-name>-<random-string>
    • Leave Require MFA disabled
  3. Click Next (Preview).

Step 3. Select AWS Accounts

  1. In the List of Accounts in AWS Org section, use the Choose accounts dropdown to select individual accounts or click Select All.
  2. The list will include each account's Email and Account ID.
  3. Click Next (Preview).

Step 4. Configure Global Settings and Individual Accounts

  1. Under Global Settings, set the IAM Role Name and AWS Default Region — these apply to all connected accounts.
  2. Under Configure Accounts, fill in the following for each account:
    • AWS Connector Name — a brief name for the connector
    • Description — a short description of the account's purpose
    • AWS Role ARN — the role ARN for that account
    • External ID — the external ID associated with the role
    • Credential validity in seconds — the desired duration for temporary credentials
  3. Click Add All (Preview) to complete the setup.

Once created, click the Group Connector card to access and edit the configuration for any individual account within the group.