1. Watch a quick explanation on how to connect

The scanner creates a read-only cross-account role in your account. This role uses the AWS managed SecurityAudit policy. We will be able to read the information about your configuration but cannot see or access your data.

2. Launch CloudFormation stack

This will perform the following:

  • A new cross-account role will be created in your account. Our scanner will assume this role to assess your environment.
  • The AWS SecurityAudit policy will be attached to the new role. This grants read-only access to the metadata of your AWS services.

3. Copy and paste the Role ARN

Once the stack is finished, you can click on the Outputs tab in the CloudFormation page and copy the new Role ARN to your clipboard.

Paste the generated Role ARN into the field below and click Connect Account.

You can also connect your AWS account manually by creating the role and attaching the SecurityAudit policy yourself.

1. Create a New Role
  • Log in to the AWS Management Console and launch the IAM Console.
  • In the navigation pane on the left, select Roles.
  • Select Create role.
  • Under Select type of trusted entity, select Another AWS account.
  • In the Account ID field, copy and paste the Account ID value from the KirkpatrickPrice Connect AWS Account modal.

This is the scanner's Account ID. Entering it here allows the scanner account to assume this role in your account.

  • Select the Require external ID box and then enter any value into the External ID text field.

The scanner will be required to provide this External ID when assuming your role; keep a note of it, as you will need it again in step 3.

  • Select Next: Permissions.

2. Attach the SecurityAudit Policy

To give the scanner the read-only access it needs to perform a scan, attach the SecurityAudit policy to your new role.

  • In the search field, enter “SecurityAudit”.
  • Select the SecurityAudit policy box, then select Next: Tags.
  • Optional: Add any desired tags to your new role, then select Next: Review.
  • In the Role name text field, enter any role name.

Optional: In the Role description text field, provide a description of your new role.

  • Select Create role.
  • From the list of role names, select your newly created role.
  • At the top of the page, copy the Role ARN value to your clipboard.

3. Enter your Credentials
  • Return to the Connect AWS Account – Manual modal on the KirkpatrickPrice AWS Scanner site.
  • In the Role ARN text field, paste your copied Role ARN.
  • In the External ID text field, enter the External ID that was assigned when creating the role.

You can find this value by selecting the role name and opening the Trust relationships tab. The value is listed under Conditions.

  • Select Connect Account.
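The manual procedure above expressed as code, added here as an example and not KirkpatrickPrice's own code: build_trust_policy produces the trust policy the console generates for "Another AWS account" with "Require external ID", trust_policy_findings reviews an existing role's trust policy (the JSON on the Trust relationships tab) for the two properties that matter (only the scanner account may assume the role, and only with an External ID), and create_scanner_role performs steps 1 and 2 with boto3. The scanner Account ID, the role name and the iam client argument are assumed placeholders; the real Account ID is the one shown in the Connect AWS Account modal.

```python
import json

# Constructed placeholders: use the Account ID shown in the KirkpatrickPrice
# "Connect AWS Account" modal and the External ID you chose for the role.
SCANNER_ACCOUNT_ID = "111111111111"   # placeholder, not the real scanner account
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def build_trust_policy(scanner_account_id, external_id):
    """Trust policy the console generates for "Another AWS account" +
    "Require external ID": only that account may assume the role, and only
    when it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy, scanner_account_id):
    """Review a trust policy; [] means every AssumeRole grant is limited to
    the scanner account and gated by an External ID, else list the problems."""
    findings = []
    prefix = f"arn:aws:iam::{scanner_account_id}:"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # Deny statements and non-AssumeRole grants are irrelevant
        principal = stmt.get("Principal", {})
        # A Service-only principal is rendered as JSON so it is flagged as unexpected
        aws = principal if isinstance(principal, str) else principal.get("AWS", json.dumps(principal))
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or not p.startswith(prefix):
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("AssumeRole grant has no sts:ExternalId condition")
    return findings


def create_scanner_role(iam, role_name, scanner_account_id, external_id):
    """Steps 1-2 of the manual procedure via boto3 (iam = boto3.client("iam")).
    Returns the Role ARN to paste into the Connect AWS Account modal."""
    resp = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(
        build_trust_policy(scanner_account_id, external_id)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SECURITY_AUDIT_POLICY_ARN)
    return resp["Role"]["Arn"]
```

Run trust_policy_findings against the trust policy of an existing role before connecting it; any finding means the role is assumable more broadly than the SecurityAudit read-only scan requires.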