Axura

AWS Integration

Connect your AWS accounts to Axura for comprehensive cloud security scanning. Monitor IAM, S3, EC2, RDS, Lambda, and 50+ AWS services.
Updated: January 2026

Overview

The AWS integration scans your AWS infrastructure for security misconfigurations and compliance gaps. Axura assumes a read-only IAM role in your account; we never store your AWS credentials.

Scanned Services

Axura scans the following AWS services:

IAM (Users, Roles, Policies)
S3 (Buckets, Policies)
EC2 (Instances, Security Groups)
VPC (Subnets, NACLs)
RDS (Databases, Encryption)
Lambda (Functions, Permissions)
CloudTrail (Logging)
KMS (Keys, Policies)
GuardDuty (Threat Detection)
Config (Compliance Rules)
Secrets Manager
SNS/SQS

Setup Instructions

1. Create IAM Role

Create an IAM role that Axura will assume. Use the CloudFormation template or create it manually.

Trust Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

2. Attach Permission Policy

Attach a policy with read-only permissions for the services you want to scan.

Permission Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:GetBucket*",
        "s3:ListBucket",
        "iam:Get*",
        "iam:List*",
        "cloudtrail:Describe*",
        "config:Describe*",
        "guardduty:Get*",
        "guardduty:List*",
        "kms:Describe*",
        "rds:Describe*",
        "lambda:Get*",
        "lambda:List*"
      ],
      "Resource": "*"
    }
  ]
}

3. Add to Axura

In Axura, go to Settings → Integrations → Add Integration → AWS. Enter the Role ARN and External ID, then click Connect.

⚠️ Least Privilege

Our example policy includes all recommended permissions. You can reduce scope based on which services you want to scan.
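
A pre-flight check for the role defined in steps 1 and 2, as an added example (not Axura's code): it flags a trust policy with a wildcard principal or without a real sts:ExternalId, lists any allowed action that is not read-only, and trims the permission policy to the services you choose. The function names and the read-only verb list are assumptions of this example.

```python
import copy

# The two policies from the setup steps above, as Python dicts.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "s3:GetBucket*", "s3:ListBucket", "iam:Get*",
        "iam:List*", "cloudtrail:Describe*", "config:Describe*",
        "guardduty:Get*", "guardduty:List*", "kms:Describe*",
        "rds:Describe*", "lambda:Get*", "lambda:List*"]}]}
READ_ONLY_VERBS = ("Describe", "Get", "List")  # assumption: read-only prefixes

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def check_trust_policy(policy):
    """Findings for a cross-account trust policy; an empty list means OK."""
    findings = []
    for stmt in _allows(policy):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append("wildcard principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition")
        elif ext == "YOUR_EXTERNAL_ID":
            findings.append("ExternalId placeholder not replaced")
    return findings

def non_read_only_actions(policy):
    """Allowed actions whose verb does not start with a read-only prefix."""
    return [a for s in _allows(policy) for a in _as_list(s.get("Action", []))
            if not a.partition(":")[2].startswith(READ_ONLY_VERBS)]

def restrict_to_services(policy, services):
    """Copy of the policy keeping only actions for the given service prefixes."""
    out = copy.deepcopy(policy)
    for stmt in _allows(out):
        actions = _as_list(stmt.get("Action", []))
        stmt["Action"] = [a for a in actions if a.split(":")[0] in services]
    return out
```

A read-only verb can still return sensitive data, so treat the prefix check as a first filter when you add services to the policy.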

Multi-Account Setup

For AWS Organizations, you can connect multiple accounts:

  • Use StackSets to deploy the IAM role across all accounts
  • Connect each account individually, or
  • Use an organization-wide role with cross-account access
