How to Integrate PolicyCortex with AWS for Secure Cloud Governance
Complete guide to integrating PolicyCortex with Amazon Web Services. Establish secure, comprehensive governance coverage across all AWS accounts, regions, and services with minimal setup and maximum visibility.
AWS Integration Documentation: Quick Start & Setup Guide
Quick Setup Guide
5-Minute AWS Integration
Get PolicyCortex connected to your AWS environment quickly using our automated setup process. This creates the necessary IAM roles and permissions for comprehensive governance coverage.
Step 1: CloudFormation
Deploy our pre-built CloudFormation template to create required IAM resources
Step 2: Connect
Add the generated role ARN to PolicyCortex dashboard
Step 3: Verify
Run initial scan to confirm connectivity and coverage
Deploy CloudFormation Template
Use our pre-configured CloudFormation template to create the IAM role and policies that let PolicyCortex access your AWS resources securely. The ExternalId parameter is the value PolicyCortex will present on every sts:AssumeRole call: use a unique, unguessable string (16 random bytes, hex-encoded, is plenty), keep it out of source control, and supply the same value when you register the role in the dashboard.
# Download the PolicyCortex CloudFormation template
wget https://assets.policycortex.com/templates/aws-integration.yaml
# Deploy the stack with your organization identifier
aws cloudformation create-stack \
--stack-name PolicyCortex-Integration \
--template-body file://aws-integration.yaml \
--parameters ParameterKey=OrganizationId,ParameterValue=your-org-id \
ParameterKey=ExternalId,ParameterValue=generated-external-id \
--capabilities CAPABILITY_IAM
# Wait for stack creation to complete
aws cloudformation wait stack-create-complete \
--stack-name PolicyCortex-Integration
Configure Cross-Account Role
Set up the cross-account IAM role that PolicyCortex assumes with short-lived STS credentials, so you never issue long-lived access keys. The trust policy below restricts who may assume the role on three axes: the calling AWS account (Principal), a shared ExternalId that blocks confused-deputy abuse by other tenants of the same vendor account, and the public source IP of the AssumeRole request. Replace the account ID, external ID and CIDR ranges with the values PolicyCortex provides. Note that aws:SourceIp is evaluated against the public IP of the caller and is not present for requests that arrive over a VPC endpoint, so the IP condition only works for calls made from PolicyCortex's published egress ranges over the public STS endpoint.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "your-unique-external-id"
},
"IpAddress": {
"aws:SourceIp": [
"52.200.0.0/16",
"34.196.0.0/16"
]
}
}
}
]
}
Test and Validate Connection
Verify that PolicyCortex can assume the role and has the permissions it needs to scan and monitor resources. Every AssumeRole attempt against the role, whether allowed or denied, is recorded in your account's CloudTrail, so that is the first place to look when the connection test fails.
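Before running the connection test, it is worth checking the trust policy itself rather than only the end-to-end result. The following is an added example, not PolicyCortex code: it generates a random external ID, renders the trust policy from the section above, and lints any trust policy for the classic cross-account mistakes (wildcard principal, missing sts:ExternalId, open CIDR, wrong vendor account). The vendor account ID and CIDR ranges are the placeholders from this page, and the minimum external ID length is an assumption.

```python
from __future__ import annotations

import ipaddress
import json
import secrets

# Assumptions for this added example (placeholder values from the page, not PolicyCortex's real ones):
VENDOR_ACCOUNT = "123456789012"
VENDOR_EGRESS_CIDRS = ["52.200.0.0/16", "34.196.0.0/16"]
MIN_EXTERNAL_ID_LEN = 16


def generate_external_id() -> str:
    """Return a 32-hex-character external ID from the OS CSPRNG."""
    return secrets.token_hex(16)


def build_trust_policy(vendor_account: str, external_id: str, source_cidrs: list[str]) -> dict:
    """Render the cross-account trust policy shown in the section above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "IpAddress": {"aws:SourceIp": list(source_cidrs)},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    # "arn:aws:iam::123456789012:root" -> "123456789012"; bare account IDs pass through unchanged
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def lint_trust_policy(policy: dict, vendor_account: str) -> list[str]:
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17; policy variables and conditions may not evaluate")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal lets any AWS account attempt AssumeRole")
            elif _account_of(p) != vendor_account:
                findings.append(f"statement {i}: principal {p} is not the expected vendor account")
        cond = stmt.get("Condition", {})
        external_ids = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if not external_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        for ext in external_ids:
            if len(ext) < MIN_EXTERNAL_ID_LEN:
                findings.append(f"statement {i}: external ID shorter than {MIN_EXTERNAL_ID_LEN} characters")
        cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if not cidrs:
            findings.append(f"statement {i}: no aws:SourceIp restriction")
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"statement {i}: {cidr} allows every source address")
    return findings


# Constructed weak policy for comparison: wildcard principal, no external ID, open CIDR.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
        "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}},
    }],
}


if __name__ == "__main__":
    good = build_trust_policy(VENDOR_ACCOUNT, generate_external_id(), VENDOR_EGRESS_CIDRS)
    print(json.dumps(good, indent=2))
    print("findings (generated policy):", lint_trust_policy(good, VENDOR_ACCOUNT))
    print("findings (weak policy):", lint_trust_policy(WEAK_TRUST_POLICY, VENDOR_ACCOUNT))
```

Run it against the trust policy you actually deployed (for example the output of `aws iam get-role`, parsed with `json.loads`) and pass the vendor account ID you expect; a non-empty result is a reason to stop before handing over the role ARN.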
# Test the integration using PolicyCortex CLI
policycortex aws test-connection \
--role-arn arn:aws:iam::YOUR-ACCOUNT:role/PolicyCortexRole \
--external-id your-external-id
# Run initial discovery scan
policycortex aws scan \
--account-id YOUR-ACCOUNT-ID \
--regions us-east-1,us-west-2 \
--services ec2,s3,iam,rds \
--output json
# Verify resource discovery
policycortex aws list-resources \
--account-id YOUR-ACCOUNT-ID \
--summary
Required Permissions
Minimum Required Permissions
PolicyCortex requires read-only access to AWS services for governance monitoring, following the principle of least privilege: the policy below requests only the actions needed for operation. Review one entry against your own data-handling rules before deploying: s3:GetObject* matches s3:GetObject and therefore grants access to object contents, not just object ACLs and tags, and Resource "*" applies it to every bucket in the account. If PolicyCortex only needs bucket configuration, drop that action or scope it to specific bucket ARNs.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PolicyCortexCoreAccess",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:List*",
"iam:Get*",
"s3:GetBucket*",
"s3:ListBucket*",
"s3:GetObject*",
"rds:Describe*",
"lambda:List*",
"lambda:Get*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:LookupEvents",
"config:Describe*",
"config:Get*",
"config:List*",
"logs:Describe*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"organizations:Describe*",
"organizations:List*",
"sts:GetCallerIdentity"
],
"Resource": "*"
},
{
"Sid": "PolicyCortexTagAccess",
"Effect": "Allow",
"Action": [
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues",
"resource-groups:Get*",
"resource-groups:List*"
],
"Resource": "*"
}
]
}
Read-Only Access
- • No write, modify, or delete permissions
- • Configuration and metadata access only
- • Audit log reading for compliance tracking
- • Resource tagging information access
- • Cost and billing data (optional)
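The list above makes claims ("no write permissions", "metadata access only") that are easy to check mechanically. The following is an added example, not PolicyCortex code: it expands each wildcard action in a policy against a constructed subset of real IAM action names and flags anything that is a write action or a read action that returns customer data rather than configuration. The action list and the data-access set are assumptions for offline use; a production audit should expand against the full per-service action lists. The sample policies are condensed copies of the minimum policy above and of the inline policy shape in the StackSets template further down.

```python
from __future__ import annotations

import fnmatch

# Constructed subset of real IAM action names so the check runs offline (assumption).
KNOWN_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RunInstances",
    "iam:ListRoles", "iam:GetRole", "iam:PutRolePolicy",
    "s3:GetBucketPolicy", "s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
    "cloudtrail:LookupEvents", "cloudtrail:StopLogging",
    "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:CreateAccount",
    "support:DescribeCases", "support:CreateCase",
    "sts:GetCallerIdentity",
]

# Verb prefixes AWS uses for read-only actions.
READ_VERBS = ("Describe", "Get", "List", "Lookup", "View", "Search")

# Read-only by verb, but returns customer data rather than configuration (assumption; extend as needed).
DATA_ACCESS_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}

# Condensed copy (constructed) of the minimum permissions policy above.
MINIMUM_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:List*", "iam:Get*", "s3:GetBucket*", "s3:ListBucket*",
                   "s3:GetObject*", "cloudtrail:LookupEvents", "organizations:Describe*",
                   "organizations:List*", "sts:GetCallerIdentity"],
        "Resource": "*",
    }],
}


def inline_policy(support_action: str) -> dict:
    """Inline policy shape from the StackSets template, parameterised on the support action."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["organizations:ListAccounts", "organizations:DescribeOrganization", support_action],
            "Resource": "*",
        }],
    }


def expand_action(pattern: str) -> list[str]:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return [a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_read_only(policy: dict) -> list[tuple[str, str, str]]:
    """Return (pattern, concrete action, kind) for every allowed action that is not metadata-only read."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in expand_action(pattern):
                verb = action.split(":", 1)[1]
                if action in DATA_ACCESS_ACTIONS:
                    findings.append((pattern, action, "data-access"))
                elif not verb.startswith(READ_VERBS):
                    findings.append((pattern, action, "write"))
    return findings


if __name__ == "__main__":
    print("minimum policy:", audit_read_only(MINIMUM_POLICY_EXCERPT))
    print("inline policy with support:*:", audit_read_only(inline_policy("support:*")))
    print("inline policy with support:Describe*:", audit_read_only(inline_policy("support:Describe*")))
```

On the page's own policies this reports exactly two things: s3:GetObject* reaches object contents, and a bare support:* would also allow support:CreateCase, which is why the template should grant support:Describe* instead. The verb-prefix heuristic is deliberately strict: an action it does not recognise as read is reported, so unfamiliar services produce review items rather than silent passes.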
Security Features
- • Cross-account role with external ID
- • IP address restrictions on role assumption
- • Session duration limits and monitoring
- • CloudTrail logging of all API calls
- • Temporary security token rotation
Multi-Account Organizations
AWS Organizations Integration
For organizations using AWS Organizations, PolicyCortex can discover and monitor every account from a single deployment. Deploy the template below as a service-managed StackSet with automatic deployment enabled, targeted at your organization root or selected OUs, so the role is created in existing accounts and in any account added later; PolicyCortex then uses organizations:ListAccounts in the management account to enumerate the accounts it should assume into.
# StackSets deployment for organization-wide coverage
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  PolicyCortexAccountId:
    Type: String
    Default: '123456789012'
  ExternalId:
    Type: String
    Description: Unique external ID for security
Resources:
  PolicyCortexRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name so the role ARN is predictable in every member account
      RoleName: PolicyCortexOrganizationRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${PolicyCortexAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      Policies:
        - PolicyName: PolicyCortexAdditionalAccess
          PolicyDocument:
            # Only '2012-10-17' is a valid policy language version
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:ListAccounts
                  - organizations:DescribeOrganization
                  # Read-only support access; support:* would also allow support:CreateCase
                  - support:Describe*
                Resource: '*'
Outputs:
  RoleArn:
    Description: ARN of the PolicyCortex role
    Value: !GetAtt PolicyCortexRole.Arn
    Export:
      Name: !Sub '${AWS::StackName}-PolicyCortexRoleArn'
Management Account
- • Organization-level view and control
- • Consolidated billing access
- • Account creation monitoring
- • Service Control Policy visibility
- • Cross-account resource discovery
Member Accounts
- • Individual account governance
- • Resource-level policy enforcement
- • Department and team isolation
- • Environment-specific rules
- • Local compliance monitoring
Automation
- • New account auto-onboarding
- • StackSets deployment integration
- • Consistent policy application
- • Centralized role management
- • Automated compliance reporting