Connect AWS

VinTekh reads AWS via a cross-account IAM role with read-only managed policies. No keys live in our system — we use STS AssumeRole every sync.

What you need

  • An AWS account with permissions to create IAM roles + Trust Policies.
  • Our External ID and AWS Account ID (shown on the connector setup page).
  • For multi-account: AWS Organizations Management Account access (Control Tower).

Minimum-permissions path (single account)

  1. In AWS Console → IAM → Roles → Create role (Another AWS account).
  2. Set Account ID = <our account, shown in setup>, check Require external ID and paste <our external id, shown in setup>.
  3. Attach policies: SecurityAudit + ViewOnlyAccess.
  4. Optional: also attach ReadOnlyAccess if you want deeper inventory enumeration (warning: this is >5,000 actions; SecurityAudit + ViewOnly is the safer baseline).
  5. Name the role VinTekh-Reader. Copy the role ARN.
  6. Back in VinTekh, paste the ARN and click Test connection. Successful sync writes 1 ChangeEvent row.
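As an added example (not VinTekh's own code), this builds the trust policy that step 2 produces and checks an existing trust policy for the two causes of AccessDenied named under Troubleshooting: a missing or mismatched External ID, or a principal other than the VinTekh account. The account ID and External ID below are constructed placeholders; use the values shown on the connector setup page.

```python
import json

# Constructed placeholders; real values come from the VinTekh setup page.
VINTEKH_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"


def trust_policy(vintekh_account_id: str, external_id: str) -> dict:
    """Trust policy for VinTekh-Reader: only the VinTekh account may assume
    the role, and only when it presents the External ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vintekh_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, vintekh_account_id: str, external_id: str) -> list:
    """Return the problems that would cause AccessDenied on AssumeRole or
    over-broaden who may assume the role. An empty list means the policy is fine."""
    problems = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    expected = f"arn:aws:iam::{vintekh_account_id}:root"
    found_allow = False
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & set(actions)):
            continue
        found_allow = True
        principal = s.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:  # "*" or any foreign account is flagged
            if p not in (expected, vintekh_account_id):
                problems.append(f"principal {p} is not the VinTekh account")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext != external_id:  # comparison is case-sensitive, as in IAM
            problems.append("sts:ExternalId does not match the value from setup")
    if not found_allow:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(VINTEKH_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```

Paste the printed JSON into the role's Trust relationships tab, or run `check_trust_policy` over the JSON returned by `aws iam get-role` when AssumeRole is denied.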

Multi-account path (AWS Organizations)

Deploy via the VinTekh-Reader-Stackset CloudFormation template in the Organizations Management Account. The StackSet provisions the role in every member account; VinTekh enumerates accounts via organizations:ListAccounts from the management account role.

For Control Tower customers we ship a VinTekh-Reader-CT guardrail-compatible variant that lives in the Audit OU and uses the AWSControlTowerExecution trust chain.

What we read, what we don't

Read: every Describe* / List* / Get* permitted by SecurityAudit + ViewOnlyAccess. We also read CloudTrail events for the change-event evidence trail.

We do NOT attach any policy with Create*, Put*, Update*, Delete*, Modify*, or iam:Pass*. The CI guard scripts/no-write-sdk-check.sh blocks any merge that introduces mutating SDK calls.

Troubleshooting

  • AccessDenied on AssumeRole. The Trust Policy is missing the External ID, or the wrong source account is allowed. Re-paste from VinTekh setup — values are case-sensitive.
  • Sync returns 0 resources. SecurityAudit covers enumeration but not every service. Add ReadOnlyAccess temporarily to see whether the gap is in IAM or in the service itself.
  • StackSet drift. Re-deploy from the Organizations Management Account; we'll flag the drift at /drift with severity high.