VinTekh

Amazon Web Services

Connect an IAM user that has ReadOnlyAccess (or, as the least-privilege alternative, SecurityAudit + AWSSecurityHubReadOnlyAccess). Read-only: VinTekh never writes. Phase 2 ships STS AssumeRole via Organizations for multi-account scans without long-lived keys.

Connect with IAM access key

Auth mode: IAMUser

Form fields:
  • Display name — how you'll see this source in the list.
  • Access key ID — from an IAM user with ReadOnlyAccess (or SecurityAudit + AWSSecurityHubReadOnlyAccess). Phase 2 will swap to STS AssumeRole.
  • Secret access key — encrypted at rest with AES-GCM. Never logged.
  • Regions — comma-separated (blank = us-east-1). Global services (S3, IAM) are swept once per source.

Read-only by construction. VinTekh never calls a create/update/delete API.

What you'll need

Access key ID + secret for an IAM user.

ReadOnlyAccess managed policy on that user (covers inventory, Security Hub findings, IAM reads and CloudTrail event history in one).

Or, as the least-privilege alternative, SecurityAudit + AWSSecurityHubReadOnlyAccess on that user (the second policy supplies securityhub:GetFindings; see the collector table below).

Optional: organizations:ListAccounts permission for multi-account discovery via Organizations. It is covered by the policies above but only takes effect from the Org management or delegated-admin account; from a member account VinTekh falls back to the single account behind the key.

One-line bootstrap

Run once in AWS CloudShell (ReadOnlyAccess alone is sufficient; SecurityAudit alongside it is redundant but harmless):

USER=vintekh-reader
aws iam create-user --user-name "$USER"
aws iam attach-user-policy --user-name "$USER" \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam attach-user-policy --user-name "$USER" \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit
# Prints AccessKeyId and SecretAccessKey once; copy both now (the secret cannot be retrieved later)
aws iam create-access-key --user-name "$USER"

IAM best practices

Step-by-step: connect AWS with one read-only IAM user

One IAM user with ReadOnlyAccess (or SecurityAudit + AWSSecurityHubReadOnlyAccess) powers inventory, Security Hub findings, IAM bindings and CloudTrail change events. Strictly read-only — never any *FullAccess or Administrator policy.

Collector                                      | Minimum policy                                 | Note
-----------------------------------------------|------------------------------------------------|-----
Account discovery (Organizations / STS)        | SecurityAudit                                  | organizations:ListAccounts (multi-account from the Org management account); degrades to single-account via sts:GetCallerIdentity.
Inventory — EC2 / security groups / RDS / S3   | SecurityAudit                                  | ec2/rds Describe* + s3:ListAllMyBuckets. Covered by SecurityAudit or ReadOnlyAccess.
Findings — Security Hub                        | AWSSecurityHubReadOnlyAccess                   | securityhub:GetFindings — NOT in SecurityAudit. Use AWSSecurityHubReadOnlyAccess (or ReadOnlyAccess). Security Hub must be enabled per region.
Identity & RBAC — IAM bindings                 | SecurityAudit                                  | iam:List* roles/users/policies — covered by SecurityAudit / IAMReadOnlyAccess / ReadOnlyAccess.
Change events — CloudTrail (90d Event History) | SecurityAudit                                  | cloudtrail:LookupEvents — no trail required; covered by SecurityAudit / ReadOnlyAccess.
CloudWatch Logs (VPC flow-log evidence)        | Separate source — CloudWatchLogsReadOnlyAccess | NOT this connector. Configure a separate CloudWatch source for on-demand flow-log evidence.
Where to get each value
  • Access key ID — IAM → Users → your user → Security credentials → Access keys → Create. The AKIA… value.
  • Secret access key — shown once on the same screen (or the aws iam create-access-key output). Copy immediately.
  • Regions — optional, comma-separated (blank = us-east-1). Only named regions are swept for EC2/RDS/Security Hub.
AWS Console — click-through
  1. IAM Console → Users → Create user. Name it e.g. vintekh-reader. Do NOT enable console access (programmatic use only).
  2. Attach policies directly → tick ReadOnlyAccess (covers inventory + Security Hub + IAM read + CloudTrail in one).
  3. (Least-privilege alternative) attach SecurityAudit AND AWSSecurityHubReadOnlyAccess instead — SecurityAudit alone lacks securityhub:GetFindings. Create user.
  4. Open the user → Security credentials → Access keys → Create access key → 'Application running outside AWS'. Copy the Access key ID and Secret access key NOW (the secret is shown only once).
  5. Enable Security Hub in every region you plan to scan (Security Hub Console → region → Enable). Without it, findings return empty (not an error).
  6. Back in VinTekh → Sources → AWS: paste a Display name, the Access key ID, the Secret access key, optionally a comma-separated Regions list (blank = us-east-1), then Save & start discovery.
AWS CLI / CloudShell
USER=vintekh-reader
aws iam create-user --user-name "$USER"
# Simplest — one broad read-only policy:
aws iam attach-user-policy --user-name "$USER" --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
# --- OR least-privilege (use these two INSTEAD of ReadOnlyAccess) ---
# aws iam attach-user-policy --user-name "$USER" --policy-arn arn:aws:iam::aws:policy/SecurityAudit
# aws iam attach-user-policy --user-name "$USER" --policy-arn arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess
# Mint the access key — copy AccessKeyId + SecretAccessKey from the output NOW (secret shown once):
aws iam create-access-key --user-name "$USER"
# Confirm Security Hub is on in a region you'll scan:
aws securityhub describe-hub --region us-east-1
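A pre-flight check for the user created above, as an added example (not VinTekh's own tooling): it asks the IAM policy simulator whether the user's attached policies allow each action the collector table names, then confirms Security Hub is enabled in each region you intend to list. It assumes the AWS CLI v2 is configured (for instance in CloudShell) with a caller allowed to call iam:SimulatePrincipalPolicy and securityhub:DescribeHub; the user ARN, the account ID 123456789012 and the region list in the usage comment are placeholders. sts:GetCallerIdentity is left out of the action list because AWS allows it for every authenticated principal regardless of policy, so simulating it proves nothing.

```bash
#!/usr/bin/env bash
# Pre-flight check for the VinTekh reader user. Added example, not VinTekh tooling.
# Assumes the AWS CLI v2 is configured (e.g. in CloudShell) with a caller that may
# call iam:SimulatePrincipalPolicy and securityhub:DescribeHub. The user ARN,
# account ID and regions passed to the live functions are placeholders.
set -euo pipefail

# Actions from the collector table on this page, one per line. sts:GetCallerIdentity
# is omitted: AWS allows it for every authenticated principal, so simulating it
# tells you nothing.
REQUIRED_ACTIONS="organizations:ListAccounts
ec2:DescribeInstances
ec2:DescribeSecurityGroups
rds:DescribeDBInstances
s3:ListAllMyBuckets
securityhub:GetFindings
iam:ListUsers
iam:ListRoles
iam:ListPolicies
cloudtrail:LookupEvents"

# Reads "ACTION<TAB>DECISION" lines (the shape the --query below produces with
# --output text) and prints every action whose decision is not "allowed".
denied_actions() {
  awk -F'\t' '$2 != "allowed" { print $1 }'
}

# Summarises a simulation: exit 0 when every action is allowed, 1 otherwise.
# Usage: check_simulation < "ACTION<TAB>DECISION" lines
check_simulation() {
  local denied
  denied=$(denied_actions)
  if [ -n "$denied" ]; then
    printf 'DENIED: %s\n' $denied
    return 1
  fi
  echo "all required actions allowed"
}

# Live: ask the IAM policy simulator about the user's attached policies.
# The simulator only evaluates IAM policies: organizations:ListAccounts can be
# "allowed" here and still fail at runtime from a member account, which is the
# single-account fallback this page describes.
simulate_user() {
  local user_arn="$1"
  # shellcheck disable=SC2086
  aws iam simulate-principal-policy \
    --policy-source-arn "$user_arn" \
    --action-names $REQUIRED_ACTIONS \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text | check_simulation
}

# Live: Security Hub must be enabled in every region in the Regions field;
# otherwise findings come back empty rather than as an error.
hub_enabled_regions() {
  local region
  for region in "$@"; do
    if aws securityhub describe-hub --region "$region" >/dev/null 2>&1; then
      echo "$region: Security Hub enabled"
    else
      echo "$region: Security Hub NOT enabled (findings will be empty)"
    fi
  done
}

# Usage in CloudShell (placeholder account ID and regions):
#   source preflight.sh
#   simulate_user arn:aws:iam::123456789012:user/vintekh-reader
#   hub_enabled_regions us-east-1 eu-west-1
```

If simulate_user reports securityhub:GetFindings as denied, that is the "SecurityAudit alone" case from the table; attach AWSSecurityHubReadOnlyAccess (or ReadOnlyAccess) and rerun. A region reported as NOT enabled will not error in VinTekh, it will simply produce no findings, which is why the check is worth running before discovery rather than after.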
What works read-only vs needs more
Read-only (ReadOnlyAccess / SecurityAudit)
  • Account discovery: every account in the Org (organizations:ListAccounts from the management account) or the single account behind the key.
  • Inventory across scanned regions: EC2 instances (public IP → internet exposure), security groups (0.0.0.0/0 ingress → internet), RDS (PubliclyAccessible), S3 buckets.
  • Security Hub findings (ACTIVE + WorkflowStatus NEW) per scanned region, severity-mapped, full finding JSON kept as evidence.
  • All with AWS-managed ReadOnlyAccess (or SecurityAudit + AWSSecurityHubReadOnlyAccess) on one IAM user; VinTekh never calls a write, create, delete or data-plane API. Caveat: ReadOnlyAccess itself still grants data-plane reads such as s3:Get*, so a leaked key could read object contents even though VinTekh never does. SecurityAudit + AWSSecurityHubReadOnlyAccess does not grant s3:GetObject and is the tighter choice.
Requires more
  • Multi-account listing → run from the AWS Organizations management (or delegated-admin) account; from a member account VinTekh sees only that one account.
  • Security Hub findings → require Security Hub ENABLED per region AND securityhub:GetFindings (ReadOnlyAccess / AWSSecurityHubReadOnlyAccess, NOT SecurityAudit alone).
  • Regions beyond us-east-1 → must be listed explicitly in the Regions field; only named regions are swept for EC2/RDS/Security Hub.
  • CloudWatch / VPC Flow Log content → a SEPARATE CloudWatch source with CloudWatchLogsReadOnlyAccess and the specific log groups.
  • Cross-account AssumeRole (no long-lived keys) → planned; the current form only accepts an IAM access key + secret (no role-ARN field yet).
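If even the SecurityAudit pair grants more than you want a long-lived key to carry, the actions the collector table names can be granted as a single inline policy instead of the managed policies. This is an added example and not a VinTekh-supported configuration: the user name vintekh-reader is taken from this page, the policy name VinTekhCollectorMinimal is a placeholder, and securityhub:DescribeHub and iam:Get* are added beyond the table as assumptions so the describe-hub check and IAM policy documents are readable. If any collector returns AccessDenied under this policy, go back to the managed policies the page documents.

```bash
#!/usr/bin/env bash
# Scoped inline policy for the VinTekh reader user. Added example, not a VinTekh-
# supported configuration: it grants only the actions the collector table on this
# page names (plus securityhub:DescribeHub and iam:Get*, added here as assumptions),
# so unlike ReadOnlyAccess it never grants s3:GetObject or other data-plane reads.
# The user name vintekh-reader and policy name VinTekhCollectorMinimal are placeholders.
set -euo pipefail

# Prints the policy document. Kept in a function so it can be inspected before use.
minimal_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AccountDiscovery", "Effect": "Allow", "Resource": "*",
      "Action": ["organizations:ListAccounts"] },
    { "Sid": "Inventory", "Effect": "Allow", "Resource": "*",
      "Action": ["ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets"] },
    { "Sid": "SecurityHubFindings", "Effect": "Allow", "Resource": "*",
      "Action": ["securityhub:GetFindings", "securityhub:DescribeHub"] },
    { "Sid": "IamBindings", "Effect": "Allow", "Resource": "*",
      "Action": ["iam:List*", "iam:Get*"] },
    { "Sid": "CloudTrailEventHistory", "Effect": "Allow", "Resource": "*",
      "Action": ["cloudtrail:LookupEvents"] }
  ]
}
EOF
}

# True when the document names ACTION literally (wildcards such as ec2:Describe*
# are matched as written, not expanded).
policy_has_action() {
  minimal_policy_json | grep -F "\"$1\"" >/dev/null
}

# Live: attach as an inline policy instead of the managed ones. Run in CloudShell
# with an admin caller; detach ReadOnlyAccess/SecurityAudit afterwards if this is
# to be the user's only grant.
attach_minimal_policy() {
  local user="${1:-vintekh-reader}"
  aws iam put-user-policy --user-name "$user" \
    --policy-name VinTekhCollectorMinimal \
    --policy-document "$(minimal_policy_json)"
}

# Usage: source this file, then
#   policy_has_action securityhub:GetFindings && echo granted
#   attach_minimal_policy vintekh-reader
```

Security Hub still has to be enabled per region and organizations:ListAccounts still only works from the management or delegated-admin account; the inline policy changes what the key may call, not what AWS has turned on.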
Troubleshooting
  • AccessDenied on securityhub:GetFindings / findings always empty
    Attach AWSSecurityHubReadOnlyAccess (or ReadOnlyAccess) — SecurityAudit lacks it. Confirm Security Hub is enabled in that region (aws securityhub describe-hub --region <r>).
  • Only one account discovered though you have many
    organizations:ListAccounts was denied → single-account fallback. Use a key from the Org management/delegated-admin account.
  • Resources/findings missing for a region
    The Regions field defaults to us-east-1 only. Add regions as a comma-separated list; S3/IAM/Organizations are global and swept once.
  • InvalidClientTokenId / SignatureDoesNotMatch
    The Access key ID or Secret was mistyped/truncated. The secret is shown only at creation — delete the key and create a fresh one, then re-paste both halves.
  • 'Access key ID must look like AKIA…' on the form
    You pasted an ASIA… STS temp key or a role ARN. Phase 1 requires a permanent IAM user key (AKIA + 16 chars); there's no role-ARN field yet.
  • Security Hub has findings but inventory (EC2/RDS/S3) is empty
    Missing Describe/List permissions. SecurityAudit and ReadOnlyAccess both cover them — attach one.