AWS EC2 Integration

One of the benefits of App Infrastructure Protection (AIP) is the ability to integrate with an Amazon Web Services (AWS) profile. Through this integration, you can see exactly which instances are protected and which are not. When the profile is activated, an initial traversal of the environment is run to establish a baseline. We then continually scan for any instance creation or termination so the AIP Cloud Security PlatformⓇ (CSP) always reflects the current state of your infrastructure.

The process involves an exchange of information between AIP and AWS. AIP uses a “read-only” access role, scoped to EC2, that is completely under your control.


If you want to integrate with more than one Amazon Web Services account, please review AWS Integrations Overview.


Prerequisites:
  • Administrator access to your Amazon Web Services (AWS) account
  • Access to the AIP Console


Use side-by-side browser windows – one for AWS and one for AIP – to complete these instructions.

1. Begin AWS Integration
  1. Log into the AWS console as an administrator.
  2. Navigate to the Security, Identity, & Compliance section.
  3. Click the link for the IAM service.


  4. In the left navigation pane of the IAM Dashboard, click Roles.


  5. The Roles page displays. Click the Create role button.


Continue to the next section.

2. Create IAM Role
  1. From the Create role page, select the entity to which your role will be associated.
    • For this integration, click the Another AWS Account button.


  2. In the Account ID field, copy and paste the Account ID value from your AIP account.
    1. Open a new browser window and log into AIP.
    2. In the left navigation pane, click Settings. The Settings page displays.
    3. Click the Integrations tab. The AWS Integrations page displays.
    4. Click the + Add AWS Integration button.
    5. The + Add AWS Integration dialog displays, listing your Account ID and External ID.


      Do not close this dialog until the role creation is complete. The External ID is uniquely generated. It must match the value entered during the AWS role creation. If you click the close button, a new External ID is generated.


  3. In the Options section, select the Require external ID (Best practice when a third party will assume this role) checkbox. An additional field displays.


  4. In the External ID field, copy and paste the External ID value from the AIP + Add AWS Integration dialog, as shown in substep 5 of step 2.


  5. Click the Next: Permissions button. The Attach permissions policies page displays.
  6. Select the AmazonEC2ReadOnlyAccess checkbox. Click the Next: Tags button.
  7. The Add tags (optional) page displays. Click the Next: Review button.


  8. The Review page displays. In the Role name field, type a role name. This is the name of the IAM role the AIP AWS Account will use to authenticate in AWS.



    AWS does not allow spaces in a role name.

  9. Click the Create role button. The new AIP-specific IAM role is created. The Roles page displays.


  10. In the Search field, type the name of the IAM role you created in step 8, and press ENTER.
  11. Select the IAM role. The Summary page displays.


  12. Copy the Role ARN.
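The console steps above amount to one trust policy plus one managed-policy attachment. The following added example (not AIP's own code) performs the same steps with the boto3 IAM client: it builds the trust policy that restricts sts:AssumeRole to the AIP account and requires the External ID, attaches AmazonEC2ReadOnlyAccess, and returns the Role ARN you paste into AIP. The account IDs, External ID, role name and the in-memory stand-in for the IAM client are all constructed so the example runs offline; pass a real `boto3.client("iam")` as `iam` to run it against your account.

```python
"""Create the AIP read-only EC2 role programmatically (added example, not AIP's code).

Assumptions: the AIP Account ID and External ID are the values shown in the
'+ Add AWS Integration' dialog; the role name is hypothetical; `_FakeIAM` is a
constructed stand-in for boto3's IAM client so the script runs without AWS access.
"""
import json
import re

# Managed policy selected in step 6 of 'Create IAM Role'.
EC2_READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"

# IAM role names: 1-64 characters from [A-Za-z0-9+=,.@_-]; spaces are rejected.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")


def validate_role_name(name: str) -> bool:
    """Mirror the console's 'no spaces' rule (and the rest of IAM's name charset)."""
    return bool(ROLE_NAME_RE.match(name))


def build_trust_policy(aip_account_id: str, external_id: str) -> dict:
    """Equivalent of 'Another AWS account' + 'Require external ID' (steps 1-4).

    Only the AIP account may assume the role, and only when the call carries
    the External ID from the dialog; this is the confused-deputy mitigation
    the 'Best practice when a third party will assume this role' checkbox adds.
    """
    if not re.fullmatch(r"\d{12}", aip_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{aip_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def create_aip_role(iam, role_name, aip_account_id, external_id,
                    description="AIP EC2 read-only integration"):
    """Steps 1-12 of 'Create IAM Role'. `iam` is any object exposing the boto3
    IAM client methods create_role and attach_role_policy. Returns the Role ARN."""
    if not validate_role_name(role_name):
        raise ValueError("role name must be 1-64 chars of [A-Za-z0-9+=,.@_-]")
    trust = build_trust_policy(aip_account_id, external_id)
    resp = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust),
                           Description=description)
    iam.attach_role_policy(RoleName=role_name, PolicyArn=EC2_READ_ONLY_POLICY_ARN)
    return resp["Role"]["Arn"]


class _FakeIAM:
    """Constructed stand-in for boto3's IAM client (your account is 111111111111)."""

    def __init__(self, account_id="111111111111"):
        self.account_id = account_id
        self.roles = {}      # role name -> parsed trust policy
        self.attached = {}   # role name -> attached policy ARNs

    def create_role(self, RoleName, AssumeRolePolicyDocument, Description=""):
        self.roles[RoleName] = json.loads(AssumeRolePolicyDocument)
        return {"Role": {"RoleName": RoleName,
                         "Arn": f"arn:aws:iam::{self.account_id}:role/{RoleName}"}}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.setdefault(RoleName, []).append(PolicyArn)


def demo():
    """Run the whole procedure offline with constructed IDs; returns what a real
    run would leave behind: the ARN to paste into AIP, the trust policy, attachments."""
    iam = _FakeIAM()
    arn = create_aip_role(iam, "AIP-EC2-ReadOnly",
                          aip_account_id="123456789012",          # constructed AIP Account ID
                          external_id="constructed-external-id")  # constructed External ID
    return arn, iam.roles["AIP-EC2-ReadOnly"], iam.attached["AIP-EC2-ReadOnly"]


if __name__ == "__main__":
    role_arn, trust_policy, attachments = demo()
    print(role_arn)
    print(json.dumps(trust_policy, indent=2))
    print(attachments)
```

The External ID is placed in a `StringEquals` condition rather than in the principal: the principal alone only says which account may assume the role, while the condition ties each assumption to the specific AIP integration that generated the ID, which is why the dialog warns that closing it regenerates the value.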

Continue to the next section.

3. Integrate with AIP Cloud Security PlatformⓇ

Completing the AIP AWS Profile allows AIP to authenticate in AWS using the AIP-specific AWS IAM role.

  1. In the AIP browser window, on the + Add AWS Integration page, paste the copied Role ARN in the Role ARN field.


  2. In the Description field, type a description of the AIP AWS role that identifies how the role relates to the AWS account, such as "production."
  3. In the EC2 Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
  4. Verify the information entered and selected on the page is accurate.
  5. Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. A “Profile Added Successfully” message displays and the new AWS profile displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the profile is authenticating with AWS. This process may take several minutes.


4. Confirm Successful AIP Integration with AWS
  1. Log into AIP.
  2. In the left navigation pane, click Settings. The Settings page displays.
  3. Click the Integrations tab. The AWS Integrations page displays.
  4. In the EC2 Correlation Status column for the AWS profile, a green checkmark displays. That checkmark confirms that AIP successfully authenticated in AWS using the AIP-specific IAM role.
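The green checkmark confirms that the assume-role call succeeded; it does not tell you whether the role is as narrow as the guide intends. The added example below (not AIP's own code) audits the role from the documents `aws iam get-role`, `aws iam list-attached-role-policies` and `aws iam list-role-policies` return, flagging a trust policy that admits accounts other than AIP's, a missing External ID condition, permissions beyond AmazonEC2ReadOnlyAccess, or inline policies. It also includes a simplified evaluation of the trust policy to show why the External ID matters: without the condition, any caller in the trusted account is allowed in. The sample policy documents and account IDs are constructed, not captured from a real account.

```python
"""Audit an AIP integration role against the guide (added example, not AIP's code).

Inputs are plain dicts/lists as boto3's get_role / list_attached_role_policies /
list_role_policies return them. All sample data below is constructed.
"""
EC2_READ_ONLY = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"


def _as_list(value):
    """IAM allows a string or a list in Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_aip_role(trust_doc, attached_policy_arns, inline_policy_names, aip_account_id):
    """Return a list of findings; an empty list means the role matches the guide."""
    findings = []
    expected_principal = f"arn:aws:iam::{aip_account_id}:root"
    for i, stmt in enumerate(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if principal != expected_principal:
                findings.append(f"statement {i}: trusts {principal}, not only the AIP account")
        actions = _as_list(stmt.get("Action", []))
        if any(action != "sts:AssumeRole" for action in actions):
            findings.append(f"statement {i}: actions {actions} broader than sts:AssumeRole")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: External ID not required (confused-deputy risk)")
    extra = sorted(set(attached_policy_arns) - {EC2_READ_ONLY})
    if extra:
        findings.append(f"attached policies beyond read-only EC2: {extra}")
    if EC2_READ_ONLY not in attached_policy_arns:
        findings.append("AmazonEC2ReadOnlyAccess is not attached; EC2 correlation will fail")
    if inline_policy_names:
        findings.append(f"inline policies present: {sorted(inline_policy_names)}")
    return findings


def assume_role_permitted(trust_doc, caller_account_id, external_id=None):
    """Simplified evaluation for this policy shape only (root principals, exact
    action, StringEquals on sts:ExternalId): would the AssumeRole call be allowed?"""
    caller = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if caller not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


# Constructed sample data (placeholders, not real IDs).
AIP_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "constructed-external-id"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Trust policy a role built per the guide ends up with.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AIP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same role with the 'Require external ID' checkbox skipped.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AIP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print("good role:", audit_aip_role(GOOD_TRUST, [EC2_READ_ONLY], [], AIP_ACCOUNT_ID))
    print("weak role:", audit_aip_role(WEAK_TRUST, [EC2_READ_ONLY, ADMIN_POLICY], [], AIP_ACCOUNT_ID))
    print("assume without External ID, good role:", assume_role_permitted(GOOD_TRUST, AIP_ACCOUNT_ID))
    print("assume without External ID, weak role:", assume_role_permitted(WEAK_TRUST, AIP_ACCOUNT_ID))
```

With a real client, feed `get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` (boto3 returns it already parsed), the `PolicyArn` values from `list_attached_role_policies`, and the `PolicyNames` from `list_role_policies` into `audit_aip_role`. Re-running the audit after any later change to the role is what keeps the "read-only, scoped to EC2" promise from the introduction true over time.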

