AWS EC2 Integration


One of the benefits of Threat Stack is the ability to integrate with an Amazon Web Services (AWS) profile. Through this integration, the user can see exactly which instances are protected and which ones are not. When the profile is activated, an initial traversal of the environment is run to establish a baseline. We then continually scan for any instance creation or termination so the Threat Stack UI will always reflect the current state of your infrastructure.

The process involves an exchange of information between Threat Stack and AWS. Threat Stack uses a “read-only” access role, scoped to EC2, that is completely under your control.

Follow the steps below to get started.

If you wish to integrate with more than one Amazon Web Service, please follow this FAQ.



From the AWS Console, select the Identity & Access Management service from the Security & Identity section.




From the IAM Dashboard, click Roles in the menu on the left side of the page.



Click the blue "Create New Role" button, which will bring you to another page where you will enter a role name of your choice. This should be something descriptive of the role, e.g. ThreatStack. (Note: spaces are not allowed in the role name.)

Click the blue "Next Step" button in the lower right corner of the page.


Select the radio button next to "Role for Cross-Account Access" and then click the "Select" button next to "Allows IAM users from a 3rd party AWS account to access this account".



You'll now be taken to a page that asks for an Account ID and External ID. These can be found in the Threat Stack management application.

From another browser window or tab, log into the Threat Stack application and navigate to the Configuration page.

Next, select the Integrations facet (button) at the top of the page. Then select the blue "+Add Profile" button on the right side of the page.

This will bring up a new window that will display the Account ID and External ID.


Return to the AWS Console page or tab and copy and paste the Account ID and External ID into the designated fields in the AWS console. Do NOT select the Require MFA checkbox.

Click the blue "Next Step" button on the lower right of the page.


Next, you will attach a policy.

Click the box next to "AmazonEC2ReadOnlyAccess" and click the blue "Next Step" button.


Highlight and copy the Role ARN and click the "Create Role" button on the lower right of the page.


Go back to the Threat Stack management application tab or page and paste the copied ARN into the appropriate field in the “Add AWS Profile” box. Add a description, if desired. Select “EC2 Agent Correlation”. Select only the regions that your EC2 instances are running in. Selecting too many will cause trouble later.



The user will now see the AWS profile enabled in Threat Stack.
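An added example, not part of the original Threat Stack article: a Python check that a role's trust policy matches the steps above (the third-party account as the only principal, the External ID condition present, no MFA requirement). The account ID, External ID and both policy documents are constructed placeholders, and `audit_trust_policy` is a hypothetical helper name.

```python
import json

# Constructed placeholders: the real values come from the "+Add Profile" window.
ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

def _as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches the steps."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    allows = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement: nobody can assume the role")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        for p in principals:
            if p not in allowed:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition") or {}
        ext = _as_list((cond.get("StringEquals") or {}).get("sts:ExternalId"))
        if ext != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
        if "aws:MultiFactorAuthPresent" in (cond.get("Bool") or {}):
            findings.append(f"statement {i}: MFA required, which these steps say to leave off")
    return findings

# Constructed sample: trust policy of a cross-account role with an External ID.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
# Constructed sample: wildcard principal, no External ID, MFA box ticked.
BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc, ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

To check the real role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <your role name>` together with the Account ID and External ID shown in Threat Stack.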
