Amazon Web Services (AWS)

Setup

To set up the AWS integration, navigate to Integrations > Add integration > Amazon Web Services and click Continue.

You will be asked to create a new policy and role in your AWS account. Oneleet uses the AWS AssumeRole API to work with AWS resources — if you’d like to remove Oneleet’s access to your workspace, simply delete the created role from your AWS account.

Which permissions does Oneleet require?

Oneleet currently requests the following read-only permissions within AWS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OneleetAssumeRolePolicy",
      "Effect": "Allow",
      "Action": [
        "account:ListRegions",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ecr:DescribeImages",
        "ecr:DescribeRegistry",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:ListTagsForResource",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticfilesystem:DescribeFileSystems",
        "iam:GetAccountPasswordPolicy",
        "iam:GetLoginProfile",
        "iam:ListMFADevices",
        "iam:ListServerCertificates",
        "iam:ListUsers",
        "inspector:DescribeFindings",
        "inspector:ListFindings",
        "inspector2:GetFindingsReportStatus",
        "inspector2:ListCoverage",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindingAggregations",
        "inspector2:ListFindings",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "logs:DescribeLogGroups",
        "logs:ListTagsForResource",
        "rds:DescribeDBInstances",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
}

Which resources does Oneleet monitor?

Oneleet currently monitors the following AWS resources:

  • Accounts
  • RDS instances
  • Application and Classic load balancers
  • IAM users (both user and service accounts)
  • IAM settings
  • EC2 security groups
  • DynamoDB Tables
  • SQS Queues
  • Lambda functions
  • Cloudwatch log groups
  • ECR repositories
  • S3 buckets

Ignoring AWS resources

You can prevent AWS resources from being read into Oneleet by adding the tag oneleet-ignore=true to resources that support tagging.

Common Issues

I’m seeing duplicated resources across my AWS accounts

This can occur if you’ve copied the same external ID to multiple AWS accounts. Please make sure you’ve connected a unique external ID to each account.
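An added example (not Oneleet's own code) that audits the Oneleet role's trust policy across several AWS accounts and reports any external ID that is reused, which is the cause of the duplicated-resources symptom above. It assumes the external ID is enforced the standard AWS way, as an sts:ExternalId condition on the role's AssumeRole trust statement; the principal ARN, account numbers and external IDs are constructed placeholders.

```python
# Added example (not Oneleet's own code): audit the Oneleet role's trust policy
# across several AWS accounts and report external IDs that are reused, which is
# the cause of the duplicated-resources symptom described above.
from collections import defaultdict

# Placeholder for the AWS principal that assumes the role (not Oneleet's real value).
ONELEET_PRINCIPAL = "arn:aws:iam::000000000000:root"

def trust_policy(ext_id=None):
    """Build a constructed AssumeRole trust policy, optionally with an ExternalId condition."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": ONELEET_PRINCIPAL},
            "Action": "sts:AssumeRole"}
    if ext_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": ext_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample: two accounts were connected with the same external ID,
# one has its own, and one trust policy has no ExternalId condition at all.
TRUST_POLICIES = {
    "111111111111": trust_policy("ext-id-AAAA"),
    "222222222222": trust_policy("ext-id-AAAA"),
    "333333333333": trust_policy("ext-id-BBBB"),
    "444444444444": trust_policy(),
}

def external_ids(policy):
    """sts:ExternalId values required by the Allow sts:AssumeRole statements."""
    ids = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        value = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        ids.update([value] if isinstance(value, str) else value or [])
    return ids

def audit_external_ids(policies):
    """Map each external ID to the accounts using it; accounts without one go under None."""
    usage = defaultdict(list)
    for account, policy in policies.items():
        for ext_id in external_ids(policy) or {None}:
            usage[ext_id].append(account)
    return {k: sorted(v) for k, v in usage.items()}

def shared_external_ids(policies):
    """External IDs that appear in more than one account; an empty dict is the healthy state."""
    return {k: v for k, v in audit_external_ids(policies).items()
            if k is not None and len(v) > 1}
```

Any account listed under None has no external ID condition at all and should be reconnected so that a unique one is set.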

Updates

2025-07-10

What’s changing?

We’re enhancing our Amazon Web Services integration to improve the scope and reliability of our monitoring. As part of this change, starting July 17, 2025 (2025-07-17), we will require the following additional permissions on your IAM role for Oneleet:

  • ec2:DescribeInstances - Monitor EC2 instance configuration details
  • elasticloadbalancing:DescribeRules - Monitor Elastic Load Balancing rules and forwarding
  • elasticfilesystem:DescribeFileSystems - Monitor Elastic File System configuration
  • iam:ListServerCertificates - Monitor server certs for expiration, encryption and configuration
  • s3:GetBucketPublicAccessBlock - Monitor S3 public access configuration

These additions allow us to better monitor details of your AWS configuration.

Action required

If you connected AWS with Oneleet on or after June 11, 2025 (2025-06-11), then you’ve already granted these permissions, and no further action is required.

Otherwise, update the permissions on your IAM role for Oneleet as soon as possible to maintain full functionality. You have two options:

Option 1: Update the permissions on your existing IAM role

If you choose this method, changes take effect immediately, and no reconnection is required.

  1. Sign in to your AWS Console.

  2. Navigate to IAM > Roles > your-oneleet-role-name.

  3. Add the new required permissions:

    "ec2:DescribeInstances",
    "elasticloadbalancing:DescribeRules",
    "elasticfilesystem:DescribeFileSystems",
    "iam:ListServerCertificates",
    "s3:GetBucketPublicAccessBlock"

Repeat this for any additional AWS connections you have.
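An added example (not Oneleet's own code) for step 3 above and for the permission list earlier on this page: it checks an existing policy document against the five actions required from 2025-07-17, flags any granted action that is not a read-only Describe/Get/List/Lookup verb (the only verbs in Oneleet's list), and produces the updated policy JSON to paste back into the role. The sample policy is constructed; the statement Sid matches the one on this page.

```python
# Added example (not Oneleet's own code): check an existing Oneleet IAM policy
# document against the five actions required from 2025-07-17, confirm that every
# granted action is a read-only verb, and produce the updated policy to paste back.
import copy, json

# The five actions listed in the 2025-07-10 update.
NEW_ACTIONS = [
    "ec2:DescribeInstances",
    "elasticloadbalancing:DescribeRules",
    "elasticfilesystem:DescribeFileSystems",
    "iam:ListServerCertificates",
    "s3:GetBucketPublicAccessBlock",
]
# Every action in Oneleet's permission list uses one of these read-only verb prefixes.
READ_VERBS = ("Describe", "Get", "List", "Lookup")

# Constructed sample: a role created before the update, with a subset of the
# original actions and only two of the five new ones already present.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OneleetAssumeRolePolicy", "Effect": "Allow",
        "Action": ["account:ListRegions", "cloudtrail:LookupEvents",
                   "ec2:DescribeInstances", "s3:GetBucketPublicAccessBlock",
                   "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def granted_actions(policy):
    """All actions granted by Allow statements in the policy document."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action"))}

def missing_actions(policy, required=NEW_ACTIONS):
    """Required actions the policy does not grant yet."""
    return sorted(set(required) - granted_actions(policy))

def non_read_only(policy):
    """Granted actions that are wildcards or whose verb is not Describe/Get/List/Lookup."""
    return sorted(a for a in granted_actions(policy)
                  if "*" in a or not a.partition(":")[2].startswith(READ_VERBS))

def with_actions(policy, required=NEW_ACTIONS, sid="OneleetAssumeRolePolicy"):
    """Copy of the policy with the missing actions merged into the statement `sid`."""
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = sorted(set(_as_list(stmt.get("Action"))) | set(required))
            return updated
    raise ValueError(f"no statement with Sid {sid!r}")

if __name__ == "__main__":
    print("missing:", missing_actions(OLD_POLICY))
    print("not read-only:", non_read_only(OLD_POLICY))
    print(json.dumps(with_actions(OLD_POLICY), indent=2))
```

Run non_read_only against the policy you are about to save: a non-empty result means the role grants more than the read-only access described on this page.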

Option 2: Recreate your AWS connection
  1. On the Oneleet platform, go to Integrations > Amazon Web Services > Settings tab.
  2. Under Active connections, find your connection and remove it. Do not remove the entire integration.
  3. Add a new AWS connection by following the on-screen instructions.

Repeat this for any additional AWS connections you have.