
Amazon Web Services (AWS)

Setup

To set up the AWS integration, navigate to Integrations > Add integration > Amazon Web Services and click Continue.

You will be asked to create a new policy and role in your AWS account. Oneleet uses the AWS AssumeRole API to work with AWS resources — if you’d like to remove Oneleet’s access to your workspace, simply delete the created role from your AWS account.

Which permissions does Oneleet require?

Oneleet currently requests permissions from the AWS-managed SecurityAudit policy.

Which resources does Oneleet monitor?

Oneleet currently monitors the following AWS resources:

  • Accounts
  • RDS instances
  • Application and Classic load balancers
  • IAM users (both user and service accounts)
  • IAM settings
  • EC2 security groups
  • GuardDuty detectors and findings
  • DynamoDB Tables
  • SQS Queues
  • Lambda functions
  • Cloudwatch log groups
  • ECR repositories
  • S3 buckets

Ignoring AWS resources

You can prevent AWS resources from being read into Oneleet by adding the tag oneleet-ignore=true to any resource that supports tagging.

Common Issues

I’m seeing duplicated resources across my AWS accounts

This can occur if you’ve copied the same external ID to multiple AWS accounts. Please make sure you’ve connected a unique external ID to each account.
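One way to check for this before it shows up as duplicated resources is to compare the sts:ExternalId condition in the trust policy of each account's Oneleet role. This is an added example, not Oneleet's own tooling; the trust policies, account IDs and principal ARN below are constructed placeholders, and in practice each document would come from `aws iam get-role --role-name <role>` (the Role.AssumeRolePolicyDocument field) in the respective account.

```python
from collections import defaultdict

def external_ids(trust_policy: dict) -> set:
    """Return every sts:ExternalId value required by an Allow statement of a role's
    trust policy (StringEquals condition, as used by the AssumeRole setup above)."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    ids = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if value is not None:
            ids.update([value] if isinstance(value, str) else value)
    return ids

def duplicated_external_ids(trust_policies: dict) -> dict:
    """Map each external ID used by more than one account to the accounts sharing it.
    trust_policies: {account_id: AssumeRolePolicyDocument of that account's Oneleet role}."""
    accounts_by_id = defaultdict(set)
    for account, doc in trust_policies.items():
        for ext_id in external_ids(doc):
            accounts_by_id[ext_id].add(account)
    return {k: sorted(v) for k, v in accounts_by_id.items() if len(v) > 1}

def sample_trust_policy(external_id: str) -> dict:
    # Constructed trust policy; the principal ARN is a placeholder, not Oneleet's.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

# Constructed sample: three accounts, two of which were set up with the same external ID.
SAMPLE_ACCOUNTS = {
    "111111111111": sample_trust_policy("ext-id-aaaa"),
    "222222222222": sample_trust_policy("ext-id-aaaa"),
    "333333333333": sample_trust_policy("ext-id-bbbb"),
}

if __name__ == "__main__":
    for ext_id, accounts in duplicated_external_ids(SAMPLE_ACCOUNTS).items():
        print(f"external ID {ext_id} is reused by accounts {', '.join(accounts)}")
```

Any external ID reported here should be replaced by reconnecting the affected account so that each connection gets its own ID.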

Updates

2025-12-08

What’s changing?

Another permissions update. Really?

We get it. And we’re fixing it: starting December 8, 2025 (2025-12-08), we will begin requesting permissions by way of the AWS-managed SecurityAudit policy, rather than a custom policy. The SecurityAudit policy is expressly designed to enable read-only access to resources that security audits might need. This means we won’t need to nickel-and-dime you for permissions updates every few months.

This update also allows us to improve the API call efficiency of our AWS monitoring, to reduce failures and retries attributable to rate limiting. While your AWS connections won’t immediately break either way, we recommend updating soon to allow us to monitor your account more reliably.

Action required

If you connected AWS with Oneleet on or after December 8, 2025 (2025-12-08), then you’re already using the AWS-managed SecurityAudit policy, and no further action is required.

Otherwise, we recommend doing the following:

  1. On the Oneleet platform, go to Integrations → Amazon Web Services → Settings tab.
  2. Under Active connections, for each connection:
    1. Click Reconnect.
    2. Follow the on-screen instructions to reconnect using the CLI (recommended) or the AWS Console.

Failing connections? Changes may take some time to propagate across AWS. If you see a connection failure immediately after reconnecting, please check back in an hour or so.

2025-11-14

What’s changing?

We’re enhancing our Amazon Web Services integration to improve the scope and reliability of our monitoring. As part of this change, starting November 14, 2025 (2025-11-14), we will require the following additional permissions on your IAM role for Oneleet:

  • guardduty:ListDetectors
  • guardduty:ListFindings
  • guardduty:GetDetector
  • guardduty:GetFindings

These additions allow us to better monitor details of your AWS configuration by verifying that GuardDuty is enabled and that GuardDuty findings are remediated.

Action required

If you connected AWS with Oneleet on or after November 14, 2025 (2025-11-14), then you’ve already granted these permissions, and no further action is required.

Otherwise, update the permissions on your IAM role for Oneleet as soon as possible to maintain full functionality. You have two options:

Option 1: Update your IAM role for Oneleet

If you choose this method, changes will take effect immediately, and no reconnection is required.

  1. Sign in to your AWS Console.

  2. Navigate to IAM > Roles > your-oneleet-role-name.

  3. Add the new required permissions:

    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetDetector",
    "guardduty:GetFindings",

Repeat this for any additional AWS connections you have.

Option 2: Reconnect AWS
  1. On the Oneleet platform, go to Integrations → Amazon Web Services → “Settings” tab.
  2. Under Active connections, find your connection, and click Reconnect.
  3. Follow the on-screen instructions to reconnect AWS using the CLI (recommended) or manually in the AWS Console.

Repeat this for any additional AWS connections you have.

2025-07-10

What’s changing?

We’re enhancing our Amazon Web Services integration to improve the scope and reliability of our monitoring. As part of this change, starting July 17, 2025 (2025-07-17), we will require the following additional permissions on your IAM role for Oneleet:

  • ec2:DescribeInstances - Monitor EC2 instance configuration details
  • elasticloadbalancing:DescribeRules - Monitor Elastic Load Balancing rules and forwarding
  • elasticfilesystem:DescribeFileSystems - Monitor Elastic File System configuration
  • iam:ListServerCertificates - Monitor server certs for expiration, encryption and configuration
  • s3:GetBucketPublicAccessBlock - Monitor S3 public access configuration

These additions allow us to better monitor details of your AWS configuration.

Action required

If you connected AWS with Oneleet on or after June 11, 2025 (2025-06-11), then you’ve already granted these permissions, and no further action is required.

Otherwise, update the permissions on your IAM role for Oneleet as soon as possible to maintain full functionality. You have two options:

Option 1: Update your IAM role for Oneleet

If you choose this method, changes will take effect immediately, and no reconnection is required.

  1. Sign in to your AWS Console.

  2. Navigate to IAM > Roles > your-oneleet-role-name.

  3. Add the new required permissions:

    "ec2:DescribeInstances",
    "elasticloadbalancing:DescribeRules",
    "elasticfilesystem:DescribeFileSystems",
    "iam:ListServerCertificates",
    "s3:GetBucketPublicAccessBlock"

Repeat this for any additional AWS connections you have.
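After editing the role by hand (Option 1 in this update and in the 2025-11-14 one), it is easy to miss an action or mistype one. The following is an added example, not Oneleet's own code, that checks a policy document against the nine actions listed in those two updates; the sample document is constructed, and a real one would be read with `aws iam get-role-policy --role-name <role> --policy-name <policy>` (the PolicyDocument field).

```python
import json
from fnmatch import fnmatchcase

# Actions introduced by the 2025-11-14 and 2025-07-17 updates described above.
REQUIRED_ACTIONS = {
    "guardduty:ListDetectors", "guardduty:ListFindings",
    "guardduty:GetDetector", "guardduty:GetFindings",
    "ec2:DescribeInstances", "elasticloadbalancing:DescribeRules",
    "elasticfilesystem:DescribeFileSystems", "iam:ListServerCertificates",
    "s3:GetBucketPublicAccessBlock",
}

def allowed_action_patterns(policy_doc: dict) -> list:
    """Collect the Action entries of every Allow statement. Deny statements and
    NotAction are not evaluated, so this is a first-pass check, not a policy simulation."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns

def is_granted(action: str, patterns: list) -> bool:
    # IAM matches action names case-insensitively and allows * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_doc: dict, required=REQUIRED_ACTIONS) -> set:
    """Return the required actions that the policy document does not grant."""
    patterns = allowed_action_patterns(policy_doc)
    return {a for a in required if not is_granted(a, patterns)}

# Constructed sample: a role policy that received the July 2025 actions but not the
# November 2025 ones. Replace it with the PolicyDocument returned by
# `aws iam get-role-policy --role-name <role> --policy-name <policy>`.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "elasticloadbalancing:DescribeRules",
               "elasticfilesystem:DescribeFileSystems", "iam:ListServerCertificates",
               "s3:GetBucketPublicAccessBlock"]}]
}""")

if __name__ == "__main__":
    for action in sorted(missing_actions(SAMPLE_POLICY)):
        print("missing:", action)
```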

Option 2: Recreate your AWS connection
  1. On the Oneleet platform, go to Integrations → Amazon Web Services → “Settings” tab.
  2. Under Active connections, find your connection and remove it. Do not remove the entire integration.
  3. Add a new AWS connection by following the on-screen instructions.

Repeat this for any additional AWS connections you have.