
Amazon Web Services (AWS)

Setup

To set up the AWS integration, navigate to Integrations > Add integration > Amazon Web Services and click Continue.

You will be asked to create a new policy and role in your AWS account. Oneleet uses the AWS AssumeRole API to work with AWS resources. If you’d like to remove Oneleet’s access to your workspace, simply delete the created role from your AWS account.

Which permissions does Oneleet require?

Oneleet currently requests the following read-only permissions within AWS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OneleetAssumeRolePolicy",
      "Effect": "Allow",
      "Action": [
        "account:ListRegions",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:DescribeAlarms",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeSecurityGroups",
        "ecr:DescribeImages",
        "ecr:DescribeRegistry",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:ListTagsForResource",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "iam:GetAccountPasswordPolicy",
        "iam:GetLoginProfile",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "inspector:DescribeFindings",
        "inspector:ListFindings",
        "inspector2:GetFindingsReportStatus",
        "inspector2:ListCoverage",
        "inspector2:ListCoverageStatistics",
        "inspector2:ListFindingAggregations",
        "inspector2:ListFindings",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "logs:DescribeLogGroups",
        "rds:DescribeDBInstances",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
}

Which resources does Oneleet monitor?

Oneleet currently monitors the following AWS resources:

  • Accounts
  • RDS instances
  • Application and Classic load balancers
  • IAM users (both user and service accounts)
  • IAM settings
  • EC2 security groups
  • DynamoDB tables
  • SQS queues
  • Lambda functions
  • CloudWatch log groups
  • ECR repositories
  • S3 buckets

Ignoring AWS resources

You can prevent AWS resources from being read into Oneleet by adding the tag oneleet-ignore=true to any resource that supports tagging.

Common Issues

I'm seeing duplicated resources across my AWS accounts

This can occur if you’ve used the same external ID for multiple AWS accounts. Please make sure each account is connected with its own unique external ID.
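The two checks a practitioner would want before creating the role, as an added example (not Oneleet's code): confirm that every action in the requested policy above is read-only by verb, and build the role's trust policy so that AssumeRole only succeeds with the unique external ID described in the issue above. The partner account ID and external ID below are placeholders, and the sample policy is a constructed subset of the page's policy with one write action added to show detection.

```python
import json

# Verb prefixes AWS uses for read-only API actions; any other verb (Put, Delete, Create ...) is a write.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")

# Constructed sample: a subset of the page's policy plus one write action, to show detection.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OneleetAssumeRolePolicy",
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "iam:ListUsers", "s3:GetBucketAcl", "s3:PutBucketAcl"],
    "Resource": "*"
  }]
}""")


def non_read_only_actions(policy: dict) -> list[str]:
    """Return every allowed action whose verb is not read-only or that contains a wildcard.

    Run this over a vendor's requested policy (such as the one on this page) before
    creating the role; an empty list means every requested action is read-only by verb.
    """
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


def trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Build the role's trust policy: the partner account (placeholder ID) may call
    sts:AssumeRole only when it presents this account's own external ID, which is the
    standard confused-deputy guard and why each account needs a unique external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


if __name__ == "__main__":
    print("non read-only:", non_read_only_actions(SAMPLE_POLICY))  # ['s3:PutBucketAcl']
    print(json.dumps(trust_policy("123456789012", "EXAMPLE-EXTERNAL-ID"), indent=2))
```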