Before CloudSploit can produce any security scan results, you must connect an Amazon Web Services account. This done through the use of a secure, third-party cross-account IAM role. To fully connect the account, you must complete steps in both your AWS account, as well as in your CloudSploit account.

Obtain an External ID from CloudSploit

  1. Log into CloudSploit and navigate to the "AWS Accounts" page.
  2. At the bottom, under "Add a New AWS Account" copy the External ID (note: this is automatically generated; refreshing the page will generate a new ID).
  3. Save this ID for the next steps. Do not close or refresh the page.

Create an IAM Role for CloudSploit

Option 1: Use our CloudFormation Template (Recommended)
  1. Click  to open CloudFormation in your account.
  2. Enter the external ID copied in the steps above as the input parameter.
  3. Launch the stack and wait for it to complete.
  4. Copy the role ARN from the "Outputs" tab for the next steps.
Option 2: Manually Create a Role
  1. Log into your AWS account with permissions to create a new IAM role.
  2. Navigate to the IAM console.
  3. Create a new IAM role.
  4. Select "Role for Third-Party Cross-Account Access".
  5. Enter "057012691312" for the account to trust.
  6. Enter the external ID copied in the steps above.
  7. Ensure that MFA token is not selected.
  8. Select the "SecurityAudit" managed policy.
  9. Create the role and copy the role ARN.
  10. Save this ARN for the next steps.

Add the Role to CloudSploit

  1. Back in the CloudSploit console, on the AWS Accounts page, paste the role ARN into the form.
  2. Enter a descriptive name for your account, such as "Megacorp-dev".
  3. If you are on a Plus or Premium plan and have added groups to your account, optionally select a group.
  4. Submit the form to save your account and connect it to CloudSploit.