How to integrate AWS account?
Overview
This integration guide is designed for Unizo customers who want to enable AWS infrastructure monitoring for their end customers. There are two distinct workflows:
- For You - Provide AWS credentials that Unizo will use to access your end customers' AWS accounts
- For Your End Customers (Testing purpose only) - Configure AWS IAM permissions and provide Role ARN
Unizo requires read-only access to:
- Compute: EC2, ECS, EKS, Lambda, Fargate instances
- Storage: S3 buckets, EBS volumes, EFS file systems
- Network: VPCs, security groups, load balancers
- Containers: ECR repositories, images, and scan results
- Identity: IAM roles, policies, users (read-only)
Part 1: For You - Provide AWS Credentials
What You Need to Provide
You need to collect and enter the following credentials into your Unizo Console:
| Field | Description | Example |
|---|---|---|
| Account ID | Your AWS account ID for Unizo access | 920671455217 |
| Access Key | AWS access key for programmatic access | AKIAIOSFODNN7EXAMPLE |
| Secret Key | AWS secret access key for authentication | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| External ID | Unique identifier for secure cross-account access | df42d5f2-4ea6-46c7-881c-949eba5007ec |
Steps to Obtain These Credentials
1. Get Your AWS Account ID
- Sign in to the AWS Management Console
- Copy your 12-digit Account ID from the top-right corner
2. Create Access Key and Secret Key
a. Create IAM Policy for AssumeRole
- Navigate to IAM → Policies
- Click Create policy
- Select the JSON tab
- Copy and paste the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```
- Click Next
- Set policy name: UnizoAssumeRolePolicy
- Add description: Allows Unizo to assume roles for cross-account access
- Click Create policy
b. Create IAM User
- Navigate to IAM → Users
- Click Create user
- Set username: UnizoIntegrationUser
- Select Programmatic access (no console access needed)
- Click Next
c. Attach Policy to User
- Select Attach existing policies directly
- Search for UnizoAssumeRolePolicy
- Check the policy and click Next
- Review and click Create user
d. Generate Access Keys
- Click on the created user UnizoIntegrationUser
- Go to the Security credentials tab
- Click Create access key
- Select Application running outside AWS
- Click Create access key
- Copy and save both the Access Key ID and Secret Access Key securely
3. Generate External ID
- Use a one-time External ID: df42d5f2-4ea6-46c7-881c-949eba5007ec
- Generate one using a UUID generator if you need a different value
4. Enter Credentials in Unizo Console
- Navigate to Connectors → Public Cloud (Infra) → Amazon Web Services
- Click Configure to enable
- Enter the credentials collected above
Part 2: For Your End Customers - Configure AWS IAM
Your end customers need to configure their AWS accounts to grant your application (via Unizo) secure access to their infrastructure. Provide them with the following instructions:
Prerequisites
- AWS account with administrative access
- Permissions to create IAM policies and roles
Step 1: Create a read-only infrastructure policy for Unizo
Log in to the AWS Management Console, open the IAM service and navigate to the Policies page.
- Sign in to the AWS Management Console
- Navigate to IAM → Policies
- Click Create policy
- Select the JSON tab
- Copy and paste the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnizoComputeAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "lambda:Get*",
        "lambda:List*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoStorageAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "fsx:DescribeBackups",
        "fsx:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoNetworkAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNatGateways",
        "ec2:DescribeInternetGateways",
        "elasticloadbalancing:Describe*",
        "route53:Get*",
        "route53:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoContainerAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:DescribeImageScanFindings",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoIdentityAccess",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoResourceExplorerAccess",
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:Search",
        "resource-explorer-2:GetView",
        "resource-explorer-2:ListViews",
        "resource-explorer-2:ListIndexes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoAuditAccess",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "config:Describe*",
        "config:Get*",
        "config:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoTagAccess",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    }
  ]
}
```
- Choose to review the policy
- Set [YOUR_COMPANY_NAME]InfrastructureDiscoveryPolicy as the Name
- Set Provides [YOUR_COMPANY_NAME] with read-only access to AWS infrastructure for monitoring and security as the Description
- Choose to create the policy
- This policy follows the principle of least privilege
- All permissions are read-only except for Resource Explorer search operations
- No write, delete, or administrative permissions are granted
- Feel free to override permissions based on your specific use cases and security requirements
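Because the guide invites customers to override permissions, it helps to re-check the pasted policy before attaching it. The following audit script is an added example, not part of the Unizo guide: it parses an IAM policy document and flags every allowed action whose verb is not in a read-only allow-list (Describe, Get, List, Search, Lookup), so a stray `Put`, `Delete` or `service:*` is caught before the policy is created. The sample policy is a constructed excerpt with a deliberately bad statement.

```python
"""Audit an IAM permission policy for non-read-only actions before attaching it.

Added example, not part of the Unizo guide. Verb allow-list is an assumption
chosen to match the guide's discovery-only intent.
"""
import json

# Verbs that only read state; anything else (Put, Create, Delete, Update,
# Attach, Run, ...) or a bare wildcard is treated as a write.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search", "Lookup")


def is_read_only_action(action: str) -> bool:
    """Return True if an IAM action string of the form service:Verb* is read-only."""
    if action == "*" or ":" not in action:
        return False
    _service, verb = action.split(":", 1)
    if verb.startswith("*"):          # e.g. "ec2:*" grants writes as well
        return False
    return verb.startswith(READ_ONLY_VERBS)


def find_write_actions(policy_json: str) -> list:
    """Return every Allow-ed action that is not read-only, as 'Sid: action'."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):   # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not is_read_only_action(action):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: {action}")
    return findings


# Constructed sample: one statement from the guide plus a bad statement a
# customer might add by mistake while overriding permissions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UnizoResourceExplorerAccess", "Effect": "Allow",
         "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
         "Resource": "*"},
        {"Sid": "Oops", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:PutBucketPolicy", "ec2:*"],
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for finding in find_write_actions(SAMPLE_POLICY):
        print("write action allowed:", finding)
```

Run it against the full policy above (saved to a file and read with `open().read()`) and it should return an empty list; any non-empty result names the statement and action to remove.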
Step 2: Create a role to implement the policy
From the AWS Management Console again, navigate to the Roles page.
- Create a new role
- Select AWS service as the trusted entity and EC2 as the service for this role
- Choose to go next with permissions
- Check the policy [YOUR_COMPANY_NAME]InfrastructureDiscoveryPolicy from the list
- Choose to go next with tags and review
- Set [YOUR_COMPANY_NAME]InfrastructureRole as the Name
- Set Allows [YOUR_COMPANY_NAME] to monitor AWS infrastructure on your behalf as the Description
- Choose to create the role
Step 3: Configure trust relationship for secure access
Again from the Roles page, find and click the [YOUR_COMPANY_NAME]InfrastructureRole to enter the role configurations.
- Select the Trust relationships tab
- Edit trust relationship
- Delete all of the data and replace it with the following (replace [YOUR_AWS_ACCOUNT_ID], [YOUR_AWS_USER_USERNAME] and [EXTERNAL_ID] with the values provided by your application vendor):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[YOUR_AWS_ACCOUNT_ID]:user/[YOUR_AWS_USER_USERNAME]"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "[EXTERNAL_ID]"
        }
      }
    }
  ]
}
```
- Update the trust policy
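Most "Access Denied" failures in this flow come from a trust policy that names the wrong principal or carries a mistyped external ID. The script below is an added example, not part of the Unizo guide: it parses the saved trust policy and reports exactly which of the two values (vendor principal ARN, `sts:ExternalId` condition) does not match what the vendor supplied. The vendor account ID and external ID are constructed placeholders; the username is the one from Part 1.

```python
"""Check a role trust policy against the vendor-supplied values.

Added example, not from the Unizo guide. VENDOR_ACCOUNT_ID and EXTERNAL_ID
are constructed placeholders, not real identifiers.
"""
import json

VENDOR_ACCOUNT_ID = "111122223333"
VENDOR_USER = "UnizoIntegrationUser"
EXTERNAL_ID = "00000000-0000-4000-8000-000000000000"


def _as_list(value):
    """IAM accepts either a string or a list in Action and Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_problems(policy_json, account_id, user, external_id):
    """Return a list of mismatches; an empty list means the policy is as expected."""
    expected_arn = f"arn:aws:iam::{account_id}:user/{user}"
    stmts = json.loads(policy_json)["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    assume = [s for s in stmts if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not assume:
        return ["no Allow statement for sts:AssumeRole"]
    problems = []
    for stmt in assume:
        principal = stmt.get("Principal", {})
        allowed = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if expected_arn not in allowed:
            problems.append(f"vendor principal {expected_arn} is not trusted")
        # Anything beyond the vendor user (another account, or "*") widens the trust.
        problems += [f"unexpected principal trusted: {p}" for p in allowed if p != expected_arn]
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            problems.append("sts:ExternalId condition is missing")
        elif got != external_id:
            problems.append(f"sts:ExternalId mismatch: policy has {got!r}")
    return problems


# Constructed sample trust policy with the external ID mistyped in its last character.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:user/{VENDOR_USER}"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID[:-1] + "1"}},
    }],
})

if __name__ == "__main__":
    for problem in trust_policy_problems(SAMPLE_TRUST_POLICY, VENDOR_ACCOUNT_ID,
                                         VENDOR_USER, EXTERNAL_ID):
        print("trust policy problem:", problem)
```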
Step 4: Use the Role ARN to integrate with your application
Allow a few minutes for AWS to update the role.
1. From AWS, copy the Role ARN that appears at the top of the Summary section of the role
- Example: arn:aws:iam::123456789012:role/[YOUR_COMPANY_NAME]InfrastructureRole
2. Provide this Role ARN to your application vendor for integration
Integration Methods:
- Connect UI: Paste the Role ARN in the AWS integration form
- Direct API: Use the Role ARN in your API integration calls
- Application Dashboard: Enter the Role ARN in your application's AWS connector settings
Your end customers only need to provide:
- Role ARN: arn:aws:iam::123456789012:role/[YOUR_COMPANY_NAME]InfrastructureRole
They should NOT share Account ID, Access Keys, or Secret Keys directly.
Part 3: Security & Troubleshooting
Security Best Practices
Principle of Least Privilege
- The provided IAM policy grants only read access to necessary services
- No write, delete, or administrative permissions are included
- Cross-account access uses external ID for additional security
Regular Security Reviews
- Review IAM role usage in CloudTrail logs
- Monitor for unexpected API calls from Unizo
- Rotate external IDs periodically for enhanced security
Access Restrictions
- Consider adding IP address restrictions to the trust policy if needed
- Use AWS Config to monitor policy changes
- Enable CloudTrail for complete audit logging
Common Issues and Solutions
"Access Denied" Errors
Cause: Insufficient permissions or incorrect role configuration
Solution:
- Verify the IAM policy is attached to the correct role
- Check that the trust policy includes the correct Unizo account ID
- Ensure the external ID matches exactly
"Role Not Found" Errors
Cause: Incorrect role ARN or role doesn't exist
Solution:
- Verify the role ARN is copied correctly
- Check that the role exists in the correct AWS account
- Ensure the role name matches exactly
"Resource Explorer Not Available" Warnings
Cause: Resource Explorer not enabled in your AWS account
Solution:
- Navigate to AWS Resource Explorer in the console
- Enable Resource Explorer for your account
- Create an index in your primary region
Getting Help
If you continue to experience issues:
- Check CloudTrail logs for detailed error messages
- Contact Unizo support with your account ID and error details
- Review AWS documentation for service-specific requirements
Supported AWS Regions
Unizo supports all standard AWS regions. For optimal performance, ensure Resource Explorer is enabled in your primary region.
For additional support, contact our team at [email protected].