How to integrate AWS account?
Overview
This integration guide is designed for Unizo customers who want to enable AWS infrastructure monitoring for their end customers. There are two distinct workflows:
- For You - Provide AWS credentials that Unizo will use to access your end customers' AWS accounts
- For Your End Customers (Testing purpose only) - Configure AWS IAM permissions and provide the Role ARN

Unizo requires read-only access to:
- Compute: EC2, ECS, EKS, Lambda, Fargate instances
- Storage: S3 buckets, EBS volumes, EFS file systems
- Network: VPCs, security groups, load balancers
- Containers: ECR repositories, images, and scan results
- Identity: IAM roles, policies, users (read-only)

Part 1: For You - Provide AWS Credentials
What You Need to Provide
You need to collect and enter the following credentials into your Unizo Console:
| Field | Description | Example | 
|---|---|---|
| Account ID | Your AWS account ID for Unizo access | 920671455217 | 
| Access Key | AWS access key for programmatic access | AKIAIOSFODNN7EXAMPLE | 
| Secret Key | AWS secret access key for authentication | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY | 
| External ID | Unique identifier for secure cross-account access | df42d5f2-4ea6-46c7-881c-949eba5007ec | 
Steps to Obtain These Credentials
1. Get Your AWS Account ID
- Sign in to the AWS Management Console
- Copy your 12-digit Account ID from the account menu in the top-right corner

2. Create Access Key and Secret Key
a. Create IAM Policy for AssumeRole
- Navigate to IAM → Policies
- Click Create policy
- Select the JSON tab
- Copy and paste the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```

- Click Next
- Set policy name: UnizoAssumeRolePolicy
- Add description: Allows Unizo to assume roles for cross-account access
- Click Create policy

"Resource": "*" lets this user attempt to assume any role in any account that trusts it. The trust policy on each end customer's role is what actually grants access, but if your end customers follow the role naming in Part 2 you can tighten this to the role name you ask them to use, for example "Resource": "arn:aws:iam::*:role/[YOUR_COMPANY_NAME]InfrastructureRole".

b. Create IAM User
- Navigate to IAM → Users
- Click Create user
- Set username: UnizoIntegrationUser
- Do not enable console access; this user only needs programmatic access through the access key created in step d
- Click Next

c. Attach Policy to User
- Select Attach existing policies directly
- Search for UnizoAssumeRolePolicy
- Check the policy and click Next
- Review and click Create user

d. Generate Access Keys
- Click on the created user UnizoIntegrationUser
- Go to the Security credentials tab
- Click Create access key
- Select Application running outside AWS
- Click Create access key
- Copy and save both the Access Key ID and Secret Access Key securely; the secret is shown only once, and this key pair is what Unizo uses to call sts:AssumeRole into your end customers' accounts, so keep it in a secrets manager rather than in source control or chat

3. Generate External ID
- Generate a random External ID, for example with a UUID generator: df42d5f2-4ea6-46c7-881c-949eba5007ec
- Do not reuse the example value above; generate your own, and issue a different External ID to each end customer so that one customer's value cannot be used against another's role
- The end customer places this value in their role's trust policy (Part 2, Step 3). Unizo presents it on every AssumeRole call, and AWS rejects the call unless the two strings match exactly

4. Enter Credentials in Unizo Console
- Navigate to Connectors → Public Cloud (Infra) → Amazon Web Services
- Click Configure to enable
- Enter the credentials collected above

 
Part 2: For Your End Customers - Configure AWS IAM
Your end customers need to configure their AWS accounts to grant your application (via Unizo) secure access to their infrastructure. Provide them with the following instructions:
Prerequisites
- AWS account with administrative access
- Permissions to create IAM policies and roles

Step 1: Create a read-only infrastructure policy for Unizo
- Sign in to the AWS Management Console and open the IAM service
- Navigate to IAM → Policies
- Click Create policy
- Select the JSON tab
- Copy and paste the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnizoComputeAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "lambda:Get*",
        "lambda:List*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoStorageAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeMountTargets",
        "fsx:DescribeFileSystems",
        "fsx:DescribeBackups",
        "fsx:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoNetworkAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNatGateways",
        "ec2:DescribeInternetGateways",
        "elasticloadbalancing:Describe*",
        "route53:Get*",
        "route53:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoContainerAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:DescribeImageScanFindings",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoIdentityAccess",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoResourceExplorerAccess",
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:Search",
        "resource-explorer-2:GetView",
        "resource-explorer-2:ListViews",
        "resource-explorer-2:ListIndexes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoAuditAccess",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "config:Describe*",
        "config:Get*",
        "config:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UnizoTagAccess",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Next to review the policy
- Set [YOUR_COMPANY_NAME]InfrastructureDiscoveryPolicy as the Name
- Set Provides [YOUR_COMPANY_NAME] with read-only access to AWS infrastructure for monitoring and security as the Description
- Click Create policy

- This policy follows the principle of least privilege
- Every action is read-level (Describe, Get, List, Lookup or Search); the Resource Explorer actions only query the index that Resource Explorer maintains, they do not change anything
- No write, delete, or administrative permissions are granted
- Read-level is not the same as harmless: lambda:Get* includes lambda:GetFunction, whose response carries a short-lived pre-signed URL for the function's deployment package; s3:GetBucketPolicy and iam:Get*/iam:List* return full policy documents; cloudtrail:LookupEvents returns recent management events. Remove any of these if your end customers do not want that data leaving their account
- Feel free to narrow the permissions further based on your specific use cases and security requirements
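To confirm the read-only claim mechanically (or to re-check a narrowed, hand-edited copy of the policy before attaching it), here is an added example in Python. It is not Unizo's tooling, and its list of read verbs is an assumed naming convention rather than AWS's authoritative access-level data; the two policy documents embedded in it are constructed samples.

```python
"""Check that an IAM permissions policy grants only read-level actions.

Added example; this is not Unizo's tooling. It turns the page's claim
("no write, delete, or administrative permissions") into a check an end
customer can run on the discovery policy or a narrowed copy of it. The
READ_VERBS tuple is an assumption drawn from AWS's action naming
conventions, not an authoritative access-level table.
"""
import json
from typing import Dict, List, Union

# Verbs AWS uses for read-level API actions (assumed convention).
READ_VERBS = ("Describe", "Get", "List", "Lookup", "Search")


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def non_read_actions(policy: Dict) -> List[str]:
    """Return every Allow action that is not read-level, in policy order.

    Wildcards are judged by the verb prefix before '*', so "ec2:Describe*"
    is accepted while "ec2:*", "s3:Put*" and a bare "*" are reported. An
    Allow statement that uses NotAction is reported whole: it permits
    everything except the listed actions, which can never be read-only.
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"NotAction in statement {stmt.get('Sid', '<no Sid>')}")
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if not service or not verb or not verb.startswith(READ_VERBS):
                findings.append(action)
    return findings


def audit_policy_json(text: str) -> List[str]:
    """Parse a policy document and return its non-read actions."""
    return non_read_actions(json.loads(text))


# Constructed excerpt of the discovery policy above; expected to pass clean.
DISCOVERY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Compute", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ecs:List*", "lambda:Get*", "autoscaling:Describe*"]},
        {"Sid": "Identity", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "sts:GetCallerIdentity"]},
        {"Sid": "Explorer", "Effect": "Allow", "Resource": "*",
         "Action": ["resource-explorer-2:Search", "cloudtrail:LookupEvents", "tag:GetResources"]},
    ],
})

# Constructed tampered copy: one write action, one service wildcard, one NotAction.
TAMPERED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Mixed", "Effect": "Allow", "Resource": "*",
         "Action": ["ecr:DescribeImages", "s3:PutBucketPolicy", "ec2:*"]},
        {"Sid": "Admin", "Effect": "Allow", "Resource": "*", "NotAction": "iam:*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("discovery excerpt", DISCOVERY_EXCERPT), ("tampered copy", TAMPERED)):
        problems = audit_policy_json(doc)
        verdict = "read-only" if not problems else "NOT read-only -> " + ", ".join(problems)
        print(f"{name}: {verdict}")
```

Run it against the policy JSON you are about to paste into the console; anything it reports is an action the page says should not be there. Deny statements are ignored on purpose, since they can only remove access.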
 
Step 2: Create a role to implement the policy
From the AWS Management Console again, navigate to the Roles page.
- Create a new role
- Select AWS service as the trusted entity and EC2 as the service for this role (this is only a placeholder; the trust policy is replaced with the cross-account trust in Step 3, and Unizo cannot use the role until that is done)
- Choose to go next with permissions
- Check the policy [YOUR_COMPANY_NAME]InfrastructureDiscoveryPolicy from the list
- Choose to go next with tags and review
- Set [YOUR_COMPANY_NAME]InfrastructureRole as the Name
- Set Allows [YOUR_COMPANY_NAME] to monitor AWS infrastructure on your behalf as the Description
- Choose to create the role

Step 3: Configure trust relationship for secure access
Again from the Roles page, find and click the [YOUR_COMPANY_NAME]InfrastructureRole to enter the role configurations.
- Select the Trust relationships tab
- Click Edit trust policy
- Delete all of the existing data (the EC2 service trust from Step 2) and replace it with the following. Replace [YOUR_AWS_ACCOUNT_ID], [YOUR_AWS_USER_USERNAME] and [EXTERNAL_ID] with the values provided by your application vendor; these are the vendor's AWS account ID, IAM user name and External ID from Part 1, not your own account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[YOUR_AWS_ACCOUNT_ID]:user/[YOUR_AWS_USER_USERNAME]"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "[EXTERNAL_ID]"
        }
      }
    }
  ]
}
```

- Keep the sts:ExternalId condition in place: it is what stops another party who learns your role ARN from having the vendor assume the role on their behalf (the confused-deputy problem)
- Update the trust policy
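The following is an added Python example, not part of the Unizo product, that builds the trust policy above from the vendor's values and then checks a pasted trust policy for the mistakes that produce "Access Denied": wrong principal, missing or mismatched sts:ExternalId, and the EC2 service trust left over from Step 2. It also shows the optional aws:SourceIp restriction mentioned under Security Best Practices. The account ID, user name, External ID and CIDR are constructed sample values.

```python
"""Generate and verify the Step 3 trust policy.

Added example, not part of the Unizo product. build_trust_policy() emits the
document a vendor hands to an end customer, optionally with an aws:SourceIp
condition; check_trust_policy() reports the misconfigurations behind the
"Access Denied" troubleshooting entries. All identifiers below are
constructed sample values.
"""
import ipaddress
import json
import uuid
from typing import Dict, List, Optional


def new_external_id() -> str:
    """Fresh random External ID; issue a different one to each end customer."""
    return str(uuid.uuid4())


def build_trust_policy(vendor_account_id: str, vendor_user: str, external_id: str,
                       allowed_cidrs: Optional[List[str]] = None) -> Dict:
    """Trust exactly one vendor IAM user, gated by External ID (and optionally source IP)."""
    if not (vendor_account_id.isdigit() and len(vendor_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    condition: Dict = {"StringEquals": {"sts:ExternalId": external_id}}
    if allowed_cidrs:
        # Parse each CIDR so a typo fails here instead of locking the vendor out.
        condition["IpAddress"] = {
            "aws:SourceIp": [str(ipaddress.ip_network(c)) for c in allowed_cidrs]
        }
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:user/{vendor_user}"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def check_trust_policy(policy: Dict, vendor_account_id: str, vendor_user: str,
                       external_id: str) -> List[str]:
    """Return problems found; empty means only the vendor user with the right External ID can assume the role."""
    expected = f"arn:aws:iam::{vendor_account_id}:user/{vendor_user}"
    problems: List[str] = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*" shorthand
            principal = {"AWS": principal}
        if "Service" in principal:
            problems.append(f"still trusts service {principal['Service']} (Step 2 placeholder not replaced)")
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or p.endswith(":root") or p.isdigit():
                problems.append(f"principal {p} is broader than the vendor's IAM user")
            elif p != expected:
                problems.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the value issued in Part 1")
    return problems


# What the role trusts if the end customer stops after Step 2 (constructed).
STEP2_PLACEHOLDER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

VENDOR_ACCOUNT, VENDOR_USER = "920671455217", "UnizoIntegrationUser"
EXTERNAL_ID = "df42d5f2-4ea6-46c7-881c-949eba5007ec"

if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ACCOUNT, VENDOR_USER, EXTERNAL_ID, ["203.0.113.0/24"])
    print(json.dumps(policy, indent=2))
    print("generated:", check_trust_policy(policy, VENDOR_ACCOUNT, VENDOR_USER, EXTERNAL_ID) or "OK")
    print("Step 2 leftover:", check_trust_policy(STEP2_PLACEHOLDER, VENDOR_ACCOUNT, VENDOR_USER, EXTERNAL_ID))
```

The checker deliberately treats an account root principal (arn:aws:iam::ACCOUNT:root or a bare account ID) as a finding: it works, but it lets any principal in the vendor account with sts:AssumeRole rights use the role, which is wider than the single IAM user this guide sets up.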
 
Step 4: Use the Role ARN to integrate with your application
Allow a few minutes for AWS to update the role.
- From AWS, copy the Role ARN that appears at the top of the Summary section of the role
- Example: arn:aws:iam::123456789012:role/[YOUR_COMPANY_NAME]InfrastructureRole
- Provide this Role ARN to your application vendor for integration

Integration Methods:
- Connect UI: Paste the Role ARN in the AWS integration form
- Direct API: Use the Role ARN in your API integration calls
- Application Dashboard: Enter the Role ARN in your application's AWS connector settings

Your end customers only need to provide:
- Role ARN: arn:aws:iam::123456789012:role/[YOUR_COMPANY_NAME]InfrastructureRole
They should NOT share their Account ID, Access Keys, or Secret Keys. The Role ARN alone grants nothing; the trust policy and External ID decide who can assume it.
Part 3: Security & Troubleshooting
Security Best Practices
Principle of Least Privilege
- The provided IAM policy grants only read access to the necessary services
- No write, delete, or administrative permissions are included
- Cross-account access requires the external ID, so even a trusted principal is refused if it does not present it

Regular Security Reviews
- Review IAM role usage in CloudTrail logs: every AssumeRole on the role is recorded as an sts.amazonaws.com event with the calling principal, source IP and outcome
- Monitor for unexpected API calls from Unizo
- Rotate the integration user's access keys periodically; if the external ID is ever exposed, issue a new one and have each affected end customer update their trust policy
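As an added example of the review above (not a Unizo feature), the following Python script scans CloudTrail records for AssumeRole calls on the integration role and reports any that came from a principal other than the vendor's IAM user, from an address outside the vendor's expected egress range, or that failed (a wrong External ID shows up as an AccessDenied AssumeRole event). The role ARN, vendor principal, IP range and the log records are constructed samples in the abridged shape CloudTrail uses for sts.amazonaws.com events.

```python
"""Review CloudTrail AssumeRole events for the integration role.

Added example for the "Regular Security Reviews" items; not a Unizo feature.
ROLE_ARN, VENDOR_PRINCIPAL, VENDOR_NETWORKS and SAMPLE_LOG are constructed
sample values, and the records follow CloudTrail's field names in abridged
form (userIdentity.arn, sourceIPAddress, requestParameters.roleArn,
errorCode).
"""
import ipaddress
import json
from typing import Dict, Iterable, List

ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleCoInfrastructureRole"
VENDOR_PRINCIPAL = "arn:aws:iam::920671455217:user/UnizoIntegrationUser"
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed vendor egress range


def review_assume_role_events(records: Iterable[Dict]) -> List[str]:
    """Return one alert line per anomalous AssumeRole call on ROLE_ARN."""
    alerts: List[str] = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        if rec.get("requestParameters", {}).get("roleArn") != ROLE_ARN:
            continue
        when = rec.get("eventTime", "?")
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        src = rec.get("sourceIPAddress", "")
        if rec.get("errorCode"):
            # Failed attempts matter most: a trusted principal that presents
            # the wrong External ID lands here as AccessDenied.
            alerts.append(f"{when} FAILED AssumeRole by {who} from {src}: {rec['errorCode']}")
            continue
        if who != VENDOR_PRINCIPAL:
            alerts.append(f"{when} unexpected principal {who} assumed the role from {src}")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            # CloudTrail records a service name here when an AWS service called STS.
            alerts.append(f"{when} role assumed via non-IP source {src!r} by {who}")
            continue
        if not any(ip in net for net in VENDOR_NETWORKS):
            alerts.append(f"{when} role assumed from outside expected range: {src} by {who}")
    return alerts


def review_cloudtrail_file(text: str) -> List[str]:
    """Accept the {"Records": [...]} layout CloudTrail writes to S3."""
    return review_assume_role_events(json.loads(text)["Records"])


def _event(time: str, arn: str, src: str, **extra) -> Dict:
    """Build one constructed AssumeRole record; extra fields override defaults."""
    rec = {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
           "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": src,
           "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "unizo-scan"}}
    rec.update(extra)
    return rec


# Constructed sample log: one normal scan, three anomalies, two unrelated events.
SAMPLE_LOG = json.dumps({"Records": [
    _event("2024-05-01T10:00:00Z", VENDOR_PRINCIPAL, "203.0.113.10"),
    _event("2024-05-01T10:05:00Z", "arn:aws:iam::920671455217:user/contractor", "203.0.113.11"),
    _event("2024-05-01T10:10:00Z", VENDOR_PRINCIPAL, "198.51.100.7"),
    _event("2024-05-01T10:15:00Z", VENDOR_PRINCIPAL, "203.0.113.12",
           errorCode="AccessDenied",
           errorMessage="User is not authorized to perform: sts:AssumeRole"),
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances"},
    _event("2024-05-01T10:25:00Z", VENDOR_PRINCIPAL, "203.0.113.13",
           requestParameters={"roleArn": "arn:aws:iam::123456789012:role/OtherRole"}),
]})

if __name__ == "__main__":
    for line in review_cloudtrail_file(SAMPLE_LOG):
        print(line)
```

Point it at the CloudTrail log files for the account that owns the role (or at the output of cloudtrail:LookupEvents filtered to EventName AssumeRole) and adjust VENDOR_NETWORKS to the egress addresses your vendor publishes; without that range the source-IP check is meaningless.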
 
Access Restrictions
- Consider adding an aws:SourceIp condition to the trust policy so the role can only be assumed from the vendor's known egress addresses
- Use AWS Config to monitor policy changes
- Enable CloudTrail for complete audit logging

Common Issues and Solutions
"Access Denied" Errors
Cause: Insufficient permissions or incorrect role configuration
Solution:
- Verify the IAM policy is attached to the correct role
- Check that the trust policy names the vendor's account ID and IAM user from Part 1 (not the end customer's own account), and that the placeholder EC2 service trust from Step 2 was replaced
- Ensure the external ID matches exactly, including case and hyphens
- If AssumeRole succeeds but individual API calls fail, the permissions policy is missing that action; compare the AccessDenied message in CloudTrail against the policy

"Role Not Found" Errors
Cause: Incorrect role ARN or role doesn't exist
Solution:
- Verify the role ARN is copied correctly
- Check that the role exists in the correct AWS account
- Ensure the role name matches exactly

"Resource Explorer Not Available" Warnings
Cause: Resource Explorer not enabled in your AWS account
Solution:
- Navigate to AWS Resource Explorer in the console
- Enable Resource Explorer for your account
- Create an index in your primary region (make it the aggregator index if you want search results from all regions)

Getting Help
If you continue to experience issues:
- Check CloudTrail logs for detailed error messages
- Contact Unizo support with your account ID and error details
- Review AWS documentation for service-specific requirements

Supported AWS Regions
Unizo supports all standard AWS regions. For optimal performance, ensure Resource Explorer is enabled in your primary region.
For additional support, contact our team at support@unizo.ai.