Skip to main content
All CollectionsConnectionsProvider
AWS (Amazon Web Services) Connection
AWS (Amazon Web Services) Connection

This article walks through the details of configuring AWS to connect to Drata.

Updated this week

Connecting Amazon Web Services (aka "AWS") to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.

Prerequisites

  • AWS Account Access:

    • You must have sufficient permissions to create new roles in your company's AWS account. Typically, this requires admin access or appropriate IAM permissions to create and manage roles.

  • Service Control Policies (SCP) with region restrictions:

    • If the AWS account you are connecting to has a Service Control Policy (SCP) with region restrictions, be prepared to configure the allowed region details for the connection to avoid test errors.

Access AWS connection within Drata

  1. Go to Drata.

  2. Select Connections on the side navigation menu.

  3. Select the Available connections tab and then search for and select 'AWS'.

  4. On the AWS connection drawer, follow the instructions to setup the connection, enter the Role ARN, and select the Allowed Regions options. Learn more about these configurations in the following section.

Tips: Use the copy button to quickly copy the long important strings of characters.

Create and enter the role ARN into Drata

In the following steps, learn how to create a role and attach a policy to that role with defined permissions. This role will enable Drata to perform read-only audits of your AWS infrastructure for compliance purposes.

Create the role:

  1. Log in to the AWS Console with an account that has access to create a new role.

  2. Navigate to the IAM service.

  3. Select the Roles in the sidebar.

  4. Select the Create role button, then the Another AWS account button.

  5. Use the following values to fill out the form:

    • Account ID: 269135526815

    • Require external ID: Check this box and enter the Drata External ID (found in the AWS connection drawer in Drata) in the External ID field.

    • Note: Do not check the Require MFA checkbox.

  6. Select the Next: Permissions button.

  7. In the Attach permissions policies section, search for SecurityAudit (this provides the Read Only Access permissions for Security Audits). Scroll and select the SecurityAudit.

  8. Select the Next: Tags button. Optionally add tags if your company uses them.

  9. Select the Next: Review button.

  10. Copy and paste the fields below into the form, then select the Create role button. Ensure that the value for Role Name is copied exactly as listed below.

    • Role Name: DrataAutopilotRole

    • Role Description: Cross-account read-only access for Drata Autopilot

Enter the role into Drata:

  1. Select the role you just created. The role should be named DrataAutopilotRole.

  2. Copy the Role ARN from the role's summary page.

    • You will paste this into Role ARN field on Drata.


Configure allowed region for SCP

If the AWS account you are connecting to has a Service Control Policy (SCP) with region restrictions:

  1. Within the Drata's AWS connection drawer, select Specific regions under Allowed regions

  2. Then, choose the appropriate regions.

If it does not have restrictions, you can select All active regions.

Verify SCP Region Restrictions for the Account

You can verify the appropriate regions through the AWS console:

  1. Navigate to the AWS Console.

  2. In the services menu, search for and select Organizations.

  3. In the Accounts section, find and select the account you are connecting to Drata.

  4. Under the account details, go to the Policies tab and search for the Service Control Policies (SCPs) section to view all policies attached to the account.

  5. Select each SCP to view its policy document and view the Condition element that specifies aws:RequestedRegion.

  6. In the array, you will find a list of all the allowed regions. Select those regions in the AWS connection drawer in Drata.

Alternatively, you can use the AWS CLI to find these details:

  1. List the policies attached to the account:

    • aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY
  2. By using the PolicyId from the previous command, get the details of each policy.

    • aws organizations describe-policy --policy-id <policy-id>
  3. In the output, inspect the Condition elements for aws:RequestedRegion to find a list of the allowed regions.


πŸŽ‰ You have just successfully setup proper read-only access for Drata πŸŽ‰


Monitoring tests covered

  • Test 4: SSL/TLS on Admin Page of Infrastructure Console

  • Test 30: Availability Zones Used

  • Test 68: Customer Data is Encrypted at Rest

  • Test 69: Customer Data in Cloud Storage is Encrypted at Rest

  • Test 88: MFA on Infrastructure Console

  • Test 95: Infrastructure Accounts Properly Removed

  • Test 98: Employees have Unique Infrastructure Accounts

  • Test 102: Public SSH Denied

  • Test 104: Cloud Data Storage Exposure

  • Test 105: AWS Guard Duty

  • Test 107: Daily Database Backups

  • Test 108: Storage Data Versioned or Retained

  • Test 112: Database CPU Monitored

  • Test 113: Database Free Storage Space Monitored

  • Test 114: Database Read I/O Monitored

  • Test 115: Messaging Queue Message Age Monitored

  • Test 117: NoSQL Cluster Storage Utilization Monitored

  • Test 118: Infrastructure Instance CPU Monitored

  • Test 119: Firewall Default Disallows Traffic

  • Test 122: Web Application Firewall in Place

  • Test 124: Root Infrastructure Account Unused

  • Test 130: Load Balancer Used

Did this answer your question?