HERE'S WHY
Connecting Amazon Web Services (aka "AWS") to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.
BEFORE DIVING IN
Make sure you have an IAM account that has access to create new roles.
Overview of what we're going to set up
Create a new Role for Drata to gain Cross-Account Access to your AWS account.
Get the new Role ARN to input into Drata
Create a new Role
Log in to the AWS Console with an account that has access to create a new role.
Go to the IAM service, once there, click on Roles in the sidebar.
Click on the Create role button, then the Another AWS account button.
Use the following values to fill out the form
Account ID:
269135526815
5. Check the Require external ID checkbox, and enter your Drata account ID into the External ID field.
The value below is just an example... you will get your REAL account ID within the Drata app when connecting AWS.
βExternal ID:
YOUR-ACCOUNT-ID
(Note: Leave the Require MFA checkbox un-checked)
6. Click the Next: Permissions button.
7. Copy and paste the Read Only Access permission for Security Audits into the search field and press enter. Scroll to the bottom of the list and select the SecurityAudit role.
Read Only Access Permission for Security Audits:
SecurityAudit
8. Click the Next: Tags button. Optionally add tags if your company uses them.
9. Click the Next: Review button.
10. Copy and paste the fields below into the form, then click the Create role button. Ensure that the value for Role Name is copied exactly as listed below.
Role Name:
DrataAutopilotRole
Role Description:
Cross-account read-only access for Drata Autopilot
Get the new Role ARN to input into Drata
Click on the new Role you just created, named DrataAutopilotRole.
Copy and paste the Role ARN value on AWS into the Role ARN field on Drata.
π You have just successfully setup proper read-only access for Drata π