Skip to main content

AWS 'account' integration

Connect Intruder to AWS your AWS account to synchronise your targets

Updated over a month ago

Our AWS integration supports the automatic import of EC2 Elastic IP addresses or Amazon Route 53 domains. Any other cloud asset types will need to be added manually.

There are three places from which you can add your AWS account in the portal:

1a. From the Targets page. Click the Discovery tab and select 'Add Asset Source'

1b. From the Integrations page. Click + Add, under AWS:

1c. The Targets page by clicking the yellow + Add Targets button > Cloud asset sync:

2. You would then need to select the 'Add account' option when presented with the following modal:

There are then two methods for integrating Intruder with AWS: you can either:

  1. Create an IAM role for Intruder

  2. Add a new IAM user and enter the access keys

Create an IAM role for Intruder

We have outlined the instructions required to set up the correct permissions for your IAM Role in the video below:

Watch the video

Here's a link to the AWS help docs, should you need them.

  1. Log in to the AWS IAM console and go to 'Roles':

  2. Now click on 'Create role':

  3. For the next step, you'll need Intruder's AWS Account ID and External ID.
    Log in to the Intruder portal > Targets page > Cloud accounts > Add account > AWS and select the 'Add account' option thereafter:

  4. Copy the Account ID and External ID to a text document (or leave the Intruder portal open in a separate browser tab):

  5. Now go back to the AWS - Create role screen:

    • Select 'AWS account' from the 'Trusted entity type' section.

    • Select 'Another AWS account' and enter the Account ID from the Intruder platform.

    • Tick the checkbox to 'Require external ID' and enter the value you copied from our portal into the field.

    • Finally, ensure the 'Require MFA' checkbox is not ticked and click 'Next'

  6. Attach permission policies to the role (use the search box to find them):


    The new role needs to be granted permissions using the following three policies:

    (❗ You must enable all three, or the integration won't work)

    • ReadOnlyAccess

    • SecurityAudit

    • AmazonBedrockReadOnly

  7. Click on 'Next' > now give your role a name, for example 'intruder-integration' > click 'Create role':

  8. It should now take you back to the Roles page > click on the role you just created to view its details:

    Copy the 'Role ARN' and head back to the Cloud settings page of the Intruder portal.

  9. Paste the 'Role ARN' into the text box, click Add account and you're done! 💪

Automatic detection of APIs

If you have created an IAM Role, there are additional steps you can follow that will allow us to automatically detect APIs in your cloud account.

(Integrations with access keys don't require any additional steps).

Add a new IAM user and enter the access keys

Here is a link to the AWS help docs for creating an IAM User

  1. If you are connecting Intruder to your AWS account via access keys, we recommend creating a new user in your AWS account.

    When creating a new user, please ensure that Programmatic access is checked.

  2. The new user will need to be granted permissions using the following AWS policies:

    • ReadOnlyAccess

    • SecurityAudit

    • AmazonBedrockReadOnly

    ❗You must enable all three, or the integration won't work.❗

    Accounts with the 'AdministratorAccess'Policy could also be used, but we would advise against this.

  3. Once your new user account is ready, you'll need to generate an access/secret key pair. AWS have a guide on how to do this, but here are the main steps:

    • In the IAM console under Users, click on the new user's name

    • Select the Security credentials tab

    • Click Create access key in the Access keys section to create a key pair that consists of an Access key ID and Secret access key

    • Take note of both keys, as you will need to add them to our portal

  4. Now, head to the Cloud section of our settings page > paste the Access key ID and Secret access key into the appropriate fields and click on the Add account button. Voila! 🎉


If you have multiple AWS accounts, the process above can be repeated to add each account you want to protect.


The next thing you'll see is this modal 👇, for automated management of your cloud targets.

  • You can read more about Cloud Sync here, but to summarise, you can enable automatic syncing and scanning of your assets, as well as options to import and assign tags automatically.

  • You will also be presented with the option to run Cloud Security scans, which you can read more about here.

User-uploaded Image

If the Cloud Sync feature is not of interest, and you'd like to manage them manually, skip the boxes and simply press Confirm setup, and you'll see this prompt:

Note: The AWS integration is only available for customers on our Cloud, Pro, Enterprise, and Vanguard plans.

Related Articles
GCP (Google Cloud Platform) integration
🎥 Video: How to add your AWS account to Intruder
Discovery: AWS API targets
Cloud integrations
Cloud Security Scans on AWS
Did this answer your question?