AWS (Amazon Web Services) Integration
Connect Intruder to AWS to synchronise your targets

Keeping track of cloud targets you want to monitor for vulnerabilities can be a bit of a pain – new instances are constantly being spun up in AWS while others are being shut down – and it could easily become a full-time job!

That's why we've created an AWS integration - add your EC2 Elastic IP addresses or Amazon Route 53 hostnames as Intruder targets directly from our portal! 🎉


Connect AWS to your Intruder Account

You can connect your Intruder Account in two ways:

  1. Creating an IAM role for Intruder (AWS AssumeRole functionality).

  2. Adding a new IAM user and entering the access keys.


Create an IAM role for Intruder

  • To get started, you'll need to log into the AWS IAM console and go to 'Roles'.

  • Now click on 'Create role'.

  • For the next step you'll need Intruder's AWS Account ID and an External ID, so please log into the Intruder portal > Targets page > Add target > Cloud Account Sync > AWS (middle button).

  • Copy the Account ID and External ID to a text document (or leave the Intruder portal open in a separate browser tab).

  • Now go back to the AWS - Create role screen:

    • Select 'AWS account' from the 'Trusted entity type' section.

    • Select 'Another AWS account' and enter Intruder's Account ID.

    • Tick the checkbox to 'Require external ID' and enter the value you copied from our portal into the field.

    • Finally, ensure the 'Require MFA' checkbox is not ticked and click 'Next'.

  • Now attach permission policies to the role (use the search box to find them).

  • The new role needs to be granted permissions using the following three policies
    (❗you must enable all three, or the integration won't work): 

    • 'IAMReadOnlyAccess' - Used to fetch the "account alias" of the AWS account

    • 'AmazonEC2ReadOnlyAccess' - Used to fetch EC2 Elastic IP addresses

    • 'AmazonRoute53ReadOnlyAccess' - Used to fetch Route 53 hostnames

  • Click on 'Next' > now give your role a name, for example 'intruder-integration' > click 'Create role'.

  • It should now take you back to the Roles page > click on the role you just created to view its details.

  • Copy the 'Role ARN' and head back to the Cloud settings page of the Intruder portal.

  • Paste the 'Role ARN' into the text box, click Add AWS account and you're done! 💪
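
To check that the role you created matches the steps above, you can audit its trust policy and attached policies. This is an added example, not Intruder's own code: the function name, the account ID and the external ID are constructed placeholders, and the trust policy JSON is written in the shape the AWS console generates for a cross-account role with an external ID.

```python
import json

# The three managed policies the page lists; all are required.
REQUIRED = {"IAMReadOnlyAccess", "AmazonEC2ReadOnlyAccess",
            "AmazonRoute53ReadOnlyAccess"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, attached, account_id, external_id):
    """Return findings; an empty list means the role matches the steps above."""
    findings = []
    allows = [s for s in as_list(trust_policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not allows:
        findings.append("no statement allows sts:AssumeRole")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        trusted = (as_list(principal.get("AWS", []))
                   if isinstance(principal, dict) else [principal])
        for p in trusted:
            if p not in (account_id, f"arn:aws:iam::{account_id}:root"):
                findings.append(f"unexpected trusted principal: {p}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
        if any("aws:MultiFactorAuthPresent" in ops for ops in cond.values()):
            findings.append("role requires MFA")
    findings += [f"missing policy: {n}" for n in sorted(REQUIRED - set(attached))]
    findings += [f"extra policy: {n}" for n in sorted(set(attached) - REQUIRED)]
    return findings

# Constructed sample values: placeholder account ID and external ID.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "EXAMPLE-EXTERNAL-ID"
GOOD_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
# Same role with the external ID condition dropped (constructed weak case).
WEAK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}""")

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, sorted(REQUIRED), ACCOUNT_ID, EXTERNAL_ID))
    print(audit_role(WEAK_TRUST, ["AdministratorAccess"], ACCOUNT_ID, EXTERNAL_ID))
```

For a real role, the trust policy is the AssumeRolePolicyDocument returned by `aws iam get-role`, and the attached policy names come from `aws iam list-attached-role-policies`.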


Add a new IAM user and enter the access keys

  • If you are connecting Intruder to your AWS account via access keys, we recommend creating a new user in your AWS account.
    When creating a new user, please ensure that Programmatic access is checked.

  • The new user will need to be granted permissions using the following AWS policies 
    (❗you must enable all three, or the integration won't work):

    • 'IAMReadOnlyAccess' - Used to fetch the "account alias" of the AWS account

    • 'AmazonEC2ReadOnlyAccess' - Used to fetch EC2 Elastic IP addresses

    • 'AmazonRoute53ReadOnlyAccess' - Used to fetch Route 53 hostnames

      Accounts with the 'AdministratorAccess' policy could also be used, but we would advise against this.

  • Once your new user account is ready you'll need to generate an access/secret key pair. AWS has a guide on how to do this; here are the main steps:

    • In the IAM console under Users, click on the new user's name

    • Select the Security credentials tab

    • Click Create access key in the Access keys section to create a key pair that consists of an Access key ID and Secret access key

    • Take a note of both keys as you will need to add them to our portal


  • Now head to the Cloud section of our settings page.

  • Paste the Access key ID and Secret access key into the appropriate fields and click on the Add AWS account button. Voila! 🎉 

If you have multiple AWS accounts, the process above can be repeated to add each account you want to protect.



The next thing you'll see is a modal for automated management of your cloud targets.

If that's not of interest and you'd like to manage them manually, skip the boxes and simply press Confirm setup.



Note: AWS integration is only available for customers on our Pro, Premium and Vanguard plans.
