
AWS 'account' integration

Connect Intruder to AWS to synchronise your targets

Written by Patrick Craston

ℹ️ Note: Our AWS account integration — available on Cloud, Pro, Enterprise and Vanguard plans — automatically imports EC2 Elastic IP addresses and Amazon Route 53 A records.

There are three places from which you can add your AWS account in the portal:

1a. From the Targets page, click '+Add target' > 'Cloud environments' > 'AWS':


1b. From the Integrations page, click '+ Add', under AWS:

1c. From the Discovery page, click the yellow '+ Add asset' button > 'AWS':

2. Then, select 'Add account' when presented with the following modal:

There are then three methods for integrating Intruder with AWS:


Upload the CloudFormation template

⚠️ Important: To mitigate potential integration issues, please do not modify the CloudFormation template.

  1. Log into the Intruder portal and navigate to 'Targets page > + Add target > Cloud environments > AWS > Add account':


  2. Click 'Download Cloudformation template':

  3. Create a CloudFormation stack, select the following options in Step 1, and then click 'Next':

    • Prerequisite - 'Choose an existing template'

    • Specify template - 'Upload a template file'

    • Upload a template file - 'Choose file' > intruder_cloudformation_stackset.json

  4. Enter a name for the stack in Step 2 and click 'Next':

  5. Acknowledge that AWS CloudFormation might create IAM resources with custom names in Step 3, and click 'Next':

  6. Click 'Submit' on Step 4:

  7. Navigate to 'Outputs' and copy the roleARN value:

  8. Enter the value into the 'Role ARN' field in Intruder, and click 'Add asset':

  9. Configure your cloud connector settings:



  10. Click 'Confirm' and you're done! 💪


Create an IAM role for Intruder

💡Tip:

  • We have outlined the instructions required to set up the correct permissions for your IAM Role in the video below:

  1. Log in to the AWS IAM console and go to 'Roles':

  2. Now click on 'Create role':

  3. For the next step, you'll need Intruder's AWS Account ID and External ID.
    Log in to the Intruder portal > Targets page > + Add target > Cloud environments > AWS > Add account:


  4. Copy the Account ID and External ID to a text document (or leave the Intruder portal open in a separate browser tab):

  5. Now go back to the AWS - Create role screen:

    • Select 'AWS account' from the 'Trusted entity type' section.

    • Select 'Another AWS account' and enter the Account ID from the Intruder platform.

    • Tick the checkbox to 'Require external ID' and enter the value you copied from our portal into the field.

    • Finally, ensure the 'Require MFA' checkbox is not ticked and click 'Next'

  6. Attach permission policies to the role (use the search box to find them):


    The new role needs to be granted permissions using the following three policies:

    (❗ You must enable all three, or the integration won't work. Please check the other pages if they don't appear at the top of the search results.)

    • ReadOnlyAccess - Provides read-only access to AWS services and resources.

    • SecurityAudit - Grants access to read security configuration metadata.

    • AmazonBedrockReadOnly - Provides read-only access to Amazon Bedrock for Bedrock-related security checks.


    💡 ReadOnlyAccess and SecurityAudit provide the permissions needed for the majority of Intruder's security scanning checks across AWS services. AmazonBedrockReadOnly is needed only for the Bedrock-related security checks.

  7. Click on 'Next' > now give your role a name, for example 'intruder-integration' > click 'Create role':

  8. It should now take you back to the Roles page > click on the role you just created to view its details:

    Copy the 'Role ARN' and head back to the Cloud settings page of the Intruder portal.

  9. Paste the 'Role ARN' into the text box, click 'Add asset':

  10. Configure your cloud connector settings:



  11. Click 'Confirm' and you're done! 💪
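As an added example (not Intruder's own code, and not the console's output), the following Python builds the trust policy document that step 5 above produces in the console ('Another AWS account' as the trusted entity, 'Require external ID' ticked, 'Require MFA' unticked) and checks an existing role's trust policy for the same properties. The account ID and external ID are constructed placeholders; the real values come from the Intruder portal. The two function names are hypothetical.

```python
import json

# Constructed placeholders: the real values are shown in the Intruder portal
# (Targets page > + Add target > Cloud environments > AWS > Add account).
INTRUDER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to step 5: trusted entity 'AWS account' >
    'Another AWS account', 'Require external ID' ticked, 'Require MFA' unticked."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            # The external ID stops a third party who merely knows the role ARN
            # from having Intruder assume the role on their behalf.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc: dict, account_id: str, external_id: str) -> list:
    """Return the problems found in an existing trust policy (an empty list
    means it matches the integration requirements). Accepts both the
    'arn:...:root' and bare account-ID principal forms the console may show."""
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    if not statements:
        return ["no Allow statement: nothing can assume the role"]
    problems = []
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            problems.append("statement does not allow sts:AssumeRole")
        principal = stmt.get("Principal", {})
        principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if "*" in principals:
            problems.append("principal '*' lets any AWS account assume the role")
        elif not any(p in expected for p in principals):
            problems.append(f"principal is not the Intruder account {account_id}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match the portal value")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            problems.append("'Require MFA' is ticked; it must be unticked for this integration")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(INTRUDER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, INTRUDER_ACCOUNT_ID, EXTERNAL_ID))
```

To audit a role you already created, paste the 'Trust relationships' JSON from the role's details page into `check_trust_policy` with the Account ID and External ID from the portal; a non-empty list tells you which of the step 5 settings was missed.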


Automatic detection of APIs

If you have created an IAM Role, there are additional steps you can follow that will allow us to automatically detect APIs in your cloud account.

(Integrations with access keys don't require any additional steps).


Add a new IAM user and enter the access keys

Here is a link to the AWS help docs for creating an IAM User

  1. If you are connecting Intruder to your AWS account via access keys, we recommend creating a new user in your AWS account.

    When creating a new user, please ensure that Programmatic access is checked.

  2. The new user will need to be granted permissions using the following AWS policies:

    • ReadOnlyAccess

    • SecurityAudit

    • AmazonBedrockReadOnly

    (❗You must enable all three, or the integration won't work. Please check the other pages if they don't appear at the top of the search results.)

    Accounts with the 'AdministratorAccess' policy could also be used, but we would advise against this.

  3. Once your new user account is ready, you'll need to generate an access/secret key pair. AWS has a guide on how to do this, but here are the main steps:

    • In the IAM console under Users, click on the new user's name

    • Select the Security credentials tab

    • Click Create access key in the Access keys section to create a key pair that consists of an Access key ID and Secret access key

    • Take note of both keys, as you will need to add them to our portal

  4. Now, head to the Cloud section of our settings page > paste the Access key ID and Secret access key into the appropriate fields and click on the 'Add asset' button:

  5. Configure your cloud connector settings:



  6. Click 'Confirm' and you're done! 💪
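Both the IAM role (step 6 of the role procedure) and the IAM user (step 2 of the access-key procedure above) need the same three managed policies, and the page advises against AdministratorAccess. As an added example that is not Intruder's own code, the following Python checks a list of attached policies, in the shape the AWS IAM API returns for a role or user (PolicyName/PolicyArn pairs, constructed here), against that requirement. The function names are hypothetical.

```python
# The three AWS managed policies the integration requires.
REQUIRED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/AmazonBedrockReadOnly",
}
# Broader than the integration needs; the page advises against using it.
OVERBROAD_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def check_attached_policies(attached_policies: list) -> dict:
    """attached_policies: list of {"PolicyName": ..., "PolicyArn": ...} dicts
    (the 'AttachedPolicies' list returned for a role or user).
    Reports required policies still missing, over-broad grants present,
    whether the integration would work, and whether the grant is least-privilege."""
    arns = {p["PolicyArn"] for p in attached_policies}
    missing = sorted(REQUIRED_POLICY_ARNS - arns)
    overbroad = sorted(arns & OVERBROAD_POLICY_ARNS)
    # AdministratorAccess on its own would make the integration work, but at
    # the cost of a principal that can change anything in the account.
    return {
        "missing": missing,
        "overbroad": overbroad,
        "ready": not missing or bool(overbroad),
        "least_privilege": not missing and not overbroad,
    }


def report(principal_name: str, attached_policies: list) -> str:
    """Human-readable summary for one role or user."""
    result = check_attached_policies(attached_policies)
    lines = [f"{principal_name}: ready={result['ready']} least_privilege={result['least_privilege']}"]
    lines += [f"  missing: {arn}" for arn in result["missing"]]
    lines += [f"  over-broad: {arn}" for arn in result["overbroad"]]
    return "\n".join(lines)


# Constructed sample: two of the three required policies attached, plus
# AdministratorAccess, which is the case the page warns against.
SAMPLE_USER_POLICIES = [
    {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]

if __name__ == "__main__":
    print(report("intruder-integration", SAMPLE_USER_POLICIES))
```

Run it against the attached-policy list of the role or user you created; a `ready=True` result with `least_privilege=False` means the integration will connect, but only because of a broader grant than the three read-only policies the page asks for.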

If you have multiple AWS accounts, the process above can be repeated to add each account you want to protect.


Cloud Connector Settings

Run cloud security scans — Scans your cloud account for security risks and misconfigurations at the account level. This does not consume licenses, so you can leave it on without affecting your license count.

Add cloud assets as targets (Cloud sync) — Lets you specify which assets are added to Intruder as targets. Targets are scanned for vulnerabilities upon import, and any target found active will consume a license.

Import AWS tags — Replicates your existing AWS tags inside Intruder so you can organize targets and scans using the same labels you already use in AWS.

Automatically assign tags — Applies tags you choose to imported assets. If asset sync is enabled, these tags are also applied to new targets as they're added.

Asset sync settings

  • Sync all assets — automatically adds assets to Intruder as targets

  • Manual sync assets — add assets to Intruder as targets one at a time

  • Selective sync — add assets as targets automatically based on rules

Auto-scan new targets — Automatically scans for vulnerabilities whenever a new target is added. Leave this on if you want continuous coverage of newly discovered assets without manually triggering scans.
