
Amazon Web Services (AWS)

The AQtive Guard (AQG) Amazon Web Services (AWS) integration provides end-to-end coverage for both Cryptography Posture Management (CPM) and AI Security Posture Management (AI-SPM) using a single agentless, least-privilege IAM role.

AQG discovers cryptographic assets and how they’re used, and performs cloud-side discovery of AI assets over the same integration.

Data ingestion overview

AQG data ingestion uses:

  • A crawler for full, multi-region scans of your AWS environment.
  • Event-driven ingestion from CloudTrail to keep CPM and AI-SPM inventories current.

Important

Scan-based ingestion always covers multiple regions. Event-based ingestion from CloudTrail requires specific configuration for multi-region support. To capture all regions, select a multi-region deployment option when you choose your deployment method.

Info

CloudTrail events are forwarded to AQG via EventBridge. To prevent an infinite loop, we filter out any events with the source IP apidestinations.events.amazonaws.com, which are generated by EventBridge forwarding activity. If CloudTrail events are not reaching AQG, refer to Troubleshooting.

CPM ingestion and data

The AWS integration for CPM:

  • Crawls all enabled AWS regions to discover cryptographic assets.
  • Ingests:
    • Certificates from AWS Certificate Manager (ACM)
    • Keys from AWS Key Management Service (KMS)
    • Secrets from AWS Secrets Manager and SSM Parameter Store
  • Populates the AQG Inventory with these objects (source: AWS).
  • Uses CloudTrail to track changes and to discover AWS services that use these assets (for example, EC2, Lambda, API Gateway).

For the full list of CPM API permissions, refer to the AWS reference for CPM.

CPM data

CPM data includes:

  • ACM certificates
  • KMS keys
  • Secrets from Secrets Manager and SSM Parameter Store
  • EC2, Lambda, API Gateway, and other AWS resources that consume these cryptographic assets

AI-SPM ingestion and data

The AWS integration for AI-SPM:

  • Crawls all enabled AWS regions to discover AI assets.
  • Analyzes the same CloudTrail stream to detect active and supported AWS AI services (for example, Bedrock and SageMaker).
  • Discovers AI assets such as Bedrock agents/models and SageMaker endpoints, and associates them with the AWS account and region.
  • Captures AI usage events and sessions from relevant CloudTrail activity and sends them to AQG.

For the full list of AI-SPM API permissions, see the AWS reference for AI-SPM.

AI-SPM data

AI-SPM data includes:

  • AI assets from AWS Bedrock (agents, models)
  • AI assets from Amazon SageMaker (endpoints and deployed models)
  • Foundational, custom, and imported models invoked via supported AWS AI services
  • AI usage events and sessions associated with these models and endpoints, which roll up into AI‑SPM Inventory, Issues, and posture reporting views

Tags

The AWS integration will automatically ingest any user-defined tags applied to your resources in AWS as tags in AQtive Guard. AWS-generated tags are not ingested. Refer to the AWS tags documentation for more information.

Setup

Before you begin

To set up the AWS integration, you’ll need the CloudFormation Template from AQG.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel, then Download CloudFormation template. You’ll need it to create the IAM role in AWS.

Choose your deployment method

Choose one of the following three methods to run the template in your AWS account:

  • Single region setup
  • Manual multi-region setup
  • AWS StackSets

Refer to the linked sections for details.

Single region setup

Use this method to monitor a single AWS region.

  1. Log into the AWS console.

  2. From the AWS dashboard, search for and then select CloudFormation.

  3. Select Stacks in the left navigation pane, then select Create stack:

    • If this is your first stack, select the orange Create stack button.
    • If you have existing stacks, select:
      • The Create stack button in the top-right corner.
      • With new resources (standard) from the dropdown.
  4. In the Prerequisite - Prepare template section, verify Choose an existing template is selected.

  5. In the Specify template section, select Upload a template file.

  6. Select Choose file, upload the template you downloaded from AQG, and select Next.

  7. On the Specify stack details page:

    • Enter a Stack name.
    • Enter your AQGAPIKeyParameter. If you don’t have a key, you can browse to the URL listed directly under this field in the AWS console to generate the required API token in AQtive Guard.

      The token should have at least Uploader permissions. Refer to Create an API token for instructions.

    • Select Next.

    Refer to the AWS stacks documentation for more information.

  8. At the bottom of the next page:

    • Check the box I acknowledge that AWS CloudFormation might create IAM resources with customized names.
    • Select Next.
  9. Select Submit.

  10. Once the stack is created, navigate to the stack’s Resources tab and copy the Amazon Resource Name (ARN) of the created IAM role named AQtiveGuardReadOnlyAccessRole.

If events aren’t flowing after setup, refer to CloudFormation template troubleshooting.

Tip

You can change the name of the AQtiveGuardReadOnlyAccessRole IAM role, but the new role name must start with AQtiveGuard.
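The same single-region setup can be scripted. The script below is an added example, not AQtive Guard's own tooling: it creates the stack from the downloaded template with the AWS CLI, waits for it, and prints the ARN of the IAM role the stack created, enforcing the rule that a renamed role must still start with AQtiveGuard. It assumes the AWS CLI is configured for the target account and region, that the template is saved as ./cloudformation-template.json, and that the API token is supplied in an environment variable named AQG_API_KEY (a name chosen for this script).

```shell
#!/bin/sh
# Added example, not AQtive Guard's own tooling: the single-region console
# steps performed with the AWS CLI, ending with the role ARN that the AQG
# data source configuration needs.
# Assumptions: the AWS CLI is configured for the target account and region,
# the template downloaded from AQG is saved as ./cloudformation-template.json,
# and the API token (at least Uploader permissions) is supplied in the
# AQG_API_KEY environment variable (a name chosen for this script).

# The role can be renamed, but the new name must start with "AQtiveGuard";
# a deployment script should enforce that before handing the ARN to AQG.
validate_role_name() {
  case "$1" in
    AQtiveGuard*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the --parameters argument; AQGAPIKeyParameter is the parameter name
# shown on the Specify stack details page.
stack_parameters() {
  printf 'ParameterKey=AQGAPIKeyParameter,ParameterValue=%s' "$1"
}

# Create the stack, wait for it, then resolve the ARN of the AQtiveGuard* IAM
# role it created. The Physical ID of an AWS::IAM::Role resource is the role
# name, which is the value the Resources tab shows.
deploy_single_region_stack() {
  stack_name="${1:-aqtive-guard}"
  template="${2:-./cloudformation-template.json}"
  : "${AQG_API_KEY:?set AQG_API_KEY to an AQtive Guard API token}"

  # CAPABILITY_NAMED_IAM is the CLI form of the console acknowledgement that
  # CloudFormation may create IAM resources with customized names.
  aws cloudformation create-stack \
    --stack-name "$stack_name" \
    --template-body "file://$template" \
    --parameters "$(stack_parameters "$AQG_API_KEY")" \
    --capabilities CAPABILITY_NAMED_IAM >/dev/null
  aws cloudformation wait stack-create-complete --stack-name "$stack_name"

  roles=$(aws cloudformation describe-stack-resources \
    --stack-name "$stack_name" \
    --query "StackResources[?ResourceType=='AWS::IAM::Role'].PhysicalResourceId" \
    --output text)
  for role in $roles; do
    if validate_role_name "$role"; then
      # This ARN is the value to paste into Data sources > AWS > Configure.
      aws iam get-role --role-name "$role" --query Role.Arn --output text
    fi
  done
}

# Only deploy when explicitly asked:
#   AQG_API_KEY=... sh deploy.sh deploy [stack-name] [template-path]
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy_single_region_stack "$@"
fi
```

The `wait stack-create-complete` call blocks until the stack either completes or fails, so a failed IAM resource creation surfaces as a non-zero exit rather than an empty ARN; the same script can be re-run in each additional region for the manual multi-region setup.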

Manual multi-region setup

Use this method to monitor multiple regions without setting up additional IAM roles for orchestration.

  1. Complete the steps for the Single region setup in your first region (for example, us-east-1).
  2. Once the first stack is finished, switch regions in your AWS console (for example, us-west-2).
  3. Repeat the process for creating stacks using the same template.
  4. Continue this process for every region you wish to monitor.

Note

You only need to copy the Amazon Resource Name (ARN) from your primary region stack to finish the setup in AQG.

AWS StackSets

Use CloudFormation StackSets to deploy stacks into multiple regions simultaneously.

Configure IAM Roles for StackSets

Before uploading the template, you’ll need to first configure two specific IAM roles:

Admin role

The Admin role allows the CloudFormation service to manage your StackSets.

  1. Log in to the IAM Console.
  2. Select Roles, then Create role.
  3. For Trusted entity type, select Custom trust policy and paste the following:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudformation.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  4. Select Next.
  5. Select the AWS managed policy AWSCloudFormationFullAccess, then select Next.
  6. Add a Role name and any required Tags, then select Create role.
  7. Locate your newly created role in the IAM Roles list and select its name to view the details.
  8. In the Permission policies section, select the Add permissions dropdown and select Create inline policy.
  9. Select the JSON tab and paste the following:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudformation:*StackSet*",
                    "iam:PassRole",
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }
    
  10. Name the policy (for example, StackSetAdminInlinePolicy), then select Create policy.

Execution Role

The Execution role is the role the Admin role assumes to create the stacks in each target region.

  1. In the IAM Console, select Roles, then Create role.
  2. For Trusted entity type, select Custom trust policy and paste the following, replacing <ADMIN ROLE ARN> with the ARN of the Admin role you created in the previous section:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ADMIN ROLE ARN>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  3. Select Next.
  4. Select the AWS managed policy AdministratorAccess.
  5. Name the role AWSCloudFormationStackSetExecutionRole and select Create role.

StackSet deployment process and configuration

  1. Log into the AWS console and navigate to CloudFormation.

  2. Select StackSets, then Create stack set.

  3. Select the desired Admin and Execution roles.

  4. Upload the cloudformation-template.json file that you downloaded previously.

  5. On the Specify stack details page:

    • Enter a Stack name.
    • Enter your AQGAPIKeyParameter. If you don’t have a key, you can browse to the URL listed directly under this field in the AWS console to generate the required API token in AQtive Guard.

      The token should have at least Uploader permissions. Refer to Create an API token for instructions.

    • Select your central hub region from the PrimaryRegion dropdown.
    • Select Next.

    Refer to the AWS stacks documentation for more information.

  6. Under Execution configuration, select whichever option better suits your environment.

  7. Check the box I acknowledge that AWS CloudFormation might create IAM resources with customized names and select Next.

  8. In the Add stacks to stack set section, verify that Deploy new stacks is selected.

  9. In the Accounts area, verify that Deploy stacks in accounts is selected and add the Account number.

    You can find your 12-digit account number by selecting your account name in the top-right corner of the AWS Console, or by looking at your role’s ARN. In the ARN, it’s the numeric segment (for example, arn:aws:iam::123456789012:role/...)

  10. In the Specify regions area, select all regions you wish to monitor. You must pick at least the same region you selected earlier as the PrimaryRegion.

  11. Configure any Deployment options you want to be active. We recommend setting your Failure tolerance to 0 to catch any errors immediately.

  12. Select Next, then Submit.

If a StackSet deployment fails or events aren’t flowing, see StackSets troubleshooting.
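The whole StackSets procedure above (Admin role, Execution role, stack set, stack instances) can also be done from the AWS CLI. The script below is an added example, not AQtive Guard's own tooling. It embeds the two trust policies and the inline policy exactly as shown on this page, checks that the region list includes the PrimaryRegion (step 10), and deploys with a failure tolerance of 0 (step 11). It assumes the AWS CLI is configured for the target account with IAM and CloudFormation permissions, that the template is saved as ./cloudformation-template.json, that the API token is in an AQG_API_KEY environment variable, and that the Admin role name AQGStackSetAdminRole and the stack set name aqtive-guard are chosen here; the Execution role name is the one the page requires.

```shell
#!/bin/sh
# Added example, not AQtive Guard's own tooling: the StackSets procedure
# performed with the AWS CLI. Assumptions: AWS CLI configured for the target
# account with IAM and CloudFormation permissions; template saved as
# ./cloudformation-template.json; API token in AQG_API_KEY; the Admin role
# name AQGStackSetAdminRole and stack set name aqtive-guard are chosen here.

EXECUTION_ROLE_NAME=AWSCloudFormationStackSetExecutionRole   # name required by the setup
TEMPLATE=./cloudformation-template.json
STACK_SET_NAME=aqtive-guard

# Trust policy from the Admin role steps: only the CloudFormation service may
# assume this role.
admin_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudformation.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Inline policy from the Admin role steps (StackSet operations, PassRole,
# AssumeRole).
admin_inline_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["cloudformation:*StackSet*","iam:PassRole","sts:AssumeRole"],"Resource":"*"}]}'
}

# Trust policy from the Execution role steps, with the Admin role ARN filled
# in for the <ADMIN ROLE ARN> placeholder.
execution_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"%s"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Step 10 of the deployment: the deployed regions must include PrimaryRegion.
regions_include_primary() {
  primary="$1"; shift
  for r in "$@"; do
    if [ "$r" = "$primary" ]; then return 0; fi
  done
  return 1
}

# Create both roles and print the Admin role ARN.
create_stackset_roles() {
  admin_role="${1:-AQGStackSetAdminRole}"
  admin_arn=$(aws iam create-role --role-name "$admin_role" \
    --assume-role-policy-document "$(admin_trust_policy)" \
    --query Role.Arn --output text)
  aws iam attach-role-policy --role-name "$admin_role" \
    --policy-arn arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
  aws iam put-role-policy --role-name "$admin_role" \
    --policy-name StackSetAdminInlinePolicy \
    --policy-document "$(admin_inline_policy)"

  aws iam create-role --role-name "$EXECUTION_ROLE_NAME" \
    --assume-role-policy-document "$(execution_trust_policy "$admin_arn")" >/dev/null
  # AdministratorAccess is the managed policy the console steps specify.
  aws iam attach-role-policy --role-name "$EXECUTION_ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  printf '%s\n' "$admin_arn"
}

# Usage: deploy_stackset <admin-role-arn> <primary-region> <region>...
deploy_stackset() {
  admin_arn="$1"; primary="$2"; shift 2
  if ! regions_include_primary "$primary" "$@"; then
    echo "region list must include the PrimaryRegion $primary" >&2
    return 1
  fi
  : "${AQG_API_KEY:?set AQG_API_KEY to an AQtive Guard API token}"
  aws cloudformation create-stack-set --stack-set-name "$STACK_SET_NAME" \
    --template-body "file://$TEMPLATE" \
    --parameters "ParameterKey=AQGAPIKeyParameter,ParameterValue=$AQG_API_KEY" \
                 "ParameterKey=PrimaryRegion,ParameterValue=$primary" \
    --capabilities CAPABILITY_NAMED_IAM \
    --administration-role-arn "$admin_arn" \
    --execution-role-name "$EXECUTION_ROLE_NAME" >/dev/null
  account=$(aws sts get-caller-identity --query Account --output text)
  # Failure tolerance 0 stops on the first failing region so errors show up
  # immediately, as step 11 recommends.
  aws cloudformation create-stack-instances --stack-set-name "$STACK_SET_NAME" \
    --accounts "$account" --regions "$@" \
    --operation-preferences FailureToleranceCount=0
}

# Only deploy when explicitly asked:
#   AQG_API_KEY=... sh stackset.sh deploy us-east-1 us-east-1 us-west-2
if [ "${1:-}" = "deploy" ]; then
  shift
  admin_arn=$(create_stackset_roles)
  deploy_stackset "$admin_arn" "$@"
fi
```

Once the stack instances report CURRENT in the primary region, retrieve the role ARN from that region's stack as described under Finish setup in AQG.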

Finish setup in AQG

You’ll need the IAM Role ARN from your AWS account.

Retrieve the ARN from AWS

  1. Log in to the AWS Management Console and select your Primary region.
  2. Navigate to CloudFormation, then select Stacks.
  3. Select the stack you created for AQtive Guard and select the Resources tab.
  4. Locate the row for AQtiveGuardReadOnlyAccessRole and select the link in the Physical ID column to open it.
  5. In the IAM console, copy the Amazon Resource Name (ARN).

Configure the data source in AQG

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel.
  3. Enter the Amazon Resource Name (ARN) for the role you copied from the IAM console.
  4. Select Submit.

    You’ll see a notification confirming that the configuration has succeeded.

Tip

You can start the ingestion right away by selecting Start now.

Use

Once the integration is configured, you can trigger an AWS data ingestion.

Start an ingestion

To start an ingestion:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Start now.

    You’ll see a notification confirming that the ingestion has started.

Edit a connected AWS account

To edit a connected AWS account:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Edit to make any changes you need, then Submit.

Unlink the AWS integration

Unlink the AWS integration only if your organization needs to reconfigure or stop data sharing with AWS.

To unlink the AWS configuration:

  1. Select Data sources from the main menu, then select Details in the AWS panel.
  2. Select Edit, then Unlink.
  3. Select Confirm and unlink Amazon Web Services.