AWS reference

The AQtive Guard (AQG) AWS integration uses specific API calls to discover and ingest cryptographic and AI asset data from your AWS account. This section details the AWS services AQG interacts with and the corresponding APIs it calls.

These permissions are provisioned automatically by the CloudFormation template described in Setup. For an overview of what data AQG ingests from AWS, refer to Data ingestion overview.

Note

This guide is organized into separate reference sections for Cryptography Posture Management (CPM) and AI Security Posture Management (AI-SPM).

AWS reference for CPM

This section details the AWS services and API permissions AQG interacts with to ingest CPM data.

For details on how AQG discovers and inventories these assets, refer to CPM ingestion and data.

AWS Security Token Service (STS)

AQG uses the STS service to assume roles within your AWS account.

  • sts:GetCallerIdentity

For more information, refer to the AWS STS documentation.

AWS Key Management Service (KMS)

AQG discovers cryptographic keys and their properties from the AWS KMS service.

  • kms:ListKeys
  • kms:ListAliases
  • kms:DescribeKey
  • kms:GetKeyPolicy
  • kms:GetKeyRotationStatus

For more information, refer to the AWS KMS documentation.

AWS Certificate Manager (ACM)

For certificate discovery, AQG interacts with the ACM service.

  • acm:GetCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

For more information, refer to the AWS ACM documentation.

AWS Secrets Manager

AQG uses the following APIs to discover and inventory secrets stored in AWS Secrets Manager.

  • secretsmanager:ListSecrets
  • secretsmanager:DescribeSecret

For more information, refer to the AWS Secrets Manager documentation.

AWS Systems Manager (SSM)

AQG discovers and inventories SSM Parameters, which are treated as secrets.

  • ssm:DescribeParameters
  • ssm:ListTagsForResource

For more information, refer to the AWS SSM documentation.

AWS reference for AI-SPM

This section details the AWS services and API permissions AQG interacts with to ingest AI-SPM data.

For details on how AQG discovers and inventories these assets, refer to AI-SPM ingestion and data.

Amazon Bedrock

AQG discovers AI models, deployments, guardrails, agents, and action groups from the Amazon Bedrock service.

  • bedrock:ListProvisionedModelThroughputs
  • bedrock:GetProvisionedModelThroughput
  • bedrock:GetFoundationModel
  • bedrock:ListCustomModelDeployments
  • bedrock:GetCustomModelDeployment
  • bedrock:GetCustomModel
  • bedrock:ListImportedModels
  • bedrock:GetImportedModel
  • bedrock:GetGuardrail
  • bedrock:ListAgents
  • bedrock:GetAgent
  • bedrock:ListAgentActionGroups
  • bedrock:GetAgentActionGroup
  • bedrock:ListTagsForResource

For more information, refer to the Amazon Bedrock documentation.

Amazon SageMaker

AQG discovers AI endpoints and their deployed models from the Amazon SageMaker service.

  • sagemaker:ListEndpoints
  • sagemaker:DescribeEndpoint
  • sagemaker:DescribeEndpointConfig
  • sagemaker:DescribeModel
  • sagemaker:ListTags

For more information, refer to the Amazon SageMaker AI documentation.

Amazon Lex V2

AQG discovers conversational AI bots from the Amazon Lex V2 service.

  • lexv2:ListBots
  • lexv2:DescribeBot
  • lexv2:ListBotLocales
  • lexv2:ListIntents
  • lexv2:ListTagsForResource

For more information, refer to the Amazon Lex V2 documentation.
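The two permission lists above (CPM and AI-SPM) are the data a reviewer most often wants to compare against what the deployed integration role actually grants. The following is an added example, written for this page and not AQtive Guard's own code or its CloudFormation template: it takes an IAM policy document and the action names exactly as listed on this page, and reports wildcard grants, actions the page does not document (for example, a statement that also grants secretsmanager:GetSecretValue, which would let the role read secret values rather than only describe them), and documented actions that are missing. The sample policy is constructed for the example, the wildcard matching is a case-insensitive glob approximation of IAM's `*`/`?` semantics, Deny statements are ignored, and nothing here calls AWS.

```python
"""Least-privilege check for a read-only discovery role (added example).

Compares an IAM policy document with the action names listed on this page.
Constructed sample data; no AWS API calls are made.
"""
import fnmatch
import json

# Action names exactly as listed on this page, grouped by product area.
CPM_ACTIONS = {
    "sts:GetCallerIdentity",
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey",
    "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "acm:GetCertificate", "acm:ListCertificates", "acm:DescribeCertificate",
    "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
    "ssm:DescribeParameters", "ssm:ListTagsForResource",
}
AI_SPM_ACTIONS = {
    "bedrock:ListProvisionedModelThroughputs", "bedrock:GetProvisionedModelThroughput",
    "bedrock:GetFoundationModel", "bedrock:ListCustomModelDeployments",
    "bedrock:GetCustomModelDeployment", "bedrock:GetCustomModel",
    "bedrock:ListImportedModels", "bedrock:GetImportedModel",
    "bedrock:GetGuardrail", "bedrock:ListAgents", "bedrock:GetAgent",
    "bedrock:ListAgentActionGroups", "bedrock:GetAgentActionGroup",
    "bedrock:ListTagsForResource",
    "sagemaker:ListEndpoints", "sagemaker:DescribeEndpoint",
    "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:ListTags",
    "lexv2:ListBots", "lexv2:DescribeBot", "lexv2:ListBotLocales",
    "lexv2:ListIntents", "lexv2:ListTagsForResource",
}
EXPECTED = CPM_ACTIONS | AI_SPM_ACTIONS


def allowed_actions(policy):
    """Collect every action granted by Allow statements (Deny statements are ignored)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be given as an object
        stmts = [stmts]
    actions = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def audit_policy(policy, expected=EXPECTED):
    """Return wildcard grants, undocumented actions, and documented actions not covered."""
    granted = allowed_actions(policy)
    findings = {"wildcards": set(), "unexpected": set(), "missing": set()}
    for action in granted:
        if "*" in action or "?" in action:
            findings["wildcards"].add(action)   # broader than the documented list
        elif action not in expected:
            findings["unexpected"].add(action)  # not needed by the integration
    # IAM action matching is case-insensitive; fnmatch approximates its */? globbing.
    covered = {e for e in expected
               if any(fnmatch.fnmatchcase(e.lower(), g.lower()) for g in granted)}
    findings["missing"] = expected - covered
    return findings


def least_privilege_policy(actions=EXPECTED):
    """Build a policy that grants exactly the documented actions and nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


# Constructed sample: one wildcard and one undocumented action slipped in.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:GetCallerIdentity", "kms:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": [
            "acm:GetCertificate", "acm:ListCertificates", "acm:DescribeCertificate",
            "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
            "secretsmanager:GetSecretValue",   # reads secret values; not on this page
            "ssm:DescribeParameters", "ssm:ListTagsForResource"], "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(AI_SPM_ACTIONS), "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, items in audit_policy(SAMPLE_POLICY).items():
        print(f"{name}: {sorted(items)}")
    print(json.dumps(least_privilege_policy(), indent=2))
```

Running the module audits the constructed sample (expect `kms:*` under wildcards and `secretsmanager:GetSecretValue` under unexpected, with nothing missing) and then prints the tightened policy, which audits clean. To check a real role, load the policy JSON returned by the IAM console or CLI into `audit_policy` in place of `SAMPLE_POLICY`.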