AWS Integration Setup

Connect your AWS account to enable automated scanning of IAM policies, S3 configurations, security groups, CloudTrail, and 30+ AWS services.

Updated March 2026 · 7 min read

Prerequisites

Before connecting AWS, ensure you have admin access to your AWS account and to ComplyWise. The integration uses a cross-account IAM role with least-privilege permissions. No credentials are stored directly — ComplyWise assumes the IAM role on-demand for each scan.

  • AWS account with administrative access for initial setup
  • ComplyWise admin role for integration configuration
  • AWS CLI or Console access for IAM role creation

Creating the IAM Role

ComplyWise connects to your AWS account via an IAM role with an external ID for secure cross-account access. Navigate to Settings → Integrations → AWS in the ComplyWise dashboard to retrieve your unique External ID and the trust policy JSON. Create an IAM role in your AWS account with the provided trust policy and attach the ComplyWise-managed permission policy.

  • Trust policy allows ComplyWise's AWS account to assume the role with your External ID
  • Permission policy grants read-only access to configuration data — no write permissions required
  • Covers IAM, S3, EC2, VPC, RDS, CloudTrail, Config, GuardDuty, KMS, and Lambda services
  • Custom policies available for Enterprise customers who need to restrict scope further
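The trust policy described above is what makes the External ID meaningful: it limits the role to one AWS account and to callers that present the ID ComplyWise shows you. The following is an added example, not ComplyWise's own code or the JSON from the dashboard. It builds that trust policy and then checks a policy document for the mistakes that typically cause an assume-role failure (wrong account, missing or mismatched sts:ExternalId, wildcard principal). The vendor account ID and External ID are constructed placeholders; substitute the values from Settings → Integrations → AWS.

```python
"""Build and sanity-check the cross-account trust policy for the ComplyWise role.

Added example, not ComplyWise's own code. COMPLYWISE_ACCOUNT_ID and EXTERNAL_ID
are constructed placeholders; the real values come from the ComplyWise dashboard.
"""
import json

COMPLYWISE_ACCOUNT_ID = "111111111111"   # hypothetical vendor account ID
EXTERNAL_ID = "cw-ext-EXAMPLE-0000"      # hypothetical External ID


def build_trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the vendor account assume the role, and only
    when the caller presents the matching External ID (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, vendor_account_id: str, external_id: str) -> list:
    """Return the problems found; an empty list means the policy is as expected.

    Flags the usual causes of an 'Access Denied' on assume-role: a principal that
    is not the vendor account, a wildcard principal, and a missing or wrong
    sts:ExternalId condition."""
    problems = []
    allow = [s for s in policy.get("Statement", [])
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    expected_principal = f"arn:aws:iam::{vendor_account_id}:root"
    for stmt in allow:
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            problems.append("principal is a wildcard: any AWS account could assume the role")
        elif expected_principal not in principals:
            problems.append(f"principal {principals} does not match the ComplyWise account {vendor_account_id}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            problems.append("no sts:ExternalId condition: the role is open to confused-deputy use")
        elif cond != external_id:
            problems.append(f"External ID {cond!r} does not match the one shown in ComplyWise")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(COMPLYWISE_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))            # redirect to trust.json
    print("problems:", check_trust_policy(policy, COMPLYWISE_ACCOUNT_ID, EXTERNAL_ID))
```

Redirect the printed JSON to a file and create the role with `aws iam create-role --role-name ComplyWiseReadOnly --assume-role-policy-document file://trust.json`, then attach the permission policy ComplyWise provides with `aws iam attach-role-policy --role-name ComplyWiseReadOnly --policy-arn <policy ARN from ComplyWise>`. The same check is worth running against an existing role's policy (`aws iam get-role`) before opening a support ticket, since it reproduces the trust-policy comparison that the platform's connectivity test exercises.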

Configuring the Integration

Once the IAM role is created, enter the Role ARN in the ComplyWise integration settings. The platform will perform a connectivity test by assuming the role and calling sts:GetCallerIdentity. If successful, the integration is marked as active and will be included in subsequent compliance scans.

  • Enter the full IAM Role ARN (e.g., arn:aws:iam::123456789012:role/ComplyWiseReadOnly)
  • Select which AWS regions to scan (default: all active regions)
  • Optional: choose specific services to include or exclude
  • Connectivity test verifies access before saving

What Gets Scanned

The AWS scanner evaluates configuration data across 30+ AWS services. It checks IAM policies for least-privilege adherence, S3 bucket policies for public access, security group rules for overly permissive ingress, CloudTrail configuration for logging coverage, KMS key policies, RDS encryption status, and more. Each finding is mapped to the corresponding compliance controls in your active frameworks.

  • IAM: users, roles, policies, MFA status, access key age, password policy
  • S3: bucket policies, encryption, public access blocks, versioning, logging
  • EC2/VPC: security groups, NACLs, flow logs, EBS encryption
  • CloudTrail: multi-region logging, log validation, S3 bucket configuration
  • RDS: encryption at rest, public accessibility, backup configuration
  • KMS: key rotation, key policies, grant management
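To make the kind of evaluation listed above concrete, here is an added example (not the ComplyWise scanner) that runs two of these checks over constructed sample data shaped like the EC2 describe-security-groups and S3 get-public-access-block responses: world-reachable ingress to sensitive ports, and buckets whose public access block is not fully enabled. The check IDs and the port list are hypothetical choices of this example.

```python
"""Two configuration checks of the kind the AWS scanner runs, over constructed data.

Added example, not ComplyWise's own code. Check IDs, the sensitive-port list and
the sample resources are all constructed for illustration.
"""

WORLD = {"0.0.0.0/0", "::/0"}
# Ports where world-open ingress is reported; 80/443 are deliberately excluded
# because public web listeners are usually intentional (hypothetical policy).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}


def _rule_cidrs(rule):
    return ({r["CidrIp"] for r in rule.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])})


def _rule_ports(rule):
    """Sensitive ports a rule exposes; IpProtocol -1 means all traffic, so all of them."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def check_security_groups(groups):
    """One finding per rule that allows ingress from the internet to a sensitive port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            exposed = _rule_ports(rule)
            if exposed and _rule_cidrs(rule) & WORLD:
                findings.append({
                    "check": "EC2_SG_OPEN_INGRESS",          # hypothetical check ID
                    "resource": sg["GroupId"],
                    "detail": f"ingress from the internet on ports {sorted(exposed)}",
                })
    return findings


def check_s3_public_access_block(buckets):
    """One finding per bucket whose PublicAccessBlockConfiguration is not fully enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    findings = []
    for name, cfg in buckets.items():
        missing = [k for k in required if not cfg.get(k, False)]
        if missing:
            findings.append({
                "check": "S3_PUBLIC_ACCESS_BLOCK",          # hypothetical check ID
                "resource": name,
                "detail": f"not set: {', '.join(missing)}",
            })
    return findings


# Constructed sample input (shape follows the AWS API responses, values are made up)
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
SAMPLE_BUCKETS = {
    "audit-logs-example": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "website-assets-example": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}


def scan(groups=SAMPLE_SGS, buckets=SAMPLE_BUCKETS):
    """Run both checks and return the combined findings list."""
    return check_security_groups(groups) + check_s3_public_access_block(buckets)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['check']:24} {f['resource']:24} {f['detail']}")
```

Against the sample data this reports two findings for sg-0bbb (SSH open to the world, and an all-traffic IPv6 rule) and one for the website bucket, while sg-0aaa's HTTPS listener and the internal-only SSH rule are left alone. Feeding real `aws ec2 describe-security-groups` output to `check_security_groups` works unchanged, because the function only reads the fields shown in the sample.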

Scan Frequency & Scheduling

By default, AWS scans run once daily at a configurable time. You can also trigger on-demand scans from the Scans page or via the API. Enterprise customers can configure real-time event-driven scanning via CloudTrail EventBridge integration, which triggers rescans within minutes of configuration changes.

  • Default: daily automated scan at your configured time
  • On-demand: trigger from dashboard or POST /api/scans/trigger
  • Enterprise: real-time via EventBridge for near-instant compliance verification
  • Scan history retained for trend analysis and audit evidence

Troubleshooting

If the connectivity test fails, verify that the IAM role's trust policy includes the correct External ID and ComplyWise account ID. Check that the permission policy is attached and covers the required services. Ensure no Service Control Policies (SCPs) in your AWS Organization are blocking sts:AssumeRole from the ComplyWise account.

  • Error: Access Denied — verify trust policy and External ID match
  • Error: Role not found — confirm the full ARN is entered correctly
  • Partial scan results — check that required services are enabled in the target regions
  • Slow scans — reduce region scope or service scope for faster completion