Connecting AWS
Amnify supports two methods for connecting your AWS environment:
| Method | Best for |
|---|---|
| Static Credentials | Simple setups where the IAM user has direct read access |
| Assume Role | Cross-account scanning, least-privilege setups, or when you prefer short-lived credentials |
Both methods require an IAM user with an access key. The difference is whether Amnify scans directly with that user's permissions, or uses the user to assume a role in the target account.
Method 1: Static Credentials
Use this when your IAM user has the scanning permissions attached directly.
Prerequisites
- An AWS account with permission to create IAM users
- The following values ready:
  - Access Key ID — a 20-character alphanumeric key (e.g., AKIAIOSFODNN7EXAMPLE)
  - Secret Access Key — the corresponding 40-character secret
Step 1: Create an IAM User
- Go to AWS Console → IAM → Users
- Click Create user
- Name it (e.g., amnify-scanner)
- Do not enable console access — this user only needs programmatic access
Step 2: Attach Read-Only Policies
Attach the following managed policies to the user:
- In the user's Permissions tab, click Add permissions → Attach policies directly
- Search for and attach:
- SecurityAudit
- ViewOnlyAccess
These two AWS managed policies together provide the read-only access needed for comprehensive security scanning, and AWS keeps them current as new services appear. Amnify does not require write access to your AWS resources.
Step 3: Create Access Keys
- In the user's Security credentials tab, click Create access key
- Select Third-party service as the use case
- Copy both the Access Key ID and Secret Access Key — the secret won't be shown again
Step 4: Add the Integration in Amnify
- Navigate to Integrations and click Create integration
- Select AWS as the provider
- Choose Static Credentials as the authentication method
- Fill in:
- Display Name (optional) — a friendly label
- Access Key ID — the 20-character key
- Secret Access Key — the secret value
- Click Next
- Toggle on the accounts you want to scan
- Click Finish
Method 2: Assume Role
Use this when you want Amnify to assume a role in the target AWS account. This is the recommended approach for production environments because:
- The scanning role uses short-lived temporary credentials
- The IAM user only needs sts:AssumeRole permission — no direct access to resources
- You can scan accounts other than the one the IAM user lives in (cross-account)
The IAM user's long-lived access key is still the root of trust for the whole chain, so rotate it on a schedule and grant that user nothing beyond sts:AssumeRole on the scanning role.
Prerequisites
- An AWS account with permission to create IAM users and roles
- The following values ready after completing the steps below:
- Access Key ID and Secret Access Key of the IAM user
  - Role ARN of the scanning role (e.g., arn:aws:iam::123456789012:role/AmnifyProwlerScanRole)
  - External ID (optional, if configured in the role's trust policy)
Step 1: Create an IAM User
- Go to AWS Console → IAM → Users
- Click Create user and name it (e.g., amnify-scanner)
- Do not enable console access
Step 2: Create Access Keys for the User
- In the user's Security credentials tab, click Create access key
- Copy both the Access Key ID and Secret Access Key
Step 3: Create the Scanning Role
Create an IAM role in the target AWS account that the IAM user will assume:
- Go to AWS Console → IAM → Roles → Create role
- Select Custom trust policy and use:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CALLER_ACCOUNT_ID:user/amnify-scanner"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Replace CALLER_ACCOUNT_ID with the AWS account ID where the IAM user lives.
- Name the role (e.g., AmnifyProwlerScanRole)
- Leave Maximum session duration at the default (1 hour). If you have a very large AWS account where scans may exceed 1 hour, increase it to 2 hours (7200 seconds) or more so the temporary credentials do not expire mid-scan. AWS allows at most 12 hours (43200 seconds) for a role.
To add an extra layer of security, you can require an External ID in the trust policy. This guards against the confused-deputy problem: the role can then only be assumed by a caller that also presents the agreed value, even if someone else learns the role ARN. Add a Condition block to the statement, next to "Action":

```json
"Condition": {
  "StringEquals": {
    "sts:ExternalId": "your-chosen-external-id"
  }
}
```

Choose a long random value rather than something guessable such as your account name. If you add this condition, you must provide the same External ID when creating the integration in Amnify; otherwise the assume-role call is denied.
Step 4: Attach Scan Permissions to the Role
Attach these managed policies to the role:
- SecurityAudit
- ViewOnlyAccess
Step 5: Grant the IAM User Permission to Assume the Role
Attach an inline policy to the IAM user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::TARGET_ACCOUNT_ID:role/AmnifyProwlerScanRole"
    }
  ]
}
```
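The AWS-side steps of both methods (the user and access key from Method 1, Steps 1 to 3, and the role, policies and assume-role grant from Method 2, Steps 3 to 5) done with the AWS CLI instead of the console. This is an added example script, not Amnify's own tooling; it assumes AWS CLI v2, an administrative session (selected with AWS_PROFILE) in whichever account each subcommand targets, and that the user name, role name, inline policy name, account IDs and External ID are placeholders you replace.

```shell
#!/usr/bin/env bash
# Added example: provisions the IAM user, access key, scanning role and
# assume-role grant from this page with the AWS CLI. Not Amnify's own code.
# Assumes AWS CLI v2 and an admin session in the account each subcommand
# targets; names, account IDs and the External ID are placeholders.
set -eu

SCANNER_USER="${SCANNER_USER:-amnify-scanner}"
SCAN_ROLE="${SCAN_ROLE:-AmnifyProwlerScanRole}"
# ARNs of the two AWS managed policies the page attaches by name.
SECURITY_AUDIT_ARN="arn:aws:iam::aws:policy/SecurityAudit"
VIEW_ONLY_ARN="arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"

# Trust policy for the scanning role (Method 2, Step 3), printed to stdout.
# $1 caller account id, $2 IAM user name, $3 External ID (empty = no condition).
trust_policy() {
  local caller_account="$1" user="$2" external_id="${3:-}" condition=""
  if [ -n "$external_id" ]; then
    condition=",
      \"Condition\": { \"StringEquals\": { \"sts:ExternalId\": \"$external_id\" } }"
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${caller_account}:user/${user}" },
      "Action": "sts:AssumeRole"${condition}
    }
  ]
}
EOF
}

# Inline policy for the IAM user (Method 2, Step 5). $1 = scanning role ARN.
assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "$1" }
  ]
}
EOF
}

# Method 1 Steps 1 and 3 (also Method 2 Steps 1 and 2): a user with no console
# login profile and one access key. The secret is printed exactly once; paste
# it into Amnify and keep it in a secrets manager, never in git.
create_scanner_user() {
  aws iam create-user --user-name "$SCANNER_USER" >/dev/null
  aws iam create-access-key --user-name "$SCANNER_USER" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Method 1, Step 2: read-only managed policies directly on the user.
attach_read_only_to_user() {
  for arn in "$SECURITY_AUDIT_ARN" "$VIEW_ONLY_ARN"; do
    aws iam attach-user-policy --user-name "$SCANNER_USER" --policy-arn "$arn"
  done
}

# Method 2, Steps 3 and 4, run with credentials for the TARGET account.
# $1 caller account id, $2 External ID (or ""), $3 max session seconds (3600-43200).
create_scan_role() {
  local doc; doc="$(mktemp)"
  trust_policy "$1" "$SCANNER_USER" "${2:-}" > "$doc"
  aws iam create-role --role-name "$SCAN_ROLE" \
    --assume-role-policy-document "file://$doc" \
    --max-session-duration "${3:-3600}" >/dev/null
  for arn in "$SECURITY_AUDIT_ARN" "$VIEW_ONLY_ARN"; do
    aws iam attach-role-policy --role-name "$SCAN_ROLE" --policy-arn "$arn"
  done
  rm -f "$doc"
}

# Method 2, Step 5, run with credentials for the CALLER account. $1 = target account id.
grant_assume_role() {
  local doc; doc="$(mktemp)"
  assume_role_policy "arn:aws:iam::$1:role/$SCAN_ROLE" > "$doc"
  aws iam put-user-policy --user-name "$SCANNER_USER" \
    --policy-name AmnifyAssumeScanRole --policy-document "file://$doc"
  rm -f "$doc"
}

# Usage (record the External ID you pass; Amnify needs the same value):
#   AWS_PROFILE=caller ./amnify-iam.sh user      # prints AccessKeyId SecretAccessKey
#   AWS_PROFILE=caller ./amnify-iam.sh static    # Method 1 only
#   AWS_PROFILE=target ./amnify-iam.sh role 111111111111 "$(openssl rand -hex 16)" 7200
#   AWS_PROFILE=caller ./amnify-iam.sh grant 222222222222
case "${1:-}" in
  user)   create_scanner_user ;;
  static) attach_read_only_to_user ;;
  role)   create_scan_role "${2:?caller account id}" "${3:-}" "${4:-3600}" ;;
  grant)  grant_assume_role "${2:?target account id}" ;;
  *)      : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Run the `role` subcommand against the target account and `user`, `static` and `grant` against the account that owns the IAM user; the trust policy and the user's inline policy each name the other side's account ID, so the two halves must agree or the assume-role call fails with AccessDenied.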
Step 6: Add the Integration in Amnify
- Navigate to Integrations and click Create integration
- Select AWS as the provider
- Choose Assume Role as the authentication method
- Fill in:
- Display Name (optional)
- Access Key ID — the IAM user's key
- Secret Access Key — the IAM user's secret
- Role ARN — the full ARN of the scanning role
- External ID — only if your trust policy requires it
- Click Next — Amnify validates by assuming the role
- Toggle on the accounts you want to scan
- Click Finish
What Happens Next
Once connected, you can:
- Run a scan against your AWS accounts
- Set up a schedule for automatic scanning
- View results on the Dashboard
- Use the connection for Deployments to provision infrastructure in the connected account (this needs write permissions beyond the read-only SecurityAudit and ViewOnlyAccess policies attached above)
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| No accounts discovered | IAM user lacks permissions | Verify SecurityAudit policy is attached (static) or the role has it (assume role) |
| Authentication failed | Incorrect credentials | Verify Access Key ID and Secret Access Key |
| AccessDenied on AssumeRole | Trust policy mismatch | Verify the role's trust policy references the correct IAM user ARN |
| "Roles may not be assumed by root accounts" | Using root credentials | Create a dedicated IAM user — root accounts cannot assume roles |
| External ID mismatch | ExternalId in trust policy doesn't match | Ensure the External ID in Amnify matches the one in the role's Condition block |
| Session expired during scan | Scan ran longer than the role's Maximum session duration | Increase the role's Maximum session duration (e.g., to 2 hours / 7200 seconds) for large accounts |
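The same validation Amnify performs at "Click Next", reproduced from the shell so the rows above can be told apart before retrying in Amnify. This is an added example and not part of Amnify; it assumes AWS CLI v2, that the scanner user's access key is in the environment, and placeholder role ARN and External ID values. It goes a little beyond the table by also testing a session length up front, which catches a role whose Maximum session duration is too short for the scan.

```shell
#!/usr/bin/env bash
# Added example (not Amnify's code): reproduces the Assume Role validation with
# the AWS CLI and maps the STS error text to the troubleshooting table above.
# Assumes AWS CLI v2; the role ARN and External ID are placeholders.
set -eu

# Root user ARNs look like arn:aws:iam::123456789012:root; roles cannot be
# assumed with them ("Roles may not be assumed by root accounts").
caller_is_root() {
  case "$1" in
    arn:aws:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# Map STS error text to a cause from the table. A trust-policy mismatch, a
# wrong External ID and a missing sts:AssumeRole grant on the user all
# surface as the same AccessDenied; STS does not say which one failed.
classify_sts_error() {
  case "$1" in
    *"Roles may not be assumed by root accounts"*)     echo root-credentials ;;
    *"is not authorized to perform: sts:AssumeRole"*)  echo trust-policy-external-id-or-user-policy ;;
    *InvalidClientTokenId*|*SignatureDoesNotMatch*)    echo bad-access-key ;;
    *"exceeds the MaxSessionDuration"*)                echo duration-exceeds-role-max ;;
    *ExpiredToken*)                                    echo session-expired ;;
    *)                                                 echo unknown ;;
  esac
}

# Live checks, run with the scanner user's access key in the environment.
# $1 role ARN, $2 External ID (optional), $3 session length to test in seconds
# (default 3600; pass the length your scans actually need).
diagnose_assume_role() {
  local role_arn="$1" external_id="${2:-}" duration="${3:-3600}" caller err
  caller="$(aws sts get-caller-identity --query Arn --output text)"
  echo "caller: $caller"
  if caller_is_root "$caller"; then
    echo "root credentials in use; create a dedicated IAM user"
    return 1
  fi
  # Readable only when the role lives in the caller's own account; otherwise
  # check the trust policy and Maximum session duration in the target account.
  aws iam get-role --role-name "${role_arn##*/}" \
    --query '[Role.MaxSessionDuration, Role.AssumeRolePolicyDocument]' \
    --output json 2>/dev/null \
    || echo "role not readable from this account; verify its trust policy in the target account"
  set -- aws sts assume-role --role-arn "$role_arn" \
    --role-session-name amnify-check --duration-seconds "$duration"
  if [ -n "$external_id" ]; then
    set -- "$@" --external-id "$external_id"
  fi
  # Capture stderr (the error text) and discard the temporary credentials.
  if err="$("$@" 2>&1 >/dev/null)"; then
    echo "assume-role ok for ${duration}s"
  else
    echo "assume-role failed: $(classify_sts_error "$err")"
    echo "$err"
    return 1
  fi
}

# Usage:
#   diagnose_assume_role arn:aws:iam::222222222222:role/AmnifyProwlerScanRole my-external-id 7200
```

If `diagnose_assume_role` reports `duration-exceeds-role-max`, raise the role's Maximum session duration before the first scan rather than after a session expires mid-run; if it reports `trust-policy-external-id-or-user-policy`, check all three in turn, because STS returns the same AccessDenied for each.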