AWS
Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers both methods and best practices for integrating your AWS account with Firefly.
When integrating an AWS account, you have two primary methods: CloudFormation (launch a stack that Firefly generates for you) or Terraform (apply the Terraform code that Firefly generates for you).
Both methods create a cross-account IAM role with read-only (security-audit) permissions on your resources. The integration can also set up Amazon SNS notifications so that Terraform state (tfstate) files are scanned as soon as they change (event-driven scanning).
Use a dedicated AWS account (or at least a separate IAM role) for Firefly's access
Grant only the minimum read permissions (the template Firefly provides grants what it needs; do not attach additional policies to the role)
Monitor use of the Firefly integration user/role in AWS, for example through CloudTrail, to ensure nothing other than Firefly is assuming it
Consider enabling Event-Driven Mode for quick detection of drift and changes
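The last two recommendations are easiest to act on with a small audit of the role once it exists. The script below is an added example, not Firefly's template or tooling. It assumes that the role name and the account ID Firefly assumes the role from are visible in the Firefly integration settings or in the template that created the role, that the read-only access is granted through the AWS managed SecurityAudit policy (the page only says "security audit permissions", so any other managed policy the template attaches is reported for review rather than failing the check), and that the aws CLI is configured for the audited account. The sample policy documents are constructed so the checks can be exercised offline; the account ID 111111111111 is a placeholder.

```shell
#!/usr/bin/env sh
# Added example (not Firefly's template or tooling): audit the cross-account
# role the integration created. Assumptions, all from the reader's own setup:
#   - the role name and the account ID Firefly assumes it from (plus the
#     external ID) are visible in the Firefly integration settings/template;
#   - read-only access is granted via the AWS managed SecurityAudit policy,
#     which the page describes as "security audit permissions";
#   - the aws CLI is configured for the audited (your) account.

# trust_policy_ok <trust-policy JSON> <trusted-account-id>
# Succeeds only when the role can be assumed solely from the given account and
# only with an external ID. Whitespace is stripped first so pretty-printed CLI
# output and compact JSON are treated alike.
trust_policy_ok() {
    flat=$(printf '%s' "$1" | tr -d ' \n\t\r')
    acct=$2
    # a wildcard principal would let any AWS account assume the role
    case "$flat" in *'"AWS":"*"'*|*'"Principal":"*"'*) return 1 ;; esac
    # every account-scoped ARN in the policy must belong to the trusted account
    others=$(printf '%s' "$flat" | grep -o 'arn:aws:iam::[0-9]\{12\}' | grep -v "::$acct\$" || true)
    [ -z "$others" ] || return 1
    printf '%s' "$flat" | grep -q "arn:aws:iam::$acct:" || return 1
    # the external ID condition stops a third party from tricking Firefly's
    # account into assuming your role (the confused-deputy case)
    printf '%s' "$flat" | grep -q '"sts:ExternalId":"[^"]\{1,\}"' || return 1
}

# unexpected_policies <list-attached-role-policies JSON> <allowed policy-name ERE>
# Prints each attached managed-policy ARN whose name is not on the allowlist.
unexpected_policies() {
    printf '%s' "$1" | tr -d ' \n\t\r' | grep -o '"PolicyArn":"[^"]*"' \
        | sed 's/"PolicyArn":"\(.*\)"/\1/' | grep -Ev ":policy/($2)\$" || true
}

# audit_role <role-name> <trusted-account-id>: run the checks against the live role
audit_role() {
    role=$1; acct=$2
    trust=$(aws iam get-role --role-name "$role" --query Role.AssumeRolePolicyDocument --output json) || return 1
    if trust_policy_ok "$trust" "$acct"; then
        echo "trust policy OK: only account $acct, with an external ID, can assume $role"
    else
        echo "WARNING: trust policy of $role is weaker than expected:"; echo "$trust"; return 1
    fi
    attached=$(aws iam list-attached-role-policies --role-name "$role" --output json) || return 1
    extra=$(unexpected_policies "$attached" SecurityAudit)
    [ -z "$extra" ] || printf 'review these managed policies beyond SecurityAudit:\n%s\n' "$extra"
    # inline policies are not covered above; list them for manual review
    aws iam list-role-policies --role-name "$role" --output text
    # who actually assumed the role recently (requires CloudTrail, as event-driven mode does)
    arn=$(aws iam get-role --role-name "$role" --query Role.Arn --output text)
    aws cloudtrail lookup-events --lookup-attributes "AttributeKey=ResourceName,AttributeValue=$arn" \
        --max-results 20 --query 'Events[].[EventTime,EventName,Username]' --output table
}

# Constructed sample documents so the checks can be exercised offline.
# 111111111111 is a placeholder for the account Firefly assumes the role from.
SAMPLE_TRUST_OK='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}'
SAMPLE_TRUST_WEAK='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole"}]}'
SAMPLE_ATTACHED='{"AttachedPolicies":[{"PolicyName":"SecurityAudit","PolicyArn":"arn:aws:iam::aws:policy/SecurityAudit"},{"PolicyName":"AdministratorAccess","PolicyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}]}'

# Live run: sh audit_firefly_role.sh audit <role-name> <firefly-account-id>
case "${1:-}" in audit) audit_role "$2" "$3" ;; esac
```

The trust-policy check is the important one: a role that trusts the right account but has no sts:ExternalId condition is assumable by anyone who can get that account to call AssumeRole on their behalf. The CloudTrail lookup at the end is what "monitor the role" means in practice; it only returns data once CloudTrail is enabled, which event-driven mode requires anyway.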
Terraform v0.13 or later
AWS CLI installed and configured
An IAM user or role with permissions to create the IAM role and policies that the generated Terraform code defines
The AWS region(s) you want Firefly to scan
To verify prerequisites, run:
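As an added example, not a script from Firefly's documentation, the following POSIX shell script checks the prerequisites listed above: it parses the output of terraform version against the 0.13 minimum (comparing version fields numerically rather than as strings), confirms that the aws CLI is present and has working credentials via sts get-caller-identity, and prints the configured region. The terraform and aws command names are the real CLIs; the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example (not a Firefly script): verify the prerequisites for the
# Terraform integration path. Assumes `terraform` and `aws` are on PATH and
# AWS credentials are already configured.

MIN_TF="0.13.0"   # minimum Terraform version listed in the prerequisites

# tf_version_ok "<output of `terraform version`>"
# Succeeds when the reported version is >= MIN_TF. Parses the first line,
# e.g. "Terraform v1.5.7", and compares major.minor.patch numerically so that
# 0.9 is not mistaken for being newer than 0.13 by a string comparison.
tf_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Terraform v\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    set -- $(printf '%s' "$ver" | tr '.' ' ') 0 0 0      # pad missing fields with 0
    ma=$1; mi=$2; pa=$3
    set -- $(printf '%s' "$MIN_TF" | tr '.' ' ') 0 0 0
    [ "$ma" -gt "$1" ] && return 0
    [ "$ma" -lt "$1" ] && return 1
    [ "$mi" -gt "$2" ] && return 0
    [ "$mi" -lt "$2" ] && return 1
    [ "$pa" -ge "$3" ]
}

# check_prereqs: run the live checks and report the identity and region the
# Firefly role would be created under.
check_prereqs() {
    command -v terraform >/dev/null 2>&1 || { echo "terraform not found on PATH"; return 1; }
    tf_version_ok "$(terraform version)" || { echo "Terraform $MIN_TF or later is required"; return 1; }
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not found on PATH"; return 1; }
    # Fails if credentials are missing or expired; the Arn shows which IAM
    # identity will be creating the cross-account role.
    aws sts get-caller-identity --output table || return 1
    echo "Region: ${AWS_REGION:-$(aws configure get region)}"
}

# Only run the live checks when invoked as: sh check_prereqs.sh check
case "${1:-}" in check) check_prereqs ;; esac
```

Running the identity check before terraform apply is worth the few seconds: the role and its trust policy will be created by whatever identity the CLI is currently using, and an expired session or the wrong profile is the usual reason the apply fails halfway through.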
In Firefly, go to Settings > Integrations
Select Add New > AWS > Terraform
Enter a descriptive name in the Integration Nickname field
(Optional) Enable Event-driven mode and select region(s)
(Optional) Configure S3 Event Notifications for TF State Files
Select Next
Copy the generated Terraform code into your Terraform configuration file
Run terraform apply (terraform init first if this is a new configuration) to create the role:
Select Done
Log in to the AWS account with permissions to create CloudFormation stacks and IAM roles
Copy your AWS account ID from the AWS console
In Firefly, go to Settings > Integrations
Select + Add New > AWS > CloudFormation
Paste your AWS account ID
Select Launch Stack
Event-driven mode ensures near real-time updates of your assets in the inventory. To use this feature:
Enable CloudTrail in your AWS account
Select Enable IaC Auto-Discovery to scan for new Terraform state files
(Optional) Set up S3 Event Notifications for Terraform State Files
Add these lines to your module call and run terraform apply:
Generate a Firefly access key and secret key (Settings > Users > Create key pair); treat them as secrets and supply them to Terraform through variables or environment variables rather than committing them to source control
Copy the external ID of the Firefly IAM role from the AWS console
Use the same integration nickname as in Firefly
Apply the following code:
To trigger a scan of the integration on demand and pick up changes:
Go to Settings > Integrations > AWS
Select your integration
For asset changes:
Go to the Assets card
Select Scan now
For IaC stack changes:
Go to the Stacks card
Select Scan now
View changes in the Inventory and/or IaC Explorer after several minutes