# AWS

Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers both methods and best practices for integrating your AWS account with Firefly.

## Integration Methods

The integration creates a cross-account IAM role with read-only access (security audit permissions) to your resources. It may also set up Amazon SNS notifications for event-driven scanning of tfstate files.

## Best Practices

1. Use a dedicated AWS account (or at least a separate IAM role) for Firefly's access.
2. Grant only the minimum read permissions (Firefly's provided template covers what's needed).
3. Monitor the Firefly integration user/role in AWS to ensure it's not being used elsewhere.

## Integration Methods

### Using CloudFormation

Firefly offers two CloudFormation integration options:

* **Single Account Integration**: Use CloudFormation to integrate individual AWS accounts.
* **AWS Organization Integration**: Use CloudFormation StackSet to integrate multiple accounts across your AWS Organization.

You can download and review the template here: <https://infralight-templates-public.s3.amazonaws.com/config_template.yml>
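One way to review a template before launching the stack is to list which principals each IAM role trusts and flag allowed actions that are not read-style. This is an added example, not Firefly's code. It assumes the template has been converted to JSON; the read-only prefix list, the sample template and the account ID `111122223333` are constructed for illustration.

```python
import json

# Prefixes treated as read-only: an assumption of this example, not an AWS definition.
READ_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def non_read_actions(policy_document):
    """Return Allow-ed actions that do not look read-only (wildcards included)."""
    flagged = []
    for stmt in as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            flagged.append("NotAction")
        for action in as_list(stmt.get("Action")):
            name = str(action).split(":", 1)[-1].lower()
            if not name.startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged

def review_template(template):
    """Summarise every AWS::IAM::Role: who may assume it and what stands out."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        principals = []
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            p = stmt.get("Principal", {})
            principals += as_list(p.get("AWS")) if isinstance(p, dict) else [p]
        flagged = []
        for pol in props.get("Policies", []):
            flagged += non_read_actions(pol.get("PolicyDocument", {}))
        report[logical_id] = {"trusted_principals": principals,
                              "managed_policies": props.get("ManagedPolicyArns", []),
                              "non_read_actions": flagged}
    return report

# Constructed sample (JSON form), not the contents of Firefly's template.
SAMPLE = json.loads("""{"Resources": {"ExampleRole": {"Type": "AWS::IAM::Role", "Properties": {
  "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
  "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
  "Policies": [{"PolicyName": "extra", "PolicyDocument": {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:List*", "s3:PutObject", "kms:*"], "Resource": "*"}]}}]}}}}""")
```

Managed policies are only listed, not expanded, so review what each attached ARN grants separately.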

#### Setup Procedure

1. Log in to AWS with permissions for CloudFormation and IAM.
2. Copy your AWS account ID from the AWS console.
3. In Firefly, go to **Settings > Integrations**.
4. Select **Add New > AWS**.
5. Select **Single Account Integration CloudFormation** or **AWS Organization CloudFormation**.
6. Paste your AWS account ID.
7. Select **Launch Stack**.

## Updating StackSet Template

If you're using AWS Organization integration with CloudFormation StackSet, follow these steps to update the template:

1. Log in to the management account AWS console.
2. Navigate to **CloudFormation > StackSets**.
3. Select **firefly-readonly-stackset**.
4. **Save your current configuration**: Copy and save the current target OU IDs in a note for reference.
5. Click **Actions > Edit StackSet details**.

### Wizard Page - Step 1: Choose a template

* Under **Prerequisite - Prepare template**, select **Replace current template**.
* In the **Amazon S3 URL** field, paste: `https://infralight-templates-public.s3.amazonaws.com/config_template.yml`
* Click **Next**.

### Wizard Page - Step 2: Specify StackSet details

* Keep all settings the same.
* Click **Next**.

### Wizard Page - Step 3: Configure StackSet options

* Under **Capabilities**, check **I acknowledge...**.
* Click **Next**.

### Wizard Page - Step 4: Set deployment options

* **Organizational units (OUs)**: Enter the same AWS OU IDs you saved in step 4.
* **Specify Regions**: Select the same region(s) as before.
* **Deployment options**:
  * **Maximum concurrent accounts**: Change to **Percentage** with value **100**.
  * **Concurrency mode**: Select **Soft failure tolerance**.
* Click **Next**.
* Review and click **Submit** to complete the update.

## AWS Discovery Status

To scan your integration for changes:

1. Go to **Settings > Integrations > AWS**.
2. Find the integration you want to scan.
3. For asset changes, on the integration menu, select **Scan Assets**.
4. For IaC stack changes, on the integration menu, select **Scan Stacks**.
5. View changes in the Inventory and/or IaC Explorer after several minutes.


