# AWS

Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers both methods and best practices for integrating your AWS account with Firefly.

## Overview

The integration creates a cross-account IAM role with read-only access (security audit permissions) to your resources. The integration may also set up Amazon SNS notifications so that tfstate files can be scanned in an event-driven manner.

## Best Practices

1. Use a dedicated AWS account (or at least a separate IAM role) for Firefly's access.
2. Grant only the minimum read permissions (Firefly's provided template covers what's needed).
3. Monitor the Firefly integration user/role in AWS to ensure it's not being used elsewhere.
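One way to act on best practice 3 is to check CloudTrail for `AssumeRole` calls on the Firefly role that do not originate from Firefly's own account. The example below is added here and is not Firefly's code; the account ID, role ARN and log records are constructed placeholders.

```python
"""Flag AssumeRole calls on the Firefly read-only role made by anyone other
than the expected Firefly account. Added example; values are placeholders."""

FIREFLY_ACCOUNT_ID = "111111111111"  # placeholder: the account Firefly calls from
ROLE_ARN = "arn:aws:iam::222222222222:role/FireflyReadOnlyRole"  # placeholder


def unexpected_assumptions(events):
    """Return AssumeRole records on ROLE_ARN whose caller is not Firefly.

    `events` is an iterable of CloudTrail records (dicts). A cross-account
    AssumeRole shows the caller's account in userIdentity.accountId and the
    target role in requestParameters.roleArn.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com":
            continue
        if ev.get("eventName") != "AssumeRole":
            continue
        if (ev.get("requestParameters") or {}).get("roleArn") != ROLE_ARN:
            continue
        caller = ev.get("userIdentity") or {}
        if caller.get("accountId") != FIREFLY_ACCOUNT_ID:
            hits.append({
                "time": ev.get("eventTime"),
                "caller_account": caller.get("accountId"),
                "caller_arn": caller.get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return hits


# Constructed sample records in CloudTrail's shape, not real log data.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AWSAccount", "accountId": FIREFLY_ACCOUNT_ID},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "firefly"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                      "arn": "arn:aws:iam::333333333333:user/contractor"},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "manual"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accountId": "333333333333"},
     "requestParameters": {"bucketName": "example-bucket"}},
]

if __name__ == "__main__":
    for hit in unexpected_assumptions(SAMPLE_EVENTS):
        print("unexpected AssumeRole:", hit)
```

In practice, feed it records exported from CloudTrail (or a CloudTrail Lake query) for the role's account; the same filter can be expressed as a CloudWatch metric filter for alerting.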

## Integration Methods

### Using CloudFormation

Firefly offers two CloudFormation integration options:

* **Single Account Integration**: Use CloudFormation to integrate individual AWS accounts.
* **AWS Organization Integration**: Use CloudFormation StackSet to integrate multiple accounts across your AWS Organization.

You can download and review the template here: <https://infralight-templates-public.s3.amazonaws.com/config_template.yml>

#### Setup Procedure

1. Log in to AWS with permissions for CloudFormation and IAM.
2. Copy your AWS account ID from the AWS console.
3. In Firefly, go to **Settings > Integrations**.
4. Select **Add New > AWS**.
5. Select **Single Account Integration CloudFormation** or **AWS Organization CloudFormation**.
6. Paste your AWS account ID.
7. Select **Launch Stack**.

## Updating StackSet Template

If you're using AWS Organization integration with CloudFormation StackSet, follow these steps to update the template:

1. Log in to the management account AWS console.
2. Navigate to **CloudFormation > StackSets**.
3. Select **firefly-readonly-stackset**.
4. **Save your current configuration**: Copy and save the current target OU IDs in a note for reference.
5. Click **Actions > Edit StackSet details**.

### Wizard Page - Step 1: Choose a template

* Under **Prerequisite - Prepare template**, select **Replace current template**.
* In the **Amazon S3 URL** field, paste: `https://infralight-templates-public.s3.amazonaws.com/config_template.yml`
* Click **Next**.

### Wizard Page - Step 2: Specify StackSet details

* Keep all settings the same.
* Click **Next**.

### Wizard Page - Step 3: Configure StackSet options

* Under **Capabilities**, check **I acknowledge...**.
* Click **Next**.

### Wizard Page - Step 4: Set deployment options

* **Organizational units (OUs)**: Enter the same AWS OU IDs you saved in step 4.
* **Specify Regions**: Select the same region(s) as before.
* **Deployment options**:
  * **Maximum concurrent accounts**: Change to **Percentage** with value **100**.
  * **Concurrency mode**: Select **Soft failure tolerance**.
* Click **Next**.
* Review and click **Submit** to complete the update.

## AWS Discovery Status

To scan your integration for changes:

1. Go to **Settings > Integrations > AWS**.
2. Find the integration you want to scan.
3. For asset changes, on the integration menu, select **Scan Assets**.
4. For IaC stack changes, on the integration menu, select **Scan Stacks**.
5. View changes in the Inventory and/or IaC Explorer after several minutes.
