AWS

Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers the integration methods and the best practices for connecting your AWS account to Firefly.

Overview

The integration creates a cross-account IAM role with read-only access (security audit permissions) to your resources. The integration may also set up Amazon SNS notifications so that changes to Terraform state (tfstate) files trigger event-driven scanning.

Best Practices

  1. Use a dedicated AWS account (or at least a separate IAM role) for Firefly's access.

  2. Grant only the minimum read permissions (the template Firefly provides covers what is needed).

  3. Monitor the Firefly integration role in AWS (for example, through CloudTrail AssumeRole events) to ensure it is assumed only by Firefly and is not being used elsewhere.
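The following script is an added example for the third best practice; it is not Firefly's code. It runs over constructed CloudTrail records in the standard CloudTrail event format and flags every AssumeRole call on the integration role whose caller is not the expected Firefly account, including denied attempts. The role name, the Firefly account ID and your account ID are placeholders. In production, feed it the records returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole` or the CloudTrail objects delivered to S3.

```python
"""Flag AssumeRole activity on the Firefly integration role that does not
come from the expected Firefly account (added example, not Firefly's code)."""
import json

# Assumptions for the example: role name and account IDs are placeholders.
INTEGRATION_ROLE_NAME = "firefly-readonly-role"   # assumed role name
EXPECTED_CALLER_ACCOUNT = "111111111111"          # assumed Firefly account
YOUR_ACCOUNT = "222222222222"                     # constructed
ROLE_ARN = f"arn:aws:iam::{YOUR_ACCOUNT}:role/{INTEGRATION_ROLE_NAME}"


def _event(time, ident, role_arn, session, ip, error=None):
    """Build a constructed CloudTrail AssumeRole record."""
    ev = {
        "eventTime": time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": ident,
        "requestParameters": {"roleArn": role_arn, "roleSessionName": session},
        "sourceIPAddress": ip,
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: one normal Firefly call, two suspicious ones, one
# unrelated role, and one denied attempt from an unknown account.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z",
           {"type": "AWSAccount", "accountId": EXPECTED_CALLER_ACCOUNT},
           ROLE_ARN, "firefly-scan", "203.0.113.10"),
    _event("2024-05-01T11:00:00Z",
           {"type": "AWSAccount", "accountId": "333333333333"},
           ROLE_ARN, "unknown-session", "198.51.100.7"),
    _event("2024-05-01T12:00:00Z",
           {"type": "IAMUser", "accountId": YOUR_ACCOUNT, "userName": "alice"},
           ROLE_ARN, "alice-cli", "192.0.2.5"),
    _event("2024-05-01T13:00:00Z",
           {"type": "AWSAccount", "accountId": EXPECTED_CALLER_ACCOUNT},
           f"arn:aws:iam::{YOUR_ACCOUNT}:role/some-other-role", "x", "203.0.113.10"),
    _event("2024-05-01T14:00:00Z",
           {"type": "AWSAccount", "accountId": "444444444444"},
           ROLE_ARN, "probe", "198.51.100.9", error="AccessDenied"),
]


def assumed_role_arn(event):
    """Return the roleArn requested by an STS AssumeRole event, else None."""
    if event.get("eventSource") != "sts.amazonaws.com":
        return None
    if event.get("eventName") != "AssumeRole":
        return None
    return (event.get("requestParameters") or {}).get("roleArn")


def find_unexpected_assumptions(events, role_arn, expected_account):
    """Return a finding for every AssumeRole on role_arn whose caller is not
    the expected cross-account principal. Denied attempts are kept: a failed
    attempt from an unknown account is still worth reviewing."""
    findings = []
    for ev in events:
        if assumed_role_arn(ev) != role_arn:
            continue
        ident = ev.get("userIdentity", {})
        caller_account = ident.get("accountId")
        if caller_account == expected_account and ident.get("type") == "AWSAccount":
            continue  # the normal Firefly call pattern
        findings.append({
            "eventTime": ev.get("eventTime"),
            "callerAccount": caller_account,
            "callerType": ident.get("type"),
            "sessionName": (ev.get("requestParameters") or {}).get("roleSessionName"),
            "sourceIp": ev.get("sourceIPAddress"),
            "outcome": ev.get("errorCode", "Success"),
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_assumptions(SAMPLE_EVENTS, ROLE_ARN, EXPECTED_CALLER_ACCOUNT):
        print(json.dumps(f))
```

Anything the script prints is either a principal that should not have the role in its trust policy, or a person inside your own account using the integration role as a convenient read-only credential; both are what best practice 3 asks you to catch.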

Integration Methods

Using CloudFormation

Firefly offers two CloudFormation integration options:

  • Single Account Integration: Use CloudFormation to integrate individual AWS accounts.

  • AWS Organization Integration: Use CloudFormation StackSet to integrate multiple accounts across your AWS Organization.

You can download and review the template here: https://infralight-templates-public.s3.amazonaws.com/config_template.yml
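Before launching a stack that creates a cross-account role, it is worth checking in code what the template grants. The script below is an added example, not Firefly's template or code: it reviews a constructed CloudFormation template (JSON-shaped so that only the standard library is needed; the real template is YAML and would need a loader that understands CloudFormation's short-form tags) and reports, for every IAM role, which principals may assume it, whether the trust policy requires an sts:ExternalId, which managed policies are attached, and any inline-policy action that is not a read-only verb. The role, account ID and inline policy in the sample are constructed; whether Firefly's own template uses an external ID or inline policies is something to verify against the downloaded file.

```python
"""Review the IAM roles a CloudFormation template would create
(added example; the sample template is constructed, not Firefly's)."""
import json

# Constructed template for the example. The deliberate s3:PutObject grant
# is there so the review has something to flag.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Constructed sample, not Firefly's template",
  "Resources": {
    "FireflyReadOnlyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "firefly-readonly-role",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
        "Policies": [{
          "PolicyName": "tfstate-read",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
              {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}
            ]
          }
        }]
      }
    },
    "TfstateTopic": {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}
""")

# Action verbs treated as read-only for this review (heuristic).
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup", "Search", "View",
                   "Check", "Head", "Scan", "Query", "Select", "Simulate")


def as_list(value):
    """IAM documents allow a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Wildcards are never read-only; otherwise judge by the verb prefix."""
    if "*" in action:
        return False
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_VERBS)


def trusted_principals(trust_doc):
    """AWS principals allowed to assume the role."""
    out = []
    for stmt in as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            out.append(principal)
        else:
            out.extend(as_list(principal.get("AWS", [])))
    return out


def requires_external_id(trust_doc):
    """True if any trust statement conditions on sts:ExternalId."""
    for stmt in as_list(trust_doc.get("Statement", [])):
        for _op, keys in stmt.get("Condition", {}).items():
            if "sts:ExternalId" in keys:
                return True
    return False


def non_read_only_actions(policies):
    """Inline-policy actions that fail the read-only heuristic."""
    found = []
    for pol in policies:
        for stmt in as_list(pol["PolicyDocument"].get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            found.extend(a for a in as_list(stmt.get("Action", [])) if not is_read_only(a))
    return found


def review_template(template):
    """Map each AWS::IAM::Role logical ID to its review findings."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = props.get("AssumeRolePolicyDocument", {})
        report[logical_id] = {
            "role_name": props.get("RoleName"),
            "trusted_principals": trusted_principals(trust),
            "external_id_required": requires_external_id(trust),
            "managed_policies": props.get("ManagedPolicyArns", []),
            "non_read_only_actions": non_read_only_actions(props.get("Policies", [])),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

A quick complement that needs no parsing is `aws cloudformation get-template-summary --template-url <url>`, which lists the resource types and the IAM capabilities the template requires; the script above adds what that summary does not show, namely who can assume the role and what the inline policies allow.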

Setup Procedure

  1. Log in to the AWS console with permissions to create CloudFormation stacks and IAM roles.

  2. Copy your AWS account ID from the AWS console.

  3. In Firefly, go to Settings > Integrations.

  4. Select Add New > AWS.

  5. Select Single Account Integration CloudFormation or AWS Organization CloudFormation.

  6. Paste your AWS account ID.

  7. Select Launch Stack.

Updating StackSet Template

If you're using AWS Organization integration with CloudFormation StackSet, follow these steps to update the template:

  1. Log in to the management account AWS console.

  2. Navigate to CloudFormation > StackSets.

  3. Select firefly-readonly-stackset.

  4. Save your current configuration: Copy and save the current target OU IDs in a note for reference.

  5. Click Actions > Edit StackSet details.

Wizard Page - Step 1: Choose a template

  • Under Prerequisite - Prepare template, select Replace current template.

  • In the Amazon S3 URL field, paste: https://infralight-templates-public.s3.amazonaws.com/config_template.yml

  • Click Next.

Wizard Page - Step 2: Specify StackSet details

  • Keep all settings the same.

  • Click Next.

Wizard Page - Step 3: Configure StackSet options

  • Under Capabilities, check I acknowledge....

  • Click Next.

Wizard Page - Step 4: Set deployment options

  • Organizational units (OUs): Enter the same AWS OU IDs you saved in step 4.

  • Specify Regions: Select the same region(s) as before.

  • Deployment options:

    • Maximum concurrent accounts: Change to Percentage with value 100.

    • Concurrency mode: Select Soft failure tolerance.

  • Click Next.

  • Review and click Submit to complete the update.
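The same update can be driven from the management account with the AWS SDK, which removes the chance of mistyping an OU ID in step 4. The script below is an added example, not Firefly's code. It reads the StackSet's current parameters and stack instances, derives the OU IDs and regions currently deployed, writes them to a note file, and then issues the update with the new template URL, `UsePreviousValue` for every parameter (the "keep all settings the same" step), a maximum concurrency of 100 percent and soft failure tolerance. The StackSet name is the one on this page; the parameter key and the OU IDs in the sample data are constructed, and boto3 with management-account credentials is assumed for the live call.

```python
"""Update the Firefly StackSet template while preserving its current targets
(added example, not Firefly's code; boto3 is only imported for the live run)."""
import json

TEMPLATE_URL = "https://infralight-templates-public.s3.amazonaws.com/config_template.yml"
STACK_SET_NAME = "firefly-readonly-stackset"

# Constructed sample responses shaped like describe_stack_set()["StackSet"]
# and the Summaries returned by list_stack_instances(). The parameter key
# and OU IDs are placeholders.
SAMPLE_STACK_SET = {
    "StackSetName": STACK_SET_NAME,
    "Capabilities": ["CAPABILITY_NAMED_IAM"],
    "Parameters": [{"ParameterKey": "ExampleParam", "ParameterValue": "example"}],
    "PermissionModel": "SERVICE_MANAGED",
}
SAMPLE_INSTANCES = [
    {"Account": "222222222222", "Region": "us-east-1",
     "OrganizationalUnitId": "ou-abcd-11111111", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "us-east-1",
     "OrganizationalUnitId": "ou-abcd-22222222", "Status": "CURRENT"},
    {"Account": "333333333333", "Region": "eu-west-1",
     "OrganizationalUnitId": "ou-abcd-22222222", "Status": "CURRENT"},
]


def targets_from_instances(summaries):
    """Distinct OU IDs and regions the StackSet is currently deployed to."""
    ous = sorted({s["OrganizationalUnitId"] for s in summaries if s.get("OrganizationalUnitId")})
    regions = sorted({s["Region"] for s in summaries})
    return ous, regions


def previous_parameters(stack_set):
    """Re-use every existing parameter value, i.e. keep all settings the same."""
    return [{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
            for p in stack_set.get("Parameters", [])]


def build_update_request(stack_set, summaries, template_url):
    """Keyword arguments for cloudformation.update_stack_set()."""
    ous, regions = targets_from_instances(summaries)
    if not ous:
        # Never submit an update with empty targets: it would not touch any
        # account and hides the fact that the targets were lost.
        raise ValueError("no OU targets found for the StackSet; refusing to update")
    return {
        "StackSetName": stack_set["StackSetName"],
        "TemplateURL": template_url,
        "Parameters": previous_parameters(stack_set),
        # The existing capabilities already cover the named IAM role.
        "Capabilities": stack_set.get("Capabilities", ["CAPABILITY_NAMED_IAM"]),
        "DeploymentTargets": {"OrganizationalUnitIds": ous},
        "Regions": regions,
        "OperationPreferences": {
            "MaxConcurrentPercentage": 100,
            "ConcurrencyMode": "SOFT_FAILURE_TOLERANCE",
        },
    }


def main(stack_set_name=STACK_SET_NAME, template_url=TEMPLATE_URL):
    import boto3  # assumption: boto3 installed, management-account credentials configured
    cfn = boto3.client("cloudformation")
    stack_set = cfn.describe_stack_set(StackSetName=stack_set_name)["StackSet"]
    summaries = []
    for page in cfn.get_paginator("list_stack_instances").paginate(StackSetName=stack_set_name):
        summaries.extend(page["Summaries"])
    request = build_update_request(stack_set, summaries, template_url)
    # Step 4 of the procedure: keep a note of the targets before changing anything.
    with open("stackset-targets-before-update.json", "w") as fh:
        json.dump({**request["DeploymentTargets"], "Regions": request["Regions"]}, fh, indent=2)
    op = cfn.update_stack_set(**request)
    print("started StackSet operation", op["OperationId"])


if __name__ == "__main__":
    print(json.dumps(build_update_request(SAMPLE_STACK_SET, SAMPLE_INSTANCES, TEMPLATE_URL), indent=2))
```

Run it with the sample data first to see the request it would send; only `main()` talks to AWS. Soft failure tolerance lets the operation proceed at full concurrency even if one account fails, which is why the page pairs it with a 100 percent concurrency setting; the failed accounts are still reported on the operation's results.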

AWS Discovery Status

To scan your integration for changes:

  1. Go to Settings > Integrations > AWS.

  2. Find the integration you want to scan.

  3. For asset changes, on the integration menu, select Scan Assets.

  4. For IaC stack changes, on the integration menu, select Scan Stacks.

  5. View changes in the Inventory and/or IaC Explorer after several minutes.
