# AWS

Amazon Web Services (AWS) integration can be set up using either CloudFormation or Terraform. This guide covers both methods and best practices for integrating your AWS account with Firefly.

## Integration Methods

The integration creates a cross-account IAM role with read-only access (security audit permissions) to your resources. It may also set up Amazon SNS notifications for event-driven scanning of tfstate files.

## Best Practices

1. Use a dedicated AWS account (or at least a separate IAM role) for Firefly's access.
2. Grant only the minimum read permissions (Firefly's provided template covers what's needed).
3. Monitor the Firefly integration user/role in AWS to ensure it's not being used elsewhere.
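
One way to act on the monitoring practice above is to review CloudTrail `AssumeRole` events for the integration role and flag any caller outside the account you expect. This is an added example, not code from Firefly; the role ARN, account IDs, and log records are constructed placeholders, and only the CloudTrail field names are real.

```python
# Placeholders: use the role ARN created by the stack and the caller account
# ID listed in that role's trust policy. Neither value comes from the docs.
FIREFLY_ROLE_ARN = "arn:aws:iam::111111111111:role/EXAMPLE-firefly-readonly"
EXPECTED_CALLER_ACCOUNTS = {"999999999999"}


def _event(account, role_arn, ip, error=None, name="AssumeRole"):
    """Build a constructed CloudTrail record with only the fields used below."""
    record = {
        "eventSource": "sts.amazonaws.com", "eventName": name,
        "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": ip,
        "userIdentity": {"type": "AWSAccount", "accountId": account},
        "requestParameters": {"roleArn": role_arn},
    }
    if error:
        record["errorCode"] = error
    return record


# Constructed sample input, not real log data.
SAMPLE_EVENTS = [
    _event("999999999999", FIREFLY_ROLE_ARN, "198.51.100.10"),
    _event("222222222222", FIREFLY_ROLE_ARN, "203.0.113.7"),
    _event("222222222222", FIREFLY_ROLE_ARN, "203.0.113.7", error="AccessDenied"),
    _event("999999999999", "arn:aws:iam::111111111111:role/other", "198.51.100.10"),
    _event("999999999999", FIREFLY_ROLE_ARN, "198.51.100.10", name="GetCallerIdentity"),
]


def unexpected_assumptions(events, role_arn, expected_accounts):
    """Return AssumeRole calls on role_arn made by accounts outside the allow-list."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        if (ev.get("requestParameters") or {}).get("roleArn") != role_arn:
            continue
        caller = (ev.get("userIdentity") or {}).get("accountId")
        if caller in expected_accounts:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "caller_account": caller,
            "source_ip": ev.get("sourceIPAddress"),
            # CloudTrail sets errorCode only on records for failed calls.
            "succeeded": "errorCode" not in ev,
        })
    return findings
```

Feed the function the `Records` array from your CloudTrail log files; any non-empty result means a principal other than the expected one tried to use the integration role.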

## Integration Methods

### Using CloudFormation

Firefly offers two CloudFormation integration options:

* **Single Account Integration**: Use CloudFormation to integrate individual AWS accounts.
* **AWS Organization Integration**: Use CloudFormation StackSet to integrate multiple accounts across your AWS Organization.

You can download and review the template here: <https://infralight-templates-public.s3.amazonaws.com/config_template.yml>

#### Setup Procedure

1. Log in to AWS with permissions for CloudFormation and IAM.
2. Copy your AWS account ID from the AWS console.
3. In Firefly, go to **Settings > Integrations**.
4. Select **Add New > AWS**.
5. Select **Single Account Integration CloudFormation** or **AWS Organization CloudFormation**.
6. Paste your AWS account ID.
7. Select **Launch Stack**.

## Updating StackSet Template

If you're using AWS Organization integration with CloudFormation StackSet, follow these steps to update the template:

1. Log in to the management account AWS console.
2. Navigate to **CloudFormation > StackSets**.
3. Select **firefly-readonly-stackset**.
4. **Save your current configuration**: Copy and save the current target OU IDs in a note for reference.
5. Click **Actions > Edit StackSet details**.

### Wizard Page - Step 1: Choose a template

* Under **Prerequisite - Prepare template**, select **Replace current template**.
* In the **Amazon S3 URL** field, paste: `https://infralight-templates-public.s3.amazonaws.com/config_template.yml`
* Click **Next**.

### Wizard Page - Step 2: Specify StackSet details

* Keep all settings the same.
* Click **Next**.

### Wizard Page - Step 3: Configure StackSet options

* Under **Capabilities**, check **I acknowledge...**.
* Click **Next**.

### Wizard Page - Step 4: Set deployment options

* **Organizational units (OUs)**: Enter the same AWS OU IDs you saved in step 4.
* **Specify Regions**: Select the same region(s) as before.
* **Deployment options**:
  * **Maximum concurrent accounts**: Change to **Percentage** with value **100**.
  * **Concurrency mode**: Select **Soft failure tolerance**.
* Click **Next**.
* Review and click **Submit** to complete the update.

## AWS Discovery Status

To scan your integration for changes:

1. Go to **Settings > Integrations > AWS**.
2. Find the integration you want to scan.
3. For asset changes, on the integration menu, select **Scan Assets**.
4. For IaC stack changes, on the integration menu, select **Scan Stacks**.
5. View changes in the Inventory and/or IaC Explorer after several minutes.

