# AWS

> Cloud security posture management (CSPM) for AWS

### Overview

Cloud Security Posture Management (CSPM) is the process of securing multi-cloud environments through enhanced visibility, risk and misconfiguration identification, posture assessment, and compliance protocols. CodeAnt AI continuously monitors cloud infrastructure—such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—for gaps in security policy enforcement.

### Key Features

* **Multi-Cloud Support:** Currently supports AWS, GCP and Azure.
* **Seamless Integration:** Connect seamlessly with any cloud provider and continuously monitor for security vulnerabilities, misconfigurations, and compliance issues.

### How It Works

1. **Copy your External ID:**
   * In CodeAnt AI, go to `Settings -> Cloud Security -> AWS`.
   * Copy the **External ID** shown at the top of the form — it's a per-tenant value used to prevent cross-account confused-deputy attacks. You'll paste it into your IAM trust policy in step 2.

2. **Create an IAM role in your AWS account:**

   * Create an IAM **role** and attach the **trust policy** below, replacing `<EXTERNAL_ID>` with the value you copied above:
     ```json theme={null}
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::785132296666:role/service-role/codeantcibackend-role-u7zwirub"
           },
           "Action": "sts:AssumeRole",
           "Condition": {
             "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
           }
         }
       ]
     }
     ```
   * Attach the AWS managed **`ReadOnlyAccess`** policy. That is the only permission CodeAnt AI needs — it only reads, never writes, creates, or deletes.
   * Copy the **Role ARN** (e.g. `arn:aws:iam::123456789012:role/CodeAntCSPM`).

   <Note>Need tighter, least-privilege access? You can grant CodeAnt AI extremely fine-grained, view-only access instead — see [Fine-grained permissions](#fine-grained-permissions) at the bottom of this page.</Note>

3. **Save in Settings:**
   * Back in `Settings -> Cloud Security -> AWS`, paste the **Role ARN** and your **region**, then save.
   * Click **Validate Permissions** to confirm CodeAnt AI can assume the role and that `ReadOnlyAccess` (or a valid fine-grained set) is attached.

4. **Start a Scan:**
   * Go to `Cloud Security -> Infrastructure Scan` and click **Start New Scan**, then pick your AWS connection.
   * The scan typically completes in 5-20 minutes depending on account size, and results appear under Overview, Findings, Services, and Compliance.
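The trust policy in step 2 is the part of this setup that protects you: the `sts:ExternalId` condition is what stops a third party who knows the CodeAnt AI role ARN from tricking CodeAnt AI into assuming your role (the confused-deputy case mentioned in step 1). The following script is an added example, not CodeAnt AI's own tooling. It checks a trust policy offline for the invariants the steps above require: the 2012-10-17 version, the expected principal, no wildcard principal, an action no broader than `sts:AssumeRole`, and an `ExternalId` condition matching the value from Settings. The principal ARN is the one shown in the trust policy above; the external ID is a constructed placeholder, not a real tenant value.

```python
import json

# Principal taken from the trust policy in step 2. The external ID is a constructed
# placeholder for this example; use the value shown in Settings -> Cloud Security -> AWS.
CODEANT_PRINCIPAL = "arn:aws:iam::785132296666:role/service-role/codeantcibackend-role-u7zwirub"
EXTERNAL_ID = "example-external-id-0000"

# Step 2's trust policy with the placeholder substituted for <EXTERNAL_ID> (sample input).
TRUST_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::785132296666:role/service-role/codeantcibackend-role-u7zwirub"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0000"}}
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal.AWS; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sample_trust_policy() -> dict:
    return json.loads(TRUST_POLICY_JSON)


def check_trust_policy(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Return the invariant violations found; an empty list means the policy is as the guide requires."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17 so that Condition keys are evaluated")
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen who may assume the role
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not an assume-role grant, nothing to check here
        if actions & {"sts:*", "*"}:
            problems.append(f"statement {idx}: Action is broader than sts:AssumeRole")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            problems.append(f"statement {idx}: wildcard Principal lets any AWS account assume the role")
        elif aws_principals != [expected_principal]:
            problems.append(f"statement {idx}: Principal is not the expected CodeAnt AI role")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            problems.append(f"statement {idx}: missing sts:ExternalId condition (confused-deputy protection)")
        elif external_id == "<EXTERNAL_ID>":
            problems.append(f"statement {idx}: <EXTERNAL_ID> placeholder was not replaced")
        elif external_id != expected_external_id:
            problems.append(f"statement {idx}: sts:ExternalId does not match the value from Settings")
    return problems


if __name__ == "__main__":
    good = sample_trust_policy()
    print("guide policy:", check_trust_policy(good, CODEANT_PRINCIPAL, EXTERNAL_ID) or "OK")
    # Same policy with the Condition removed: the only difference is the missing ExternalId check.
    weakened = sample_trust_policy()
    del weakened["Statement"][0]["Condition"]
    print("without ExternalId:", check_trust_policy(weakened, CODEANT_PRINCIPAL, EXTERNAL_ID))
```

Run it against the JSON you are about to paste into the IAM console (or the output of `aws iam get-role` after saving) and it should report no problems; the `Validate Permissions` button in step 3 then confirms the live side, i.e. that the role can actually be assumed with that external ID. The script only parses JSON, so it does not need AWS credentials.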

### Benefits

* **Enhanced Visibility:** Gain complete visibility into your cloud infrastructure's security posture.
* **Risk and Misconfiguration Identification:** Continuously identify and address risks and misconfigurations.
* **Compliance Assurance:** Ensure your cloud infrastructure complies with industry standards and protocols.

### Demo

For a detailed use case and step-by-step guide on how to utilize the cloud security feature, check out our demo. The demo provides a comprehensive walkthrough, showing you how to configure settings, start a scan, and interpret the results effectively.

### Fine-grained permissions

We recommend **`ReadOnlyAccess`** for most teams — it's the simplest setup and covers every feature. If your security program calls for tighter, least-privilege access, you can grant CodeAnt AI **extremely fine-grained, view-only** access instead. It's two parts:

**1. Attach AWS's managed security policies — `SecurityAudit` + `ViewOnlyAccess`.**
These are standard AWS managed policies, maintained by AWS — you don't author or maintain their contents. They grant read access to security **configuration/metadata only** (no object, message, or log contents), comparable to how Vanta requests access, and cover the full posture scan, GuardDuty findings, and compliance.

**2. Add this one custom policy.**
It's the only thing you configure yourself — a small set of read-only actions the two managed policies above don't include:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMoreReadOnly",
      "Effect": "Allow",
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "codepipeline:ListTagsForResource",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wafv2:ListIPSets",
        "wafv2:GetIPSet",
        "wafv2:ListWebACLs",
        "wafv2:GetWebACL",
        "wafv2:GetWebACLForResource",
        "wafv2:ListResourcesForWebACL",
        "wafv2:GetLoggingConfiguration",
        "wellarchitected:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAPIGatewayReadOnly",
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ]
    }
  ]
}
```

**3. (Optional) Enable API-abuse / WAF-log detection — attach `CloudWatchLogsReadOnlyAccess`.**
The view-only set above does not read log contents, so the **API Abuse** tab stays empty. To enable it, also attach the AWS managed policy **`CloudWatchLogsReadOnlyAccess`** — this lets CodeAnt AI analyze your WAF and API Gateway logs to flag suspicious client IPs. It reads edge-log content (client IPs and request bodies), so it's fully opt-in.

<Note>Strict-minimal alternative to `CloudWatchLogsReadOnlyAccess`: a custom policy granting only `logs:DescribeLogGroups`, `logs:StartQuery`, and `logs:GetQueryResults` on `Resource: "*"`.</Note>

**4. (Optional) Enable container scanning — attach `AmazonEC2ContainerRegistryReadOnly`.**
Container scanning reads and scans your ECR images, which requires pulling image layers — the view-only policies above can only list repositories, not download images. To enable it, also attach the AWS managed policy **`AmazonEC2ContainerRegistryReadOnly`**. It grants read-only access to your ECR registry (`ecr:DescribeRepositories`, `ecr:DescribeImages`, `ecr:GetAuthorizationToken`, `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`, and related read actions) so CodeAnt AI can pull and scan images for vulnerabilities and secrets.
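When a team opts for the fine-grained path, the custom policy above and any strict-minimal variants (such as the three `logs:` actions in the CloudWatch note) are the parts you author yourself, so they are the parts worth re-checking whenever they change. The script below is an added example, not CodeAnt AI's own tooling. It audits a permissions policy for actions that are not provably read-only: it accepts verbs with read-shaped prefixes such as `Get`, `List`, `Describe`, `BatchGet`, `Search` and `Filter`, keeps an explicit exception set for read actions whose verb does not look like one (`logs:StartQuery`, `apigateway:GET`), and flags `*`, `service:*`, mid-verb wildcards and `NotAction` grants. The prefix list and exception set are maintained by hand here and are assumptions of this example, not an AWS-published classification; the sample policy is a constructed subset of the page's policy plus the strict-minimal CloudWatch statement.

```python
import json

# Read-shaped verb prefixes. Hand-maintained for this example, not an AWS-published list;
# extend it if a policy you audit uses other read verbs.
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Search", "Filter", "Check", "View", "Lookup")

# Actions that only read but whose verb is not read-shaped. logs:StartQuery is from the
# strict-minimal CloudWatch note; apigateway:GET is the API Gateway read method.
READ_EXCEPTIONS = {"logs:StartQuery", "apigateway:GET"}

# Constructed sample input: a subset of the page's custom policy plus the strict-minimal
# CloudWatch statement, so the script runs offline.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowMoreReadOnly", "Effect": "Allow",
     "Action": ["account:Get*", "codebuild:BatchGet*", "glue:SearchTables",
                "logs:FilterLogEvents", "wafv2:ListWebACLs", "wafv2:GetWebACL"],
     "Resource": "*"},
    {"Sid": "AllowAPIGatewayReadOnly", "Effect": "Allow", "Action": ["apigateway:GET"],
     "Resource": ["arn:*:apigateway:*::/restapis/*", "arn:*:apigateway:*::/apis/*"]},
    {"Sid": "LogsQueryMinimal", "Effect": "Allow",
     "Action": ["logs:DescribeLogGroups", "logs:StartQuery", "logs:GetQueryResults"],
     "Resource": "*"}
  ]
}"""


def _as_list(value):
    """IAM accepts a scalar or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sample_policy() -> dict:
    return json.loads(SAMPLE_POLICY_JSON)


def is_read_only_action(action: str) -> bool:
    """True if the action string can only match read actions under the conventions above."""
    if action in READ_EXCEPTIONS:
        return True
    if ":" not in action:
        return False  # a bare "*" grants every action in every service
    service, verb = action.split(":", 1)
    if verb in ("*", ""):
        return False  # "s3:*" is full access to the service
    if "*" in verb.rstrip("*"):
        return False  # "s3:*Object" style patterns match writes too; only a trailing wildcard is accepted
    return verb.startswith(READ_PREFIXES)


def non_read_actions(policy: dict) -> list:
    """Return every Allow action (or NotAction statement) that is not provably read-only."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            flagged.append(f"{stmt.get('Sid', '?')}: NotAction allows everything except the listed actions")
            continue
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    policy = sample_policy()
    print("sample policy:", non_read_actions(policy) or "all actions read-only")
    # A drifted copy with two write-capable grants slipped in.
    drifted = sample_policy()
    drifted["Statement"][0]["Action"] += ["s3:PutObject", "ec2:*"]
    print("drifted policy:", non_read_actions(drifted))
```

This is a read-versus-write filter, not a data-exposure analysis: a `Get`-prefixed action passes the check whether it returns metadata or content, which is exactly the distinction the page draws between the view-only set (configuration and metadata) and the opt-in `CloudWatchLogsReadOnlyAccess` and `AmazonEC2ContainerRegistryReadOnly` attachments (log content, image layers). Use the script to catch write verbs creeping into the custom policy, and review opt-in attachments separately.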
