SECTION 03 / PROVIDERS
Connect AWS
Configure a least-privilege, read-only IAM role for Costframe AWS analysis. The role's trust policy requires a customer-controlled external ID, which mitigates the confused deputy problem; this is part of our multi-cloud audit automation.
AWS integrations support on-demand (manual) audit requests. Background scanning runs periodically on the cron interval configured for your organization.
Least-Privilege Policy Structure
The following inline policy grants Costframe access to query inventory and Cost Explorer metrics. Every action is a read call, so the permissions can be audited line by line.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "organizations:ListAccounts",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Step-by-Step Setup
1. Create IAM Trust Role
In the AWS Console under IAM, choose Create role. Select Another AWS account as the trusted entity type.

2. Configure External ID
Input Costframe's central AWS Account ID, check Require external ID, and supply the randomized string displayed in your Costframe workspace connection dashboard. This prevents cross-tenant confused-deputy abuse: the role can only be assumed by a caller that also presents this ID.

3. Attach Policy
Create an IAM policy with the JSON document shown above and attach it to your trust role. Save the role with a clear identifier such as Costframe-ReadOnly.

4. Provide Role ARN
Copy the generated Role ARN and enter it in your Costframe workspace settings screen to queue the initial connection validation.
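A pre-flight check for steps 2 and 3, added here as an example and not part of Costframe's own tooling: given the role's trust document and permissions document (as you would fetch them with the IAM GetRole and GetRolePolicy APIs), it verifies that sts:AssumeRole is gated on the external ID from your workspace and that no allowed action falls outside the read-only list above. The account ID and external ID in the sample documents are constructed placeholders.

```python
# Added example (not Costframe's own code): sanity-check an IAM role before
# handing its ARN to Costframe. Two checks from the setup steps: the trust
# policy must gate sts:AssumeRole on the external ID from your workspace, and
# the permissions policy must stay inside the read-only action list.
# The account ID and external ID below are constructed placeholders.

ALLOWED_ACTIONS = {
    "ce:GetCostAndUsage", "ce:GetCostForecast",
    "organizations:ListAccounts", "tag:GetResources",
}

# Trust policy as the console writes it when "Require external ID" is checked.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}},
}]}
# Same grant with the Condition dropped: the external-ID check is gone.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
}]}


def _actions(stmt: dict) -> list:
    """Normalise the Action field, which IAM allows as a string or a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def trust_requires_external_id(trust_doc: dict, expected_id: str) -> bool:
    """True only if every Allow of sts:AssumeRole is conditioned on expected_id."""
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _actions(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_id:
            return False
    return True


def actions_outside_allowlist(policy_doc: dict) -> list:
    """Return Allow actions not in ALLOWED_ACTIONS (empty list means the policy is clean)."""
    return [a for stmt in policy_doc.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            for a in _actions(stmt) if a not in ALLOWED_ACTIONS]
```

Run both checks before pasting the ARN into the workspace; a wildcard such as "ce:*" is reported as outside the allowlist even though it is still a Cost Explorer action.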
Revoke access at any time
To end the connection immediately, delete the trust role or detach its trust policy in the AWS IAM Console. All further ingestion and scanning attempts will fail at once.