Amazon Web Services - Manual Deployment

Written By Dan Crawford

Last updated 6 days ago

This guide walks you through manually integrating your AWS environment with PGP to enable comprehensive security monitoring and vulnerability assessment across your cloud infrastructure. While we recommend using our Infrastructure as Code (IaC) integration for automated deployment and easier maintenance, the manual deployment process gives you full control over the integration setup while still limiting PGP to read-only access to your AWS resources (plus a single Security Hub write action in the inline policy, called out in Step 2).

Prerequisites

Before starting the integration, ensure you have:

  • AWS CLI or console access with sufficient permissions to create IAM roles, policies, and CloudFormation stacks
  • Organization management administrator permissions (for Organization-level integration)
  • Account administrator permissions (for individual account integration)

Integration Process

Step 1 - Initiate Integration Setup

  1. Navigate to the Integrations section in your PGP dashboard
  2. Click "Add Integration" and select "AWS"
  3. Choose your integration scope and follow the prompts

We recommend you integrate at the Organization level for more comprehensive and accurate coverage of security weaknesses across your environment. For Organization-level integration, you'll need to provide:

  • Account ID: Your AWS management account ID (12-digit number)
  • Deployment Type: Manual

For individual account integration, you'll need to provide:

  • Account ID: The specific AWS account ID you want to integrate
  • Deployment Type: Manual

Step 2 - Create Cloud Resources

The system generates a unique external ID for this integration when you submit the form with the required account information.

Copy this external ID, as you will use it in AWS later.

  1. Create an IAM role with the following configuration:
    • Role Name: PGP-integration-role
    • Trust Policy: Allow PGP's AWS account to assume the role only when it presents your unique external ID (this is shown in the PGP integration set-up modal). The external ID condition is what prevents a third party from tricking PGP into assuming your role (the confused-deputy problem), so use the value generated for this integration exactly as shown.
    • Permissions: Attach the following AWS managed policies:
      • ReadOnlyAccess
      • SecurityAudit
      • AmazonInspector2ReadOnlyAccess
    • Additional Permissions: Create an inline policy with the following permissions. Note that securityhub:BatchImportFindings is the one write action in this list (it lets the role create or update findings in AWS Security Hub); every other action is read-only.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "a4b:Get*",
            "account:Get*",
            "codeartifact:List*",
            "drs:Describe*",
            "glue:GetConnections",
            "lambda:GetFunctionUrlConfig",
            "securityhub:BatchImportFindings",
            "ssm-incidents:List*",
            "support:Describe*",
            "wellarchitected:List*"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Trust Policy: Set the trust policy as follows, substituting your unique external ID from above for YOUR-UNIQUE-EXTERNAL-ID:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::992382785633:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "YOUR-UNIQUE-EXTERNAL-ID"
            }
          }
        }
      ]
    }

NOTE: With manual setup (as opposed to infrastructure as code), you must create this role in EVERY account covered by an Organization-level integration, including the Organization management account.

NOTE: For an Organization-level integration, the role in the Organization management account is what lets our workloads retrieve information about the other accounts. If that role is missing, the integration will not yield results.
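The role creation in Step 2 can be scripted with the AWS CLI. The script below is an added example, not Praetorian's own tooling: it builds the trust policy and inline policy from the page, creates the role, attaches the three managed policies, and then reads the role back to confirm that the stored trust policy carries exactly the external ID you were given. It assumes the AWS CLI is configured with credentials for the target account (for an Organization-level integration, run it once per account, management account included), that the external ID is passed on the command line, and that the inline policy name PGP-integration-inline is an arbitrary choice of this example.

```shell
#!/bin/sh
# Added example, not Praetorian's own tooling: create, configure and
# sanity-check the PGP-integration-role from Step 2 with the AWS CLI.
# Assumptions: the CLI is configured with credentials for the target
# account (run once per account for an Organization-level integration),
# and the external ID passed in is the value shown in the PGP set-up modal.
# The trusted account ID, role name and policies are those given on the
# page; the inline policy name "PGP-integration-inline" is arbitrary.
set -eu

PGP_ACCOUNT_ID="992382785633"
ROLE_NAME="PGP-integration-role"
INLINE_POLICY_NAME="PGP-integration-inline"

# AWS accepts external IDs of 2..1224 characters from [A-Za-z0-9_+=,.@:/-].
# Reject anything else before it is baked into a policy document.
valid_external_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_+=,.@:/-]{2,1224}$'
}

# Trust policy: only PGP's account may assume the role, and only when it
# presents the external ID (the confused-deputy guard).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${PGP_ACCOUNT_ID}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
    }
  ]
}
EOF
}

# Inline permissions from the page, verbatim. Only BatchImportFindings
# is a write action; the rest are read-only.
inline_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "a4b:Get*", "account:Get*", "codeartifact:List*", "drs:Describe*",
        "glue:GetConnections", "lambda:GetFunctionUrlConfig",
        "securityhub:BatchImportFindings", "ssm-incidents:List*",
        "support:Describe*", "wellarchitected:List*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the role, attach the three managed policies, then the inline one.
create_role() {
  ext_id="$1"
  valid_external_id "$ext_id" || { echo "invalid external ID" >&2; return 1; }
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$ext_id")" >/dev/null
  for p in ReadOnlyAccess SecurityAudit AmazonInspector2ReadOnlyAccess; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$INLINE_POLICY_NAME" --policy-document "$(inline_policy)"
}

# Customer-side check before clicking Finish: the stored trust policy must
# carry exactly the external ID that PGP will present when assuming the role.
verify_role() {
  aws iam get-role --role-name "$ROLE_NAME" --output text --query \
    'Role.AssumeRolePolicyDocument.Statement[0].Condition.StringEquals."sts:ExternalId"' \
    | grep -qx "$1"
}

# Usage: sh pgp-role.sh deploy YOUR-UNIQUE-EXTERNAL-ID
if [ "${1:-}" = "deploy" ]; then
  ext="${2:?external ID required}"
  create_role "$ext"
  verify_role "$ext" && echo "role $ROLE_NAME ready in this account"
fi
```

Run it with the credentials of each account that needs the role; verify_role fails (non-zero exit) if the trust policy on the role does not match the external ID you passed, which is the most common reason PGP's validation in Step 3 fails.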

Step 3 - Complete the Integration

  1. After creating the necessary resources, return to the PGP integration modal
  2. Click "Finish" to complete the integration

When you do this, PGP will automatically:

  • Validate the integration by attempting to assume the deployed role
  • Verify that the assumed role grants working access to your AWS environment
  • Add the integration to your integrations list upon successful validation

Next Steps

Once your AWS integration is successfully configured, PGP will begin discovering and analyzing your cloud infrastructure. PGP is now able to inventory your resources and identify potential security vulnerabilities.

Monitor your integration status in PGP, where you'll be able to view discovered assets, security findings, and compliance assessments across your AWS environment.

Support

If you encounter any issues during the integration process or need assistance with troubleshooting, please don't hesitate to reach out to our support team at support@praetorian.com. Our team is ready to help ensure your AWS integration is configured correctly and operating smoothly.