How AWS Integration Works (Deep Dive)

Written By Dan Crawford

Last updated 6 days ago

PGP enables secure, scalable assessment of AWS environments through cross-account trust relationships that maintain strict security boundaries. The integration supports both organization-wide and individual account setups, using AWS IAM roles, temporary credentials, and External ID validation to ensure secure, auditable access for resource discovery and configuration assessment.

Architecture and Integration Models

PGP offers two integration paths:

  • Organization-Level Integration: A trust relationship is established within all accounts of the AWS Organization (including the management account). This integration step automatically propagates the deployment to all member accounts, allowing centralized management with per-account visibility.

  • Individual Account Integration: Customers can integrate on a per-account basis, maintaining independent trust relationships and tighter control over permissions.

Both models follow the same access pattern via the PGP Access Broker, an isolated intermediary system that securely mediates between PGP’s core platform and customer AWS environments. This broker handles temporary credential issuance, provides a single audit point, and ensures a clear trust boundary between PGP and customer operations.

For either integration level, the necessary setup can be performed by deploying infrastructure as code (IaC) in the form of Terraform or CloudFormation, or by creating the resources manually.

Secure Cross-Account Access

PGP's integration uses a purpose-built IAM role in the customer account with a trust policy that allows only the PGP Access Broker to assume it. Access is limited to read-only operations and protected by a unique External ID, which prevents unauthorized access (the confused deputy problem) by binding each access request to a specific customer environment.

The External ID is:

  • Unique to each customer and generated by PGP

  • Required in all AssumeRole requests

  • Treated confidentially, even though not classified as a secret

Access Flow and Session Management

When PGP performs an assessment:

  1. A request is sent to the PGP Access Broker.

  2. The Broker assumes the integration role using AWS Security Token Service.

  3. AWS validates the trust policy and External ID.

  4. Temporary credentials (valid for ~1 hour) are issued.

  5. Session credentials are passed to PGP for use in assessment tasks.

This model ensures:

  • No long-term credential storage

  • Automatic credential rotation

  • Seamless access across accounts without user intervention
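The following is an added example, not PGP's own code, that models the customer-side trust policy from the previous section and the AssumeRole flow in steps 2 to 4 above with an offline stand-in for the STS client. Account ids, the role name, the session name and the External ID are constructed placeholders, and the broker is assumed to be identified by its AWS account.

```python
import datetime as dt
import secrets
# Constructed placeholders, not real PGP identifiers.
CUSTOMER_ACCOUNT, BROKER_ACCOUNT = "111111111111", "222222222222"
INTEGRATION_ROLE_ARN = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/pgp-integration-role"
EXTERNAL_ID = "pgp-customer-example-external-id"

# Customer-side trust policy: only the broker account may call sts:AssumeRole, and only with this External ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{BROKER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

def trust_allows(policy, caller_account, external_id):
    # The part of STS trust evaluation the flow relies on: caller account must match the Principal,
    # and the presented External ID must satisfy the sts:ExternalId condition.
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False

class FakeSts:
    # Offline stand-in for boto3's STS client; same assume_role call shape.
    def __init__(self, caller_account, trust_policies):
        self.caller_account, self.trust_policies = caller_account, trust_policies
    def assume_role(self, RoleArn, RoleSessionName, ExternalId, DurationSeconds=3600):
        if not trust_allows(self.trust_policies[RoleArn], self.caller_account, ExternalId):
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        expiry = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=DurationSeconds)
        return {"Credentials": {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
                                "SecretAccessKey": secrets.token_urlsafe(30),
                                "SessionToken": secrets.token_urlsafe(60), "Expiration": expiry}}

def broker_assume_role(sts, role_arn, external_id, session_name="pgp-assessment"):
    # Broker step: obtain ~1h temporary credentials; nothing long-lived is ever stored.
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=3600)
    return resp["Credentials"]

def seconds_remaining(creds):
    return (creds["Expiration"] - dt.datetime.now(dt.timezone.utc)).total_seconds()
```

With a real boto3 client in place of FakeSts, broker_assume_role is the same call; a wrong External ID or a caller outside the broker account is refused before any credentials are issued.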

Security and Access Controls

PGP operates with least privilege, restricting access to read-only operations such as:

  • Resource enumeration and configuration analysis

  • Security posture and compliance checks

It explicitly avoids:

  • Data access or modification

  • IAM or network changes

  • Resource creation or deletion

Requested Access

For AWS integrations, PGP requires the following permissions:

  • AWS Managed Policies:

    • ReadOnlyAccess - Provides read access across all resources. PGP requests read-only rather than view-only access in order to perform comprehensive secret scanning.

    • SecurityAudit - Provides permissions to review security configurations across a wide range of resource types.

  • Additionally, PGP requires the following permissions via a custom policy to enable complete reviews across your environment:

    • a4b:Get*

    • account:Get*

    • codeartifact:List*

    • drs:Describe*

    • glue:GetConnections

    • lambda:GetFunctionUrlConfig

    • securityhub:BatchImportFindings

    • ssm-incidents:List*

    • support:Describe*

    • wellarchitected:List*

Monitoring and Audit

All activity is fully auditable:

  • AWS CloudTrail logs show access timing, API usage, and geographic context.

  • PGP’s internal logging adds business context, health metrics, and supports real-time anomaly detection.
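An added detection example, not PGP's code, showing the kind of check a customer can run over their own CloudTrail data: it flags every AssumeRole against the integration role that deviates from the expected broker pattern (foreign caller, missing or mismatched External ID, denied attempts, or a session longer than the ~1 hour described above). The role ARN, broker account, External ID and the trail records are constructed placeholders.

```python
import json

# Constructed placeholders; real values come from your deployment, not from this page.
INTEGRATION_ROLE_ARN = "arn:aws:iam::111111111111:role/pgp-integration-role"
BROKER_ACCOUNT = "222222222222"
EXTERNAL_ID = "pgp-customer-example-external-id"
MAX_SESSION_SECONDS = 3600  # the ~1 hour session described above

# Constructed CloudTrail records (not a real capture), one JSON object per line: a normal broker
# assumption, a denied attempt from a foreign account with a wrong External ID, an over-long
# session request from the broker, and an unrelated non-STS event that must be ignored.
SAMPLE_TRAIL = """\
{"eventTime":"2025-01-10T09:00:01Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"accountId":"222222222222","arn":"arn:aws:sts::222222222222:assumed-role/pgp-access-broker/worker-1"},"sourceIPAddress":"203.0.113.10","requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/pgp-integration-role","roleSessionName":"pgp-assessment","externalId":"pgp-customer-example-external-id","durationSeconds":3600}}
{"eventTime":"2025-01-10T09:05:44Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"accountId":"333333333333","arn":"arn:aws:iam::333333333333:user/someone"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/pgp-integration-role","roleSessionName":"test","externalId":"guess"},"errorCode":"AccessDenied","errorMessage":"User is not authorized to perform: sts:AssumeRole"}
{"eventTime":"2025-01-10T09:07:12Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"accountId":"222222222222","arn":"arn:aws:sts::222222222222:assumed-role/pgp-access-broker/worker-2"},"sourceIPAddress":"203.0.113.11","requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/pgp-integration-role","roleSessionName":"pgp-assessment","externalId":"pgp-customer-example-external-id","durationSeconds":43200}}
{"eventTime":"2025-01-10T09:09:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"accountId":"111111111111","arn":"arn:aws:sts::111111111111:assumed-role/pgp-integration-role/pgp-assessment"},"sourceIPAddress":"203.0.113.10","requestParameters":{}}
"""

def audit_assume_role_events(trail_text, role_arn=INTEGRATION_ROLE_ARN, broker_account=BROKER_ACCOUNT,
                             external_id=EXTERNAL_ID, max_seconds=MAX_SESSION_SECONDS):
    """Return (eventTime, reason) pairs for AssumeRole calls against the integration role that
    deviate from the expected broker pattern. Denied attempts are kept on purpose: they are
    the probing that the External ID condition exists to stop, and worth an alert."""
    findings = []
    for line in trail_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        reasons = []
        if "errorCode" in ev:
            reasons.append(f"denied attempt ({ev['errorCode']}) from {caller} at {ev.get('sourceIPAddress')}")
        if caller != broker_account:
            reasons.append(f"caller account {caller} is not the broker account")
        if params.get("externalId") != external_id:
            reasons.append("externalId missing or does not match this customer's External ID")
        if params.get("durationSeconds", 0) > max_seconds:
            reasons.append(f"requested session {params['durationSeconds']}s exceeds {max_seconds}s")
        findings.extend((ev["eventTime"], r) for r in reasons)
    return findings
```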

Revocation is immediate and flexible: customers can delete the role, modify its trust policy, or apply organization-level blocks. Incident response is supported with automated anomaly detection and comprehensive forensic logs.

Implementation and Benefits

PGP offers:

  • A single integration point for full organizational coverage

  • Automated discovery of new accounts and resources

  • Secure, temporary access without persistent credentials

  • Full auditability with minimal administrative overhead

Assessment capabilities include resource inventory, misconfiguration detection, compliance validation, and trust relationship mapping.

Conclusion

PGP’s integration architecture aligns with AWS best practices to deliver secure, flexible, and auditable access across cloud environments. Through the use of IAM roles, temporary credentials, and unique External IDs, it ensures strong security boundaries while enabling comprehensive cloud security assessments.

For detailed step-by-step instructions, proceed to the appropriate deployment guide based on your preferred method:

  • Follow the Infrastructure as Code guide for automated CloudFormation or Terraform deployment

    • The IaC setup instructions should be used for Control Tower environments

  • Use the Manual Deployment guide for console-based configuration