Chariot integrates with AWS using cross-account IAM roles to provide secure, temporary access to your AWS resources; no long-term credentials are stored or exchanged. The integration is supported at the AWS Organization level as well as at the individual account level.
Chariot uses a secure two-hop assume role pattern:
- Internal Role Assumption: Chariot first assumes an internal integration role within its own AWS account
- Customer Role Assumption: The internal role then assumes the customer-deployed role in your AWS environment using a unique external ID (UUIDv4)
- Temporary Credentials: As a result, only short-lived credentials are used for secure access to your AWS resources
This architecture ensures proper isolation and prevents confused deputy attacks through unique external IDs per customer.
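The confused-deputy protection above rests on the customer-deployed role's trust policy pinning `sts:AssumeRole` to the integration principal and to the unique external ID. The following added example (not Chariot's own code; the account ID and role name are placeholders) builds a weak trust policy beside the hardened one and audits either for the missing condition:

```python
"""Audit a cross-account IAM role trust policy for confused-deputy protection."""
import json
import uuid

# Placeholder principal: the real integration role ARN is supplied by Chariot at setup.
TRUSTED_PRINCIPAL = "arn:aws:iam::111111111111:role/PLACEHOLDER-internal-integration-role"


def trust_policy(external_id=None):
    """Return a trust policy letting TRUSTED_PRINCIPAL assume the role.
    With external_id=None the policy is the weak form (no sts:ExternalId)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": TRUSTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def is_uuid4(value):
    """True only for a well-formed RFC 4122 version-4 UUID string."""
    try:
        return uuid.UUID(value).version == 4
    except (ValueError, TypeError):
        return False


def audit_trust_policy(policy):
    """Return findings for each Allow sts:AssumeRole statement that is open to
    any principal or not pinned to a UUIDv4 external ID; empty list if clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: role assumable by any principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
        elif not is_uuid4(ext):
            findings.append(f"statement {i}: external ID is not a UUIDv4")
    return findings


if __name__ == "__main__":
    hardened = trust_policy(str(uuid.uuid4()))  # constructed external ID
    print(json.dumps(hardened, indent=2))
    print("weak:", audit_trust_policy(trust_policy()))
    print("hardened:", audit_trust_policy(hardened))
```

Run the audit against the trust policy you actually deploy (for example the output of `aws iam get-role`) to confirm the external ID condition survived any template edits.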
Integration Options
Chariot provides integrations at both the Organization and account level. Praetorian recommends integrating at the Organization level for the most comprehensive coverage and experience.
For either integration level, the necessary setup can be performed by deploying infrastructure as code (IaC) in the form of Terraform or CloudFormation, or by deploying the resources manually. Praetorian recommends deploying via CloudFormation.
Refer to the following articles for detailed instructions on each of the deployment methods:
- Infrastructure as Code - Covers both Terraform and CloudFormation deployments.
- Manual Deployment - Step-by-step AWS console-based setup instructions.
Requested Access
For AWS integrations, Chariot requires the following permissions:
- AWS Managed Policies:
  - ReadOnlyAccess - Provides read access across all resources. Chariot uses read-only access as opposed to view-only access in order to perform comprehensive secret scanning.
  - SecurityAudit - Provides permissions to review security configurations across a multitude of resource types.
- Additionally, Chariot requires the following permissions via a custom policy to enable complete reviews across your environment:
  - a4b:Get*
  - account:Get*
  - codeartifact:List*
  - drs:Describe*
  - glue:GetConnections
  - lambda:GetFunctionUrlConfig
  - securityhub:BatchImportFindings
  - ssm-incidents:List*
  - support:Describe*
  - wellarchitected:List*
Next Steps
Once you've chosen your preferred integration method and deployment approach, you're ready to begin connecting your AWS environment to Chariot. The integration process will establish secure, temporary access to your AWS resources while maintaining the highest security standards through cross-account IAM role assumption with unique external IDs.
After successful integration, Chariot will begin monitoring your AWS environment and providing comprehensive security insights across your Organization or individual accounts, depending on your chosen scope. You can monitor the status of your integration and view security findings through the Chariot dashboard.
For detailed step-by-step instructions, proceed to the appropriate deployment guide based on your preferred method:
- Follow the Infrastructure as Code guide for automated CloudFormation or Terraform deployment
- Use the Manual Deployment guide for console-based configuration
Your AWS resources will be continuously monitored with the read-only and security audit permissions outlined above, ensuring comprehensive visibility into your cloud security posture without any impact to your production workloads.