# Amazon Web Services (AWS)

The Dropzone AI platform integrates with Amazon Web Services (AWS) APIs for ingesting alerts (AWS GuardDuty) and enriching investigations with data from AWS such as CloudWatch.

Dropzone creates a separate IAM role for each customer. This document describes how to enable the Dropzone role to access your AWS environment and configure the Dropzone platform.

## Integration Overview

To enable these integrations you will perform the following actions:

* Enable Cross-Account Access
  * Create an IAM role in your account(s)
  * Attach policies to the role
* Enable the Dropzone Data Source
* Enable the Dropzone Alert Source

The Dropzone platform has a dedicated IAM role for your organization. You enable cross-account access so that this IAM role can assume specific roles within your AWS accounts.

{% hint style="info" %}
These instructions will work for any account, but you may have different methods for applying them, for example if you are using Control Tower or deploying changes via Infrastructure as Code.
{% endhint %}

You must complete these steps for all AWS accounts you wish to be accessible by Dropzone.

## Enable Cross-Account Access

You need to enable Dropzone to access your AWS environments for it to pull alerts and run investigations. There are several ways you can achieve this:

| Toolset                                 | Documentation                                                           | Description                                                                                                                                                                                                                           |
| --------------------------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Set up roles via the Management Console | [documentation](/integrations/data/aws_data/aws-console_data.md)        | Set up roles and create policies in the AWS Console. Several manual steps, highly documented                                                                                                                                          |
| Set up role chaining (Advanced)         | [documentation](/integrations/data/aws_data/aws-role-chain_data.md)     | Use a central Hub role to access multiple accounts via a consistent role pattern.                                                                                                                                                     |
| Use AWS CloudFormation                  | [documentation](/integrations/data/aws_data/aws-cloudformation_data.md) | Set up roles by running Dropzone's CFTs and copy/pasting in a small number of values                                                                                                                                                  |
| Use Infrastructure-as-Code / CLI / etc  | see your provider's information                                         | You can create your own IaC by looking at the role and policy information in the [management console](/integrations/data/aws_data/aws-console_data.md) documentation. Dropzone does not provide any pre-canned IaC code at this time. |

Be sure to use one of the above options to enable the cross-account access before moving on to enabling the integrations.

## Available Integrations

The following integrations are available for Dropzone functionality:

| Service Integration | Policy                                     | Required |
| ------------------- | ------------------------------------------ | -------- |
| CloudTrail          | `AWSCloudTrail_ReadOnlyAccess`†            | Required |
| EC2                 | `AmazonEC2ReadOnlyAccess`                  | Required |
| EKS                 | `eks:ListClusters`, `eks:DescribeCluster`‡ | Optional |
| GuardDuty           | `AmazonGuardDutyReadOnlyAccess`            | Optional |
| IAM                 | `IAMReadOnlyAccess`                        | Optional |
| Route53             | `AmazonRoute53ReadOnlyAccess`              | Optional |
| S3                  | `AmazonS3ReadOnlyAccess`                   | Optional |
| S3 (Outposts)       | `AmazonS3OutpostsReadOnlyAccess`           | Optional |
| Systems Manager     | `AmazonSSMReadOnlyAccess`                  | Optional |

{% hint style="info" %}
† CloudTrail permissions:

* Required (minimum): the `AWSCloudTrail_ReadOnlyAccess` managed policy. This grants the minimum permissions for the CloudTrail integration, which queries CloudTrail logs through the `lookup_events` API.
* Optional (recommended): the `cloudtrail:StartQuery` permission on your event data stores. This enables CloudTrail Lake SQL queries, which are more powerful than `lookup_events`. If this permission is not granted, the integration automatically falls back to the `lookup_events` API. To grant it, attach a custom policy containing the following statement:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:StartQuery",
      "Resource": "arn:aws:cloudtrail:*:*:eventdatastore/*"
    }
  ]
}
```

{% endhint %}

{% hint style="info" %}
‡ EKS Note: AWS does not provide a managed EKS policy. Create a custom policy with `eks:ListClusters`, `eks:DescribeCluster`, and other read-only EKS permissions (`eks:Describe*`, `eks:List*`) as needed.
{% endhint %}
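As an added example (not Dropzone's code), the following Python script audits the policy set you plan to attach to the Dropzone role against the table and notes above: it reports required managed policies that are missing, and it flags any statement in your custom policy (here, the EKS read-only actions and `cloudtrail:StartQuery` from the notes) that is not read-only or that grants CloudTrail actions on `*` instead of event data store ARNs. The attached-policy list is constructed sample input, and the set of verbs treated as read-only is an assumption.

```python
import re

# Managed policies from the integrations table above; True means required.
MANAGED_POLICIES = {
    "AWSCloudTrail_ReadOnlyAccess": True,
    "AmazonEC2ReadOnlyAccess": True,
    "AmazonGuardDutyReadOnlyAccess": False,
    "IAMReadOnlyAccess": False,
    "AmazonRoute53ReadOnlyAccess": False,
    "AmazonS3ReadOnlyAccess": False,
    "AmazonS3OutpostsReadOnlyAccess": False,
    "AmazonSSMReadOnlyAccess": False,
}

# Assumption: action verbs treated as read-only. StartQuery runs a CloudTrail
# Lake query against an event data store, so it reads despite the verb.
READ_ONLY_ACTION = re.compile(
    r"^[a-z0-9-]+:(Describe|List|Get|LookupEvents|StartQuery)", re.IGNORECASE)

# Custom policy combining the EKS note and the CloudTrail Lake note above.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:ListClusters", "eks:DescribeCluster"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudtrail:StartQuery",
         "Resource": "arn:aws:cloudtrail:*:*:eventdatastore/*"},
    ],
}

def missing_required(attached_policy_names):
    """Required managed policies that are not attached to the role yet."""
    return sorted(name for name, required in MANAGED_POLICIES.items()
                  if required and name not in attached_policy_names)

def audit_custom_policy(policy):
    """Findings for statements that are not read-only or are scoped too broadly."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        findings += [f"statement {i}: non-read-only action {a}"
                     for a in actions if not READ_ONLY_ACTION.match(a)]
        if any(a.lower().startswith("cloudtrail:") for a in actions) and stmt["Resource"] == "*":
            findings.append(f"statement {i}: scope cloudtrail actions to eventdatastore ARNs")
    return findings

if __name__ == "__main__":
    # Constructed sample: a role where only the CloudTrail policy was attached so far.
    print("missing required:", missing_required(["AWSCloudTrail_ReadOnlyAccess"]))
    print("custom policy findings:", audit_custom_policy(CUSTOM_POLICY))
```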

## Enable Amazon Web Services

The Data Source integration allows Dropzone AI to interact with AWS APIs, for example to pull CloudWatch information or enumerate EC2 instances, for use in investigation analysis and interactive chat.

You'll need the following information:

| Dropzone Field | Source                                                 |
| -------------- | ------------------------------------------------------ |
| Default Region | The AWS region you run most of your services in        |
| Role ARNs      | The ARNs of the AWS roles you created in your accounts |

To enable the Data Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https://*mycompany*.dropzone.app
* In the bottom left-hand corner, click Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search AWS, then click "Configure"

<figure><img src="/files/c1LAMHwJP8ERrj4i4vBq" alt=""><figcaption><p>The AWS Tile</p></figcaption></figure>

* Under the Data Source heading, enter an AWS region into the "Default Region" field, such as "us-west-1"

{% hint style="success" %}
This should be the region that the majority of your monitored resources live in
{% endhint %}

* Unless using role chaining, leave the Hub Role blank

<figure><img src="/files/I2ZjR6NCSVkWnwcfqzXL" alt=""><figcaption><p>The AWS Data Source Configuration (pt 1)</p></figcaption></figure>

* Under "Role ARNs", click "Add Item," then input the role ARNs that you created earlier
  * You must add each item individually; continue adding roles until done

<figure><img src="/files/Wk5dOpaJs0WNL2nhVHEj" alt=""><figcaption><p>The AWS Data Source Configuration (pt 2)</p></figcaption></figure>

* Under "Enabled Services," select which AWS services you want Dropzone to access

<figure><img src="/files/DegT9dx9eBxyccIm2H2B" alt=""><figcaption><p>The AWS Data Source Configuration (pt 2)</p></figcaption></figure>

* Click "Test & Save" to finish

If you encounter any errors, engage your Dropzone AI support representative.
