WebsiteTest DriveStatus

Cross-Account Access via CloudFormation

There are multiple ways to deploy AWS roles to provide Dropzone visibility into your environment. See the AWS documentation for more info.

Dropzone provides CloudFormation Templates (CFTs) that assist you in creating the IAM Role you need to integrate with Dropzone. The new role includes a custom trust policy, an AWS-managed ReadOnlyAccess policy, and an inline policy granting specific permissions for secure and streamlined Dropzone operations.

There are two CFTs available:

Name
CFT Link
Purpose

ReadOnly

link

This policy provides read-only access to all your AWS resources. Use this if you do not want to edit your role if more permissions are required in the future.

Minimum ReadOnly

link

This policy provides read-only access to only those AWS resources currently needed by Dropzone. Use this if you are prepared to edit your Policies in the future if Dropzone adds new functionality that requires more access.

Both create a Custom Trust Policy that ensures secure role assumption by Dropzone, using the provided External ID and User ARN.

The following integrations are available for Minimum ReadOnly access:

Service Integration
Policy
Required

CloudTrail

AWSCloudTrail_ReadOnlyAccess

Required

EC2

AmazonEC2ReadOnlyAccess

Required

EKS

eks:ListClusters, eks:DescribeCluster

Optional

GuardDuty

AmazonGuardDutyReadOnlyAccess

Optional

IAM

IAMReadOnlyAccess

Optional

Route53

AmazonRoute53ReadOnlyAccess

Optional

S3

AmazonS3ReadOnlyAccess

Optional

S3 (Outposts)

AmazonS3OutpostsReadOnlyAccess

Optional

Systems Manager

AmazonSSMReadOnlyAccess

Optional

† CloudTrail Permissions:

  • Required (Minimum): AWSCloudTrail_ReadOnlyAccess managed policy. This provides the minimum permissions needed for CloudTrail integration. The integration will use the lookup_events API for querying CloudTrail logs.

  • Optional (Recommended): cloudtrail:StartQuery permission on event datastores. This enables CloudTrail Lake SQL queries, which provide more powerful querying capabilities. If this permission is not available, the integration will automatically fall back to the lookup_events API. To add this permission, attach a custom policy with:

    {
  "Effect": "Allow",
  "Action": "cloudtrail:StartQuery",
  "Resource": "arn:aws:cloudtrail:*:*:eventdatastore/*"
}

‡ EKS Note: AWS does not provide a managed EKS policy. Create a custom policy with eks:ListClusters, eks:DescribeCluster, and other read-only EKS permissions (eks:Describe*, eks:List*) as needed.

Find the Dropzone IAM Role Information

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

Integrations Dropdown

  • Click "Available"

Click Available

  • In the Search bar, search AWS, then click "Configure"

The AWS Tile

  • Under the "Connection" section, record the ARN and EXTERNAL ID values, for use later in the AWS CloudFormation UI

The AWS Connection Information

Running the CloudFormation Template

You will need to repeat these instructions for each account you want to be visible to Dropzone.

Create Stack Button

If this is your first stack, then the option will not have "With new resources"

Create Stack Button

  • In the "Prerequisite - Prepare template" section, select "Choose an exiting template"

  • In the "Specify template" section, select "Amazon S3 URL"

  • In the "Amazon S3 URL" field, input the link to the CFT you've chosen to use (e.g. ReadOnly) from the table at the top of this document

Template specification

  • Click "Next"

  • Enter a "Stack name", e.g. "Dropzone-AI"

Stack Name

  • In the Parameters section fill out the information you gathered from the Dropzone UI

Stack Paramaters

  • Click "Next"

  • On the "Configure stack options" page click "Next"

  • On the "Review and create" page click "Submit"

Create the stack via the Submit button

  • Once the stack creation is complete, click Outputs

  • Record the RoleARN value shown for use later in the Dropzone UI where it will referred to as "Role ARNs"

Output Role ARN

  • If you have additional AWS accounts, repeat the process for each of them

Once done, you may move onto configuring the Dropzone Data and Alert Sources described in the AWS documentation

PreviousAmazon Web Services (AWS)NextCross-Account Access via Console

Last updated

Was this helpful?