# Cross-Account Access via Console

{% hint style="info" %}
There are multiple ways to deploy AWS roles to provide Dropzone visibility into your environment. See [the AWS documentation](/integrations/data/aws_data.md) for more info.
{% endhint %}

The following steps walk you through creating a role in the AWS console and allowing the Dropzone-provided principal to assume it. The steps also give you the information you'd need to write your own Infrastructure-as-Code configuration if you prefer that route.

### Find the Dropzone IAM Role Information

* Navigate to your Dropzone AI tenant home page, e.g. `https://mycompany.dropzone.app`
* In the bottom left-hand corner, navigate to Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search AWS, then click "Configure"

<figure><img src="/files/c1LAMHwJP8ERrj4i4vBq" alt=""><figcaption><p>The AWS Tile</p></figcaption></figure>

* Under the "Connection" section, record the `ARN` and `EXTERNAL ID` values; you will paste them into the role's trust policy in the AWS IAM console later

<figure><img src="/files/VS7fvETTaeuuyJjHd8bB" alt="" width="296"><figcaption><p>The AWS Connection Information</p></figcaption></figure>

### Create the Role

Next, create a role in the AWS account you want Dropzone to monitor.

You'll need the following information:

| Value                         | Used In                           | Source                                                                    |
| ----------------------------- | --------------------------------- | ------------------------------------------------------------------------- |
| Dropzone-provided ARN         | AWS Role Custom Trust Policy JSON | `ARN` value from the AWS Data Source "Connection" section                 |
| Dropzone-provided External ID | AWS Role Custom Trust Policy JSON | `External ID` value from the AWS Data Source "Connection" section         |
| AWS Account ID                | Custom Permissions Policy JSON    | Find this in the user/role dropdown in the upper right of the AWS console |

* Log in to the AWS Management Console for the account where you want to create the role
* Open the Identity and Access Management (IAM) dashboard

<figure><img src="/files/yfaZ0ANCaRbvtsE866me" alt=""><figcaption><p>IAM</p></figcaption></figure>

* From the left navigation, select "Access Management" > Roles
* Click "Create Role"

<figure><img src="/files/ET6xbbywEpOt7f6lxwg8" alt=""><figcaption><p>Create Role</p></figcaption></figure>

* Click "Custom Trust Policy"

<figure><img src="/files/yfRkpcM6e0WHzSEDxuRR" alt=""><figcaption><p>Custom Trust Policy Selection</p></figcaption></figure>

* In the text field below, paste the following policy, replacing the `<Dropzone-provided User ARN>` and `<Dropzone-provided External ID>` strings with the values from the Dropzone UI you recorded earlier:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<Dropzone-provided User ARN>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<Dropzone-provided External ID>"
                }
            }
        }
    ]
}
```

* In the bottom right, click "Next"
* You'll now be on the "Add Permissions" page where you can add AWS pre-built policies

<figure><img src="/files/ZHmxDUdjfW6Erql2vRzD" alt=""><figcaption><p>Add Permissions page</p></figcaption></figure>

* You may add policies in one of two ways. Either attach the `ReadOnlyAccess` managed policy, which grants Dropzone every read permission it needs now and in the future, or attach the following policies one by one as needed:

| Service Integration | Policy                                     | Required |
| ------------------- | ------------------------------------------ | -------- |
| CloudTrail          | `AWSCloudTrail_ReadOnlyAccess`†            | Required |
| EC2                 | `AmazonEC2ReadOnlyAccess`                  | Required |
| EKS                 | `eks:ListClusters`, `eks:DescribeCluster`‡ | Optional |
| GuardDuty           | `AmazonGuardDutyReadOnlyAccess`            | Optional |
| IAM                 | `IAMReadOnlyAccess`                        | Optional |
| Route53             | `AmazonRoute53ReadOnlyAccess`              | Optional |
| S3                  | `AmazonS3ReadOnlyAccess`                   | Optional |
| S3 (Outposts)       | `AmazonS3OutpostsReadOnlyAccess`           | Optional |
| Systems Manager     | `AmazonSSMReadOnlyAccess`                  | Optional |

{% hint style="info" %}
CloudTrail Permissions (†):

* Required (minimum): the `AWSCloudTrail_ReadOnlyAccess` managed policy. This provides the minimum permissions needed for the CloudTrail integration, which queries CloudTrail logs through the `lookup_events` API.
* Optional (recommended): the `cloudtrail:StartQuery` permission on event data stores. This enables CloudTrail Lake SQL queries, which provide more powerful querying capabilities. If the permission is not available, the integration automatically falls back to the `lookup_events` API. To add it, attach a custom policy containing this statement:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:StartQuery",
      "Resource": "arn:aws:cloudtrail:*:*:eventdatastore/*"
    }
  ]
}
```

{% endhint %}

{% hint style="info" %}
EKS Note (‡): AWS does not provide a managed read-only EKS policy. Create a custom policy with `eks:ListClusters`, `eks:DescribeCluster`, and other read-only EKS permissions (`eks:Describe*`, `eks:List*`) as needed.
{% endhint %}

* Click "Next" when done adding permissions
* Give the new role the name "Dropzone\_AI"

<figure><img src="/files/YFkjMJLExLpojbirPXJk" alt=""><figcaption><p>Role Name</p></figcaption></figure>

* In the bottom right, click "Create Role"

<figure><img src="/files/ET6xbbywEpOt7f6lxwg8" alt=""><figcaption><p>Create Role</p></figcaption></figure>

### Add a custom permission policy

* Navigate to "Identity and Access Management (IAM)" > "Access Management" > "Roles"
* Search for the new role and click on it

<figure><img src="/files/KniWYbKwhS4MevEZ67ng" alt=""><figcaption><p>Find the Role</p></figcaption></figure>

* In the middle of the page, you'll see "Permissions Policies"

<figure><img src="/files/nUO7GZM4BHJ0I5u2xbxv" alt=""><figcaption><p>Permissions Policies</p></figcaption></figure>

* Click "Add Permission"
* Select "Create Inline Policy"

<figure><img src="/files/v428C8z9WKh16GkiyTnt" alt=""><figcaption><p>Create Inline Policy Option</p></figcaption></figure>

* In the text field, paste the following policy, replacing the `<your_accountnumber>` strings with the ID of this AWS account:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailStartQuery",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:kms:*:<your_accountnumber>:key/*",
                "arn:aws:cloudtrail:*:<your_accountnumber>:eventdatastore/*"
            ]
        },
        {
            "Sid": "EKSReadOnly",
            "Effect": "Allow",
            "Action": [
                "eks:Describe*",
                "eks:List*"
            ],
            "Resource": "*"
        }
    ]
}
```

<figure><img src="/files/XvGi5l1VAwNO7J2Txgcx" alt=""><figcaption><p>Custom Permissions JSON</p></figcaption></figure>

* Click "Next"
* Give the new permission the name "Dropzone\_AI\_Additional"
* Click "Create Policy"

You should be returned to the `Dropzone_AI` role page and see the policies you've added, including the custom policy.

* Record the ARN of this role; you'll need it later in the Dropzone UI when configuring the Dropzone Data and Alert Sources, where it is referred to as the "Role ARN"

<figure><img src="/files/qobQa6BPQcbqz1G5i1xL" alt=""><figcaption><p>AWS Role Page</p></figcaption></figure>
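Before you click "Create", it is worth checking the two JSON documents above offline: the trust policy must name only the Dropzone-provided ARN and carry the `sts:ExternalId` condition, and the inline policy must have no leftover `<your_accountnumber>` placeholders and grant nothing beyond read-only actions plus the three actions listed on this page. The following Python script is an added example, not Dropzone's code; the ARN, external ID and account ID in it are constructed placeholders that you replace with your recorded values.

```python
# Offline sanity checks for the Dropzone_AI role's trust and inline policies (added
# example, not Dropzone's code). The ARN, external ID and account ID are placeholders.
import json

DROPZONE_ARN = "arn:aws:iam::111111111111:user/dropzone-example"  # placeholder
DROPZONE_EXTERNAL_ID = "example-external-id"                       # placeholder
ACCOUNT_ID = "222222222222"                                         # placeholder

# Constructed sample: the page's trust-policy template with the placeholders filled in.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": DROPZONE_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": DROPZONE_EXTERNAL_ID}}}]})

# Read-only verbs, plus the three actions the page's inline policy grants on purpose.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")
ALLOWED_EXTRA = {"kms:Decrypt", "kms:GenerateDataKey", "cloudtrail:StartQuery"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, expected_arn, expected_external_id):
    """Return problems found; an empty list means the policy matches the page's template."""
    problems = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in allowed:
            problems.append("trust policy allows any AWS principal")
        if expected_arn not in allowed:
            problems.append("Dropzone-provided ARN is not a trusted principal")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            problems.append("sts:AssumeRole is not allowed")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems

def check_inline_policy(policy_json, account_id):
    """Flag non-read-only actions and resources not scoped to this account (placeholders too)."""
    problems = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if action not in ALLOWED_EXTRA and not verb.startswith(READ_ONLY_PREFIXES):
                problems.append(f"non-read-only action: {action}")
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":")  # arn:partition:service:region:account:resource
            if len(parts) >= 6 and parts[4] not in ("", account_id):
                problems.append(f"resource not scoped to this account: {res}")
    return problems
```

Run `check_trust_policy(SAMPLE_TRUST_POLICY, DROPZONE_ARN, DROPZONE_EXTERNAL_ID)` and `check_inline_policy(...)` on the documents you pasted; an empty list from each means they match what this page describes.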

### Repeat For Additional AWS Accounts

Repeat the steps taken in the "Create the Role" section for all other AWS accounts you want visible to Dropzone.

{% hint style="info" %}
Make sure you keep a list of all the role ARNs you create along the way; you'll need them later.
{% endhint %}

Once done, you may move on to configuring the Dropzone Data and Alert Sources described in [the AWS documentation](/integrations/data/aws_data.md).
