Cross-Account Access via Console

There are multiple ways to deploy AWS roles to provide Dropzone visibility into your environment. See the AWS documentation for more info.

The following steps walk you through creating a role and granting it to the Dropzone-provided role in the AWS console. This also has the information you'd need to create your own Infrastructure-as-Code configuration if you choose.

Find the Dropzone IAM Role Information

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search AWS, then click "Configure"

Under the "Connection" section, record the ARN and EXTERNAL ID values, for use later in the AWS CloudFormation UI

Create the Role

Next you'll create a role in the AWS account you want monitored and available.

You'll need the following information:

Value

Used In

Source

Dropzone-provided ARN

AWS Role Custom Trust Policy JSON

ARN value from the AWS Data Source "Connection" section

Dropzone-provided External ID

AWS Role Custom Trust Policy JSON

External ID value from the AWS Data Source "Connection" section

AWS Account ID

Custom Permissions Policy JSON

Find this in the user/role dropdown in the upper right of the AWS console

Log in to the AWS Management Console for the account where you want to create the role
Open the Identity Access and Management (IAM) dashboard

From the left navigation, select "Access Management" > Roles
Click "Create Role"

Click "Custom Trust Policy"

In the text field below, paste the following policy, replacing the <Dropzone-provided User ARN> and <Dropzone-provided External ID> strings with the values from the Dropzone UI you recorded earlier:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<Dropzone-provided User ARN>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<Dropzone-provided External ID>"
                }
            }
        }
    ]
}

In the bottom right, click "Next"
You'll now be on the "Add Permissions" page where you can add AWS pre-built policies

You may add policies in one of two ways. You may add the ReadOnlyAccess policy, which will allow Dropzone to have all policies needed even in the future, or add the following policies one-by-one as needed:

Service Integration

Policy

Required

CloudTrail

AWSCloudTrail_ReadOnlyAccess†

Required

EC2

AmazonEC2ReadOnlyAccess

Required

EKS

eks:ListClusters, eks:DescribeCluster‡

Optional

GuardDuty

AmazonGuardDutyReadOnlyAccess

Optional

IAM

IAMReadOnlyAccess

Optional

Route53

AmazonRoute53ReadOnlyAccess

Optional

AmazonS3ReadOnlyAccess

Optional

S3 (Outposts)

AmazonS3OutpostsReadOnlyAccess

Optional

Systems Manager

AmazonSSMReadOnlyAccess

Optional

† CloudTrail Permissions:

Required (Minimum): AWSCloudTrail_ReadOnlyAccess managed policy. This provides the minimum permissions needed for CloudTrail integration. The integration will use the lookup_events API for querying CloudTrail logs.
Optional (Recommended): cloudtrail:StartQuery permission on event datastores. This enables CloudTrail Lake SQL queries, which provide more powerful querying capabilities. If this permission is not available, the integration will automatically fall back to the lookup_events API. To add this permission, attach a custom policy with:
```
{
  "Effect": "Allow",
  "Action": "cloudtrail:StartQuery",
  "Resource": "arn:aws:cloudtrail:*:*:eventdatastore/*"
}
```

‡ EKS Note: AWS does not provide a managed EKS policy. Create a custom policy with eks:ListClusters, eks:DescribeCluster, and other read-only EKS permissions (eks:Describe*, eks:List*) as needed.

Click "Next" when done adding policies
Give the new role the name "Dropzone_AI"

In the bottom right, click "Create Role"

Navigate to "Identity and Access Management (IAM)" > "Access Management" > "Roles"
Search for the new role and click on it

In the middle of the page, you'll see "Permissions Policies"

Click "Add Permission"
Select "Create Inline Policy"

In the text field, paste the following policy, replacing the <your_accountnumber> strings with this AWS account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailStartQuery",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:kms:*:<your_accountnumber>:key/*",
                "arn:aws:cloudtrail:*:<your_accountnumber>:eventdatastore/*"
            ]
        },
        {
		 "Sid": "EKSReadOnly",
		 "Effect": "Allow",
		 "Action": [
		     "eks:Describe*",
		     "eks:List*"
		 ],
		 "Resource": "*"
	  }

    ]
}

Click "Next"
Give the new permission the name "Dropzone_AI_Additional"
Click "Create Policy"

You should be returned to the Dropzone_AI role page and see the policies you've added, including the custom policy.

Record the ARN for this role for use later in the Dropzone UI when configuring the Dropzone Data and Alert Sources, where it will be referred to as the "Role ARN"

Repeat For Additional AWS Accounts

Repeat the steps taken in the "Create the Role" section for all other AWS accounts you want visible to Dropzone.

Make sure you're keeping a list of all the role ARNs you create along the way - you'll need them later.

Once done, you may move onto configuring the Dropzone Data and Alert Sources described in the AWS documentation

PreviousCross-Account Access via CloudFormation NextBlocklist.de

Last updated 17 days ago

Was this helpful?