Cross-Account Access via CloudFormation

There are multiple ways to deploy AWS roles to provide Dropzone visibility into your environment. See the aws documentation for more info.

Dropzone provides CloudFormation Templates (CFTs) that assist you in creating the IAM Role you need to integrate with Dropzone. The new role includes a custom trust policy, an AWS-managed ReadOnlyAccess policy, and an inline policy granting specific permissions for secure and streamlined Dropzone operations.

There are two CFTs available:

Name	CFT Link	Purpose
ReadOnly	link	This policy provides read-only access to all your AWS resources. Use this if you do not want to edit your role if more permissions are required in the future.
Minimum ReadOnly	link	This policy provides read-only access to only those AWS resources currently needed by Dropzone. Use this if you are prepared to edit your Policies in the future if Dropzone adds new functionality that requires more access.

Name

CFT Link

Purpose

ReadOnly

link

This policy provides read-only access to all your AWS resources. Use this if you do not want to edit your role if more permissions are required in the future.

Minimum ReadOnly

link

This policy provides read-only access to only those AWS resources currently needed by Dropzone. Use this if you are prepared to edit your Policies in the future if Dropzone adds new functionality that requires more access.

Both create a Custom Trust Policy that ensures secure role assumption by Dropzone, using the provided External ID and User ARN.

The current Minimum ReadOnly access list is as follows:

Policy

Policy
`AWSCloudTrail_ReadOnlyAccess`
`AmazonEC2ReadOnlyAccess`
`AmazonGuardDutyReadOnlyAccess`
`AmazonRoute53ReadOnlyAccess`
`AmazonS3OutpostsReadOnlyAccess`
`AmazonS3ReadOnlyAccess`
`AmazonSSMReadOnlyAccess`
`IAMReadOnlyAccess`

AWSCloudTrail_ReadOnlyAccess

AmazonEC2ReadOnlyAccess

AmazonGuardDutyReadOnlyAccess

AmazonRoute53ReadOnlyAccess

AmazonS3OutpostsReadOnlyAccess

AmazonS3ReadOnlyAccess

AmazonSSMReadOnlyAccess

IAMReadOnlyAccess

Find the Dropzone IAM Role Information

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
In the upper left click on the "Data Sources" button in the upper left do configure the Google Workspace Data Source integration

Click "Data Sources" in the top left corner

Find the "AWS" tile and click Connect

In the top left you'll see section named "Connection". Record the ARN and EXTERNAL ID which you will use later in the AWS CloudFormation UI

Running the CloudFormation Template

You will need to repeat these instructions for each account you want visible to Dropzone.

Log into your AWS account
Go to the CloudFromation console, https://console.aws.amazon.com/cloudformation/
Click on "Create Stack" > "With new resources (standard)"

If this is your first stack, then the option will not have "With new resources"

In the "Prerequisite - Prepare template" select "Choose an exiting template"
In the "Specify template" section
- Select "Amazon S3 URL"
- In the "Amazon S3 URL" field paste the link to the CFT you've chosen to use (e.g. ReadOnly) from the table at the top of this document.

Click "Next"
Enter a "Stack name", e.g. "Dropzone-AI"

In the Parameters section fill out the information you gathered from the Dropzone UI

Click "Next"
On the "Configure stack options" page click "Next"
On the "Review and create" page click "Submit"

Once the stack creation is complete, click Outputs
Record the value for the RoleARN for use later in the Dropzone UI where it will be known as "Role ARNs"

Repeat for additional AWS accounts

Once done, you may move onto configuring the Dropzone Data and Alert Sources described in the aws documentation

PreviousAmazon Web Services (AWS)NextCross-Account Access via Console

Last updated 6 days ago