Cross-Account Access via Console
There are multiple ways to deploy AWS roles to provide Dropzone visibility into your environment. See the AWS documentation for more info.
The following steps walk you through creating a role and granting it to the Dropzone-provided role in the AWS console. This also has the information you'd need to create your own Infrastructure-as-Code configuration if you choose.
Find the Dropzone IAM Role Information
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
In the upper left, click on the "Data Sources" button to configure the Google Workspace Data Source integration
Click "Data Sources" in the top left corner
Find the "AWS" tile and click Connect
In the top left you'll see a section named "Connection". Record the ARN and EXTERNAL ID, which you will use later in the AWS JSON Policy
Create the Role
Next you'll create a role in the AWS account you want monitored and available.
You'll need the following information:
Log in to the AWS Management Console for the account where you want to create the role
Open the Identity and Access Management (IAM) dashboard
From the left navigation, select "Access Management" > Roles
Click "Create Role"
Click "Custom Trust Policy"
In the text field below, paste the following policy, replacing the <Dropzone-provided User ARN> and <Dropzone-provided External ID> strings with values from the Dropzone UI you recorded earlier:
Click "Next" in the bottom right
You'll now be on the "Add Permissions" page where you can add AWS pre-built policies
Choose your policy method:
Add the ReadOnlyAccess policy, which will allow Dropzone to have all policies needed even in the future, or
Add the following policies one-by-one:
Click "Next" when done adding policies
Give the new role the name "Dropzone_AI"
Click "Create Role" in the bottom right
From "Identity and Access Management (IAM)" > "Access Management" > Roles search for the new role
Click on the role
In the middle of the page you'll see "Permissions Policies"
Click "Add Permission"
Select "Create Inline Policy"
In the text field paste the following policy, replacing the <your_accountnumber> strings with this AWS account ID:
Click Next
Give the new permission the name "Dropzone_AI_Additional"
Click "Create Policy"
You should be returned to the Dropzone_AI role page and see the policies you've added, including the custom policy.
Record the ARN for this role which we'll use later when configuring the Dropzone Data and Alert Sources
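A trust-policy check for the role created above, as an added example that is not Dropzone's own code. It assumes the standard AWS cross-account shape (sts:AssumeRole allowed for a single principal and conditioned on sts:ExternalId); the helper names, sample ARN and sample external ID are constructed, and the policy text supplied by Dropzone takes precedence if it differs.

```python
import json

def build_trust_policy(principal_arn, external_id):
    """Cross-account trust policy: one principal, gated on sts:ExternalId (assumed shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, principal_arn, external_id):
    """Return findings for a role's trust policy; an empty list means it is as expected."""
    # A pasted template with "<...>" strings still in it trusts nobody useful.
    if "<" in json.dumps(policy):
        return ["unreplaced <placeholder> string left in the policy"]
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be a dict ({"AWS": ...}) or the bare wildcard string "*".
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if trusted != [principal_arn]:
            findings.append(f"statement {n}: trusts {trusted}, expected only {principal_arn}")
        # Without the external-ID condition, knowing the role ARN is enough to request it.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"statement {n}: sts:ExternalId condition missing or wrong")
    return findings

# Constructed sample values; use the ARN and EXTERNAL ID recorded from the Dropzone UI.
SAMPLE_ARN = "arn:aws:iam::111111111111:user/example-dropzone-user"
SAMPLE_EXTERNAL_ID = "example-external-id-0000"

if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_ARN, SAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, SAMPLE_ARN, SAMPLE_EXTERNAL_ID) or "trust policy OK")
```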
Repeat For Additional AWS Accounts
Repeat the steps taken in the "Create the Role" section for all other AWS accounts you want visible to Dropzone.
Make sure you're keeping a list of all the role ARNs you create along the way - you'll need them later.
Once done, you may move on to configuring the Dropzone Data and Alert Sources described in the AWS documentation.