# AWS

By integrating Shisho Cloud with AWS, you can perform security scanning on your AWS account.
This integration takes two steps:

1.  **Create an IAM role in the target AWS account that Shisho Cloud can assume, along with the corresponding identity provider.**
2.  **Register the ARN of the created IAM role with Shisho Cloud.**

:::info
Shisho Cloud does not require an IAM access key. Instead, it accesses AWS using Web Identity Federation with `sts:AssumeRoleWithWebIdentity`, obtaining short-lived credentials from STS as needed.
This is essentially the same mechanism used by [GitHub Actions for OIDC-based AWS/Google Cloud integration](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/).
:::

## Creating an IAM Role

Create an IAM role using one of the following methods:

:::info
The `s3:GetObject` action on certain resources is restricted so that Shisho Cloud cannot access S3 objects within the AWS account you link. Therefore, even if you link your AWS account to Shisho Cloud, Shisho Cloud will not read the data stored in your S3 buckets.

However, Shisho Cloud has read access to some S3 objects **outside** the AWS account you link. Specifically, it has access to S3 objects where `s3:ResourceAccount`, which represents the account containing the resources, is different from the account where the role used by Shisho Cloud exists. This is necessary for inspecting Elastic Beanstalk settings. AWS internally stores Elastic Beanstalk configuration information in an S3 bucket (`arn:aws:s3:::elasticbeanstalk-env-resources-*/*`, etc.) managed by a separate AWS account. When using some Elastic Beanstalk APIs, the caller must have relevant permissions to access the bucket. You can verify that the AWS-managed IAM policy [AWSElasticBeanstalkRoleCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSElasticBeanstalkRoleCore.html) includes such permissions.
:::

<Tabs>
<TabItem value="terraform" label="Terraform" default>

**After changing the value of the variable `shisho_cloud_org_id` to your Shisho Cloud organization ID**, add the following Terraform code to your Terraform project and run `terraform apply`.

<CodeBlock language="hcl">{AWSSetupTerraform}</CodeBlock>

</TabItem>
<TabItem value="awscli" label="AWS CLI">

To create the required resources (identity provider and IAM role), run the following script, **after modifying the value of `SHISHO_ORG_ID` at the beginning (required) and the value of `AWS_CLI_OPTS` (optional) as needed**:

<CodeBlock language="shell">{AWSSetupShellScript}</CodeBlock>

</TabItem>

<TabItem value="cloudformation" label="CloudFormation">

Create an IAM role using the following CloudFormation template.
When using this template, specify your Shisho Cloud organization ID for the `ShishoCloudOrgId` parameter.

<CodeBlock language="yaml">{AWSSetupCloudFormation}</CodeBlock>

</TabItem>
</Tabs>

Make a note of the ARN of the created IAM role. If you used the default settings above, the ARN should look like `arn:aws:iam::123456789012:role/ShishoCloudSecurityAudit`.
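The S3 restriction described in the note above can be checked with a small policy simulation. The block below is an added example, not code from Shisho Cloud or from the Terraform/CLI/CloudFormation templates: it assumes a hypothetical policy statement that allows `s3:GetObject` only when `s3:ResourceAccount` differs from the linked account, and it models only the `StringEquals`/`StringNotEquals` condition operators.

```python
import fnmatch

# Hypothetical policy in the shape the note above describes (an assumption, not
# Shisho Cloud's actual policy): s3:GetObject is allowed only when the object
# belongs to an account other than the linked one.
def build_policy(linked_account):
    return {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"],
         "Condition": {"StringNotEquals": {"s3:ResourceAccount": linked_account}}},
    ]}

def _condition_holds(cond, ctx):
    # As in IAM, a key missing from the request context fails StringEquals but satisfies StringNotEquals.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            negated = op == "StringNotEquals"
            if key not in ctx:
                if not negated:
                    return False
                continue
            if (ctx[key] == want) == negated:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def simulate(linked_account="123456789012"):
    """Two constructed requests made by the audit role in the linked account."""
    policy = build_policy(linked_account)
    # Elastic Beanstalk configuration bucket owned by a separate AWS account.
    eb = is_allowed(policy, "s3:GetObject", "arn:aws:s3:::elasticbeanstalk-env-resources-us-east-1/cfg",
                    {"s3:ResourceAccount": "999999999999"})
    # A customer bucket inside the linked account: must remain unreadable.
    own = is_allowed(policy, "s3:GetObject", "arn:aws:s3:::customer-data/pii.csv",
                     {"s3:ResourceAccount": linked_account})
    return {"elastic_beanstalk_object": eb, "linked_account_object": own}
```

Running `simulate()` shows the Elastic Beanstalk object readable and the in-account object denied, which is the behaviour the note describes.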

## Registering the ARN with Shisho Cloud

Click the "Settings" button on the "AWS" card in the ":gear: > Integrations" screen, and follow the on-screen instructions to enter the ARN.

Once you have completed the input, the role ARN should appear on the settings page with a check mark, as shown below:
![](/docs/_md-assets/850bfa75ce-integrations-aws.png)

This completes the AWS integration setup. Shisho Cloud can now access your AWS account.

:::info

Due to AWS caching, Shisho Cloud may not be able to access AWS for a few minutes after integration.
If the settings are not applied immediately, please wait up to 5 minutes.

:::

:::warning

If you are unable to integrate with AWS correctly by following the above steps, please contact the service provider (Flatt Security).

:::
