Set Up Amazon Web Services (AWS) Integration

This guide shows how to set up the AWS integration with Axiom's CloudFormation template, or how to create the same resources manually.

Updated over 2 months ago

Overview

This guide describes how to integrate a single AWS account or an AWS Organization with Axiom, either with the CloudFormation template or manually.

The integration creates an IAM role and the policies attached to it. Axiom's AWS account assumes that role to make API calls into your AWS account, collect data and, if you enable it, automate access actions (automation is disabled by default). The CloudFormation template contains everything the role needs to deliver the required data to your Axiom account.

With a single click, Axiom provisions the necessary resources in your AWS account and begins collecting data.

You can also use the API, the AWS CLI, or Terraform to set up multiple accounts.

Important!

Before starting, make sure you are working with an AWS principal that has administrative IAM permissions: the steps below create an IAM role and its policies.

A Step-by-step guide - Organization Management Account

Web Console

  1. Log in to your AWS Organization Management account

  2. Navigate to CloudFormation

  3. Click on Create Stack > With new resource (standard)

  4. In the following screen, keep everything as default and specify the URL to our CloudFormation template

    https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiom.yaml

  5. Click 'Next'

  6. In the Specify stack details screen, enter the following details:

    • Stack name: axiom-integration-mgmt

    • ExternalId: a random, hard-to-guess string that you generate (for example, 32 hex characters from a cryptographic random source). AWS checks this value as sts:ExternalId whenever the role is assumed, which stops a third party who merely knows your role ARN from making Axiom assume it (the confused-deputy problem). Save it; you need it again when registering the integration.

    • AccessManagement: true

    • AxiomAWSAccountId: keep the default unless you are using a Self-hosted Runner, in which case enter your own AWS account ID

  7. Click 'Next'

💡 NOTE: The CloudFormation template was updated to be explicit: every option is enabled (true) by default.

  • To disable an option (for example, the EC2 scan, read-only access, or S3 collection), set it to false.

  • Keep 'IdentityCenterAccessManagement' set to true if you want Axiom to scan IAM Identity Center.

  8. In the Configure stack options screen:

    1. Review your configuration

    2. Scroll down

    3. Check the checkbox acknowledging that CloudFormation may create IAM resources

    4. Click 'Next'

AWS CLI

Create CloudFormation Stack

aws cloudformation create-stack --template-url https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiom_integration_role.yaml --stack-name axiom-integration-mgmt --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=AccessManagement,ParameterValue=true ParameterKey=ExternalId,ParameterValue=<external-id> ParameterKey=AxiomAWSAccountId,ParameterValue=172796517899

  1. Replace <external-id> with a random, hard-to-guess string and save it for later.

    ParameterKey=ExternalId,ParameterValue=<external-id>

  2. When running with an Axiom Self-hosted Runner in your environment, replace the AWS account ID with your own.

    ParameterKey=AxiomAWSAccountId,ParameterValue=172796517899
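The following is an added example and not Axiom's code. It generates an ExternalId of the kind the steps above ask for, assembles the create-stack command from this page as an argv list, and checks the trust policy of the role the stack creates for the two properties that matter: only the expected AWS account can assume it, and only with your ExternalId. Nothing in it calls AWS. The trust policy it inspects is a constructed sample of the shape a correctly deployed cross-account role has, not the document Axiom's template actually produces; the role name AxiomIntegrationRole and the default account ID are the ones this page shows.

```python
"""Added example, not Axiom's code: generate an ExternalId, assemble the
create-stack command from this page, and check the trust policy of the role
that the stack creates. Nothing here calls AWS; the trust policy is a
constructed sample of the shape a correctly deployed cross-account role has."""
import json
import re
import secrets
import shlex

# Values taken from the page. Use your own account ID with a self-hosted runner.
TEMPLATE_URL = ("https://axiom-cloudformation-template.s3.eu-central-1"
                ".amazonaws.com/axiom_integration_role.yaml")
AXIOM_ACCOUNT_ID = "172796517899"
ROLE_NAME = "AxiomIntegrationRole"

# Character set and length AWS accepts for sts:ExternalId.
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def new_external_id(nbytes: int = 16) -> str:
    """Return a random hex ExternalId (128 bits by default). It is a shared
    secret between you and Axiom: store it, and do not reuse it elsewhere."""
    return secrets.token_hex(nbytes)


def create_stack_argv(external_id: str, access_management: bool,
                      axiom_account_id: str = AXIOM_ACCOUNT_ID,
                      stack_name: str = "axiom-integration-mgmt") -> list:
    """Build the page's `aws cloudformation create-stack` command as an argv
    list, so it can go to subprocess.run without shell-quoting surprises."""
    if not EXTERNAL_ID_RE.match(external_id):
        raise ValueError("ExternalId contains characters AWS rejects")
    if not re.fullmatch(r"\d{12}", axiom_account_id):
        raise ValueError("AxiomAWSAccountId must be a 12-digit AWS account ID")
    flag = "true" if access_management else "false"
    return [
        "aws", "cloudformation", "create-stack",
        "--template-url", TEMPLATE_URL,
        "--stack-name", stack_name,
        "--capabilities", "CAPABILITY_NAMED_IAM",
        "--parameters",
        f"ParameterKey=AccessManagement,ParameterValue={flag}",
        f"ParameterKey=ExternalId,ParameterValue={external_id}",
        f"ParameterKey=AxiomAWSAccountId,ParameterValue={axiom_account_id}",
    ]


def trust_policy_findings(policy: dict, expected_account_id: str,
                          external_id: str) -> list:
    """Check an AssumeRolePolicyDocument (as returned by `aws iam get-role`)
    for the two properties that block a confused-deputy attack: only the
    expected account may assume the role, and only with your ExternalId.
    Returns a list of findings; an empty list means the policy is as expected."""
    ok_principals = {f"arn:aws:iam::{expected_account_id}:root", expected_account_id}
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = [] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if principal == "*" or "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        for p in aws:
            if p != "*" and p not in ok_principals:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings


def sample_trust_policy(external_id: str,
                        principal: str = f"arn:aws:iam::{AXIOM_ACCOUNT_ID}:root",
                        with_condition: bool = True) -> dict:
    """Constructed sample (not captured from a real account) of the trust policy
    a correctly deployed AxiomIntegrationRole should carry."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole"}
    if with_condition:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    ext_id = new_external_id()
    print(shlex.join(create_stack_argv(ext_id, access_management=True)))
    # Once the stack is CREATE_COMPLETE, feed the real document from
    # `aws iam get-role --role-name AxiomIntegrationRole` to trust_policy_findings.
    print(json.dumps(sample_trust_policy(ext_id), indent=2))
    print(trust_policy_findings(sample_trust_policy(ext_id), AXIOM_ACCOUNT_ID, ext_id))
```

After the stack finishes, run `aws iam get-role --role-name AxiomIntegrationRole`, pass the `Role.AssumeRolePolicyDocument` object to `trust_policy_findings` with the account ID and ExternalId you used, and treat any finding as a reason to stop before registering the integration. With a Self-hosted Runner, pass your own account ID as `expected_account_id`.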

A Step-by-step guide - Organization Member Accounts

Web Console

  1. Log in to your AWS Organization Member account

  2. Navigate to CloudFormation > StackSets (the steps below are the StackSet wizard)

  3. Click 'Create StackSet'

  4. In the following screen, keep everything as default and specify the URL to our CloudFormation template

    https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiom.yaml

  5. Click 'Next'

  6. In the Specify StackSet details screen, enter the following details:

    • Stack name: axiom-integration-member

    • ExternalId: a random, hard-to-guess string that you generate; AWS checks it as sts:ExternalId when the role is assumed. Save it for the integration setup.

    • AccessManagement: false

    • AxiomAWSAccountId: keep the default unless you are using a Self-hosted Runner, in which case enter your own AWS account ID

  7. Click 'Next'

  8. Leave everything as default in the Configure StackSet options screen

  9. Click 'Next'

  10. In the following screen (deployment options), keep everything as default and specify your active region

  11. In the following screen, review your configuration, scroll down, and check the checkbox acknowledging that CloudFormation may create IAM resources

  12. Click 'Next'


AWS CLI

Step 1: Create CloudFormation StackSet

aws cloudformation create-stack-set --template-url https://axiom-cloudformation-template.s3.eu-central-1.amazonaws.com/axiom_integration_role.yaml --stack-set-name axiom-integration-member --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --parameters ParameterKey=AccessManagement,ParameterValue=false ParameterKey=ExternalId,ParameterValue=<external-id> ParameterKey=AxiomAWSAccountId,ParameterValue=172796517899

  1. Replace <external-id> with a random, hard-to-guess string and save it for later.

    ParameterKey=ExternalId,ParameterValue=<external-id>

  2. When running with an Axiom Self-hosted Runner in your environment, replace the AWS account ID with your own.

    ParameterKey=AxiomAWSAccountId,ParameterValue=172796517899

With Enabled=true, CloudFormation also deploys the stack automatically into accounts that join the targeted OUs later, and RetainStacksOnAccountRemoval=false removes it from accounts that leave.

Step 2: Create CloudFormation StackSet Instances

After creating the StackSet, create stack instances in your member accounts. Deployment targets are given as Organizational Unit IDs: pass the organization root ID to deploy to every member account (Step 3), or one or more OU IDs to deploy only to specific OUs (Step 4).

aws cloudformation create-stack-instances --stack-set-name axiom-integration-member --regions <region> --deployment-targets OrganizationalUnitIds=<id>

Replace <region> with your active region.

--regions <region>

Step 3: Deploy the CloudFormation Stacks to the Entire Organization

Use the following command to get your organization root ID:

aws organizations list-roots | jq -r '.Roots[0].Arn | split("/")[-1]'

The output of this command should look like this:

r-abcd

Replace <id> with this root ID.

OrganizationalUnitIds=<id>

Step 4: Deploy the CloudFormation Stacks to Specific Organizational Units

Replace <id> with one or more OU IDs (comma-separated).

Use the following command to list the OUs directly under your organization root, with their IDs:

org_root_id=$(aws organizations list-roots | jq -r '.Roots[0].Arn | split("/")[-1]'); aws organizations list-organizational-units-for-parent --parent-id $org_root_id | jq -r '.OrganizationalUnits[] | {id: .Id, name: .Name}'

The output of this command should look like this:

{
"id": "ou-abcd-12345678",
"name": "Production OU"
}
{
"id": "ou-abcd-87654321",
"name": "Development OU"
}
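The following is an added example and not Axiom's code. It does in Python what Steps 2 to 4 do with the AWS CLI and jq: it takes the JSON printed by `aws organizations list-roots` and `aws organizations list-organizational-units-for-parent`, resolves the root ID or the IDs of named OUs, validates them against the ID formats AWS uses, and assembles the create-stack-instances command for either the whole organization or specific OUs. The two JSON documents are constructed samples in the shape of that output with no real identifiers; no AWS call is made.

```python
"""Added example, not Axiom's code: resolve the StackSet deployment targets
from the JSON that the two `aws organizations` commands on this page print,
then assemble the create-stack-instances command. The JSON below is a
constructed sample in the shape of that output, with no real identifiers."""
import json
import re
import shlex

# Constructed sample output of `aws organizations list-roots`.
LIST_ROOTS_OUTPUT = json.dumps({"Roots": [{
    "Id": "r-abcd",
    "Arn": "arn:aws:organizations::111122223333:root/o-exampleorgid/r-abcd",
    "Name": "Root"}]})

# Constructed sample output of `aws organizations list-organizational-units-for-parent`.
LIST_OUS_OUTPUT = json.dumps({"OrganizationalUnits": [
    {"Id": "ou-abcd-12345678", "Name": "Production OU"},
    {"Id": "ou-abcd-87654321", "Name": "Development OU"}]})

# Shapes of AWS Organizations root and OU identifiers.
ROOT_ID_RE = re.compile(r"r-[0-9a-z]{4,32}")
OU_ID_RE = re.compile(r"ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}")


def root_id(list_roots_output: str) -> str:
    """Same as the page's jq filter: last path element of the first root's ARN,
    validated against the r-xxxx shape so a malformed value is caught early."""
    arn = json.loads(list_roots_output)["Roots"][0]["Arn"]
    rid = arn.split("/")[-1]
    if not ROOT_ID_RE.fullmatch(rid):
        raise ValueError(f"not an organization root ID: {rid!r}")
    return rid


def ou_ids_by_name(list_ous_output: str, names: list) -> list:
    """Map OU display names to OU IDs. Unknown or duplicated names raise, so a
    typo cannot silently deploy the role into the wrong set of accounts."""
    by_name = {}
    for ou in json.loads(list_ous_output)["OrganizationalUnits"]:
        by_name.setdefault(ou["Name"], []).append(ou["Id"])
    ids = []
    for name in names:
        matches = by_name.get(name, [])
        if len(matches) != 1:
            raise ValueError(f"OU name {name!r} matched {len(matches)} OUs")
        ids.append(matches[0])
    return ids


def create_stack_instances_argv(target_ids: list, regions: list,
                                stack_set_name: str = "axiom-integration-member") -> list:
    """Build the page's `aws cloudformation create-stack-instances` command.
    Passing the root ID deploys to every member account; passing OU IDs limits
    the deployment to those OUs. Several IDs use the CLI's comma-separated
    shorthand for OrganizationalUnitIds."""
    if not target_ids or not regions:
        raise ValueError("need at least one deployment target and one region")
    for tid in target_ids:
        if not (ROOT_ID_RE.fullmatch(tid) or OU_ID_RE.fullmatch(tid)):
            raise ValueError(f"not a root or OU ID: {tid!r}")
    return ["aws", "cloudformation", "create-stack-instances",
            "--stack-set-name", stack_set_name,
            "--regions", *regions,
            "--deployment-targets", "OrganizationalUnitIds=" + ",".join(target_ids)]


if __name__ == "__main__":
    # Whole organization (Step 3) versus specific OUs (Step 4).
    whole_org = create_stack_instances_argv([root_id(LIST_ROOTS_OUTPUT)], ["eu-central-1"])
    print(shlex.join(whole_org))
    prod_only = create_stack_instances_argv(ou_ids_by_name(LIST_OUS_OUTPUT, ["Production OU"]),
                                            ["eu-central-1"])
    print(shlex.join(prod_only))
```

To use it against a real organization, replace the two constants with the actual command output (for example, `subprocess.run([...], capture_output=True, text=True).stdout`) and run the returned argv with `subprocess.run`. Resolving OUs by name rather than pasting IDs by hand is what keeps the role from landing in an OU you did not intend.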


Axiom Integration Setup

  1. Open the Integrations page

  2. Click 'Add' on the AWS tile

  3. Fill in the following:

    • Integration Name

    • Account ID

  4. Click 'Continue'

In the following screen:

  • If you used the CloudFormation template without changes:

    1. Mark 'Use our CloudFormation Template'

    2. Click 'Integrate'

  • If you changed the IAMRoleName or the External ID:

    1. Fill in:

      • Role ARN: the role ARN generated by the CloudFormation stack

        arn:aws:iam::<account-id>:role/AxiomIntegrationRole

      • External ID: the value you passed as the ExternalId parameter

    2. Click 'Integrate'. Done.
