AWS Integration
Connect Annie to your AWS account for real-time infrastructure mapping and monitoring.
Overview
Connect your AWS account to Annie to enable real-time infrastructure mapping, monitoring, and intelligent insights. Annie will ingest your AWS resources and relationships to build a comprehensive knowledge graph of your cloud environment.
Setup Guide
- Go to the Anyshift integrations page
- Navigate to the AWS section
- Follow the setup instructions to connect your AWS account
Option A: Connect with an IAM Role (cross-account)
Step 1: Create the IAM Role
Use one of these methods to create a role with read-only permissions that Anyshift's AWS account can assume. With a role, Annie obtains short-lived credentials through sts:AssumeRole and no long-lived access key leaves your account. Note that the AWS-managed ReadOnlyAccess policy includes s3:Get*, so it also allows reading object contents from every bucket; if that is more than you want to share, attach the narrower custom policy shown further down instead.
- Using Terraform (Recommended)

```hcl
# Trust policy: only Anyshift's account (211125758836) may assume the role, and
# only when it presents the External ID (a shared secret that prevents a
# confused-deputy attack). assume_role_policy must be a JSON string, hence jsonencode().
resource "aws_iam_role" "annie_assume_role" {
  name = "annie-assume-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::211125758836:root" }
        Action    = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            # Use the same value you enter in Anyshift in Step 2. If you decide not
            # to use an External ID, delete the whole Condition block; leaving the
            # placeholder in place makes the role impossible to assume.
            "sts:ExternalId" = "replace_with_optional_external_id"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "read_only_access" {
  role       = aws_iam_role.annie_assume_role.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The ARN you paste into Anyshift in Step 2.
output "annie_role_arn" {
  value = aws_iam_role.annie_assume_role.arn
}
```
- Using AWS Console
  - Navigate to IAM → Roles and select Create role.
  - Choose AWS account → Another AWS account and enter the Account ID 211125758836.
  - Add an External ID. Anyshift treats it as optional, but it is the shared secret that stops a confused-deputy attack (another party naming your Role ARN to Anyshift), so set a long random value and keep it with the Role ARN for Step 2.
  - Attach the AWS-managed policy ReadOnlyAccess (or the narrower custom policy shown further down).
  - Complete the role creation process.
  - Copy the Role ARN for the next step.
Step 2: Add the IAM Role to Anyshift
- Navigate to Anyshift Configuration and select Add AWS Role.
- Enter a descriptive Display Name for the role (e.g., "read_only_role_for_anyshift").
- Paste the Role ARN from the previous step.
- Enter the External ID if you set one in the role's trust policy (the role cannot be assumed without it).
- Save the configuration.
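Before running terraform apply, it is worth checking the rendered trust policy for the two mistakes that cause most failed or over-permissive cross-account setups: a wrong principal and a missing or placeholder External ID. The script below is an added example written for this page, not Anyshift's own tooling. It takes the Anyshift account ID and the placeholder string from the snippet above; the minimum External ID length is an assumption of the example, not an AWS limit.

```python
"""Pre-deploy check for the Annie cross-account trust policy (added example)."""
import copy
import json
import secrets

ANNIE_ACCOUNT_ID = "211125758836"                   # Anyshift's account, from the docs
PLACEHOLDER = "replace_with_optional_external_id"   # placeholder used in the docs' snippet
MIN_EXTERNAL_ID_LEN = 16                            # assumed threshold for this example


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def generate_external_id() -> str:
    """Random, URL-safe shared secret to use as sts:ExternalId (32 characters)."""
    return secrets.token_urlsafe(24)


def check_trust_policy(policy: dict, expected_account: str = ANNIE_ACCOUNT_ID) -> list:
    """Return findings for a role trust policy; an empty list means it is acceptable.

    Checks: exactly one Allow sts:AssumeRole statement, a principal that is exactly
    the expected account's root ARN (never '*'), and an sts:ExternalId condition that
    is present, is not the docs placeholder, and is reasonably long.
    """
    findings = []
    statements = _as_list(policy.get("Statement"))
    assume = [s for s in statements
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if len(assume) != 1:
        return [f"expected exactly one Allow sts:AssumeRole statement, found {len(assume)}"]
    stmt = assume[0]

    principal = stmt.get("Principal")
    aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    expected_arn = f"arn:aws:iam::{expected_account}:root"
    if principal == "*" or "*" in aws_principals:
        findings.append("principal is '*': any AWS account could assume this role")
    elif aws_principals != [expected_arn]:
        findings.append(f"principal {aws_principals} is not exactly ['{expected_arn}']")

    condition = stmt.get("Condition") or {}
    external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
    if not external_ids:
        findings.append("no sts:ExternalId condition: role is open to confused-deputy misuse")
    elif PLACEHOLDER in external_ids:
        findings.append("sts:ExternalId is still the placeholder from the docs")
    elif any(len(e) < MIN_EXTERNAL_ID_LEN for e in external_ids):
        findings.append(f"sts:ExternalId shorter than {MIN_EXTERNAL_ID_LEN} characters")
    return findings


def with_external_id(policy: dict, external_id: str) -> dict:
    """Copy of the policy with sts:ExternalId set on every AssumeRole statement."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement")):
        if "sts:AssumeRole" in _as_list(stmt.get("Action")):
            stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return fixed


# Constructed sample: the trust policy exactly as the docs' Terraform renders it.
DOCS_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::211125758836:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "replace_with_optional_external_id"}}
  }]
}
""")

if __name__ == "__main__":
    print("as documented:", check_trust_policy(DOCS_TRUST_POLICY))
    fixed = with_external_id(DOCS_TRUST_POLICY, generate_external_id())
    print("with a real External ID:", check_trust_policy(fixed))
    print("wrong account:", check_trust_policy(fixed, "123456789012"))
```

The same check can be run against a live role by feeding it the AssumeRolePolicyDocument returned by `aws iam get-role --role-name annie-assume-role`; the principal check is what catches a copy-paste of someone else's account ID, and the placeholder check is what catches a role that nobody can assume.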
Option B: Connect with an IAM User (access keys)
Step 1: Create IAM User
Choose your preferred method. This option hands a long-lived access key to a third party, so prefer Option A where you can, and rotate the key on a schedule if you use this one.
- Using Terraform (Highly Recommended)

```hcl
resource "aws_iam_user" "annie_user" {
  name = "annie-readonly-user"
}

resource "aws_iam_access_key" "annie_access_key" {
  user = aws_iam_user.annie_user.name
}

resource "aws_iam_user_policy_attachment" "read_only_access" {
  user       = aws_iam_user.annie_user.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The secret is written to Terraform state in plaintext: keep the state in a
# protected backend and read it with `terraform output -raw annie_secret_access_key`.
output "annie_access_key_id" {
  value = aws_iam_access_key.annie_access_key.id
}

output "annie_secret_access_key" {
  value     = aws_iam_access_key.annie_access_key.secret
  sensitive = true
}
```

- Using AWS Console
  - Go to IAM → Users → Create user.
  - Attach the ReadOnlyAccess policy (or the narrower custom policy shown further down).
  - Open the user's Security credentials tab and create an access key for programmatic access.
  - Save the Access Key ID and Secret Access Key; the secret is shown only once.
Step 2: Configure in Anyshift
- Enter the Access Key ID and Secret Access Key you obtained from the IAM user creation step.
- Provide a descriptive AWS Account Name label (e.g., "read_only_user_for_anyshift").
Minimal custom policy (optional)
If you prefer not to grant the broad AWS-managed ReadOnlyAccess policy, attach a custom policy that allows only the Describe, List and Get calls Annie needs. The policy below narrows the actions, not the resources (every statement uses resources = ["*"]); tighten the resource ARNs further if your account has conventions that make that practical.
```hcl
data "aws_iam_policy_document" "annie_minimal_access" {
  statement {
    sid    = "AllowComputeResources"
    effect = "Allow"
    actions = [
      "ec2:Describe*",
      "eks:Describe*",
      "eks:List*",
      "ecs:Describe*",
      "ecs:List*",
      "lambda:List*",
      "lambda:Get*",              # includes lambda:GetFunction (code download URL)
      "autoscaling:Describe*",
      "elasticbeanstalk:Describe*",
      "elasticbeanstalk:List*",
      "lightsail:Get*",
      "lightsail:List*",
      "batch:Describe*",
      "batch:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowStorageResources"
    effect = "Allow"
    actions = [
      "s3:List*",
      "s3:Get*",                 # includes s3:GetObject (object contents)
      "rds:Describe*",
      "rds:List*",
      "dynamodb:Describe*",
      "dynamodb:List*",
      "elasticache:Describe*",
      "elasticache:List*",
      "efs:Describe*",
      "fsx:Describe*",
      "fsx:List*",
      "backup:Describe*",
      "backup:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowNetworkResources"
    effect = "Allow"
    # "vpc" is not an IAM service prefix (VPC APIs are ec2:* actions), so the
    # original "vpc:Describe*" entry matched nothing and has been dropped. The
    # explicit ec2:Describe... entries are already covered by ec2:Describe* in
    # AllowComputeResources and are kept only to document what Annie reads.
    actions = [
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeRouteTables",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeInternetGateways",
      "ec2:DescribeNatGateways",
      "ec2:DescribeVpcEndpoints",
      "elasticloadbalancing:Describe*",
      "route53:List*",
      "route53:Get*",
      "cloudfront:List*",
      "cloudfront:Get*",
      "globalaccelerator:List*",
      "globalaccelerator:Describe*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowIdentityResources"
    effect = "Allow"
    actions = [
      "iam:List*",
      "iam:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowMonitoringResources"
    effect = "Allow"
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:List*",
      "cloudwatch:Get*",
      "logs:Describe*",
      "logs:List*",
      "health:Describe*",
      "cloudtrail:Describe*",
      "cloudtrail:List*",
      "cloudtrail:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowApplicationResources"
    effect = "Allow"
    actions = [
      "sns:List*",
      "sns:Get*",
      "sqs:List*",
      "sqs:Get*",
      "mq:List*",
      "mq:Describe*",
      "apigateway:GET",
      "apigateway:HEAD",
      "appsync:List*",
      "appsync:Get*",
      "elasticmapreduce:List*",
      "elasticmapreduce:Describe*",
      "kafka:List*",
      "kafka:Describe*",
      "kinesis:List*",
      "kinesis:Describe*"
    ]
    resources = ["*"]
  }
}

# Turn the document into a managed policy and attach it in place of ReadOnlyAccess.
# Shown for the role from Option A; for Option B use aws_iam_user_policy_attachment
# with user = aws_iam_user.annie_user.name instead.
resource "aws_iam_policy" "annie_minimal_access" {
  name   = "annie-minimal-access"
  policy = data.aws_iam_policy_document.annie_minimal_access.json
}

resource "aws_iam_role_policy_attachment" "annie_minimal_access" {
  role       = aws_iam_role.annie_assume_role.name
  policy_arn = aws_iam_policy.annie_minimal_access.arn
}
```
Every action in this policy is a Describe, List or Get call (GET and HEAD for API Gateway), so nothing in it can create, modify or delete resources. Two wildcards still reach data rather than configuration: s3:Get* includes s3:GetObject, which reads the contents of every object in every bucket, and lambda:Get* includes lambda:GetFunction, which returns a download URL for the function code. If Annie only needs bucket metadata, replace s3:Get* with bucket-level actions such as s3:GetBucket* and s3:GetEncryptionConfiguration (s3:List* already covers s3:ListBucket and s3:ListAllMyBuckets), and replace lambda:Get* with lambda:GetFunctionConfiguration.
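Reviewing a policy of this size by eye is error-prone, which is how the invalid "vpc:Describe*" entry and the broad s3:Get* survive into production. The script below is an added example, not part of Anyshift's documentation or tooling: it lints an action list for verbs that are not read-only, service prefixes IAM does not know, wildcard entries that silently cover data-reading actions, and entries made redundant by a broader pattern in the same policy. The action list is copied from the policy above (including the original "vpc:Describe*" entry so the lint has something to catch); the NOT_A_SERVICE_PREFIX and SENSITIVE_READS tables are constructed for this example from general IAM knowledge and are deliberately short, so extend them for your own services.

```python
"""Lint an IAM action list before attaching a "read-only" policy for a third party (added example)."""
from fnmatch import fnmatchcase

# Verbs that only read configuration; any other verb is flagged for manual review.
READ_VERBS = ("Describe", "List", "Get", "GET", "HEAD")

# Constructed table: strings that look like service prefixes but are not valid in IAM,
# mapped to the prefix that actually owns those APIs. An unknown prefix never matches a call.
NOT_A_SERVICE_PREFIX = {"vpc": "ec2"}

# Constructed table of read actions that return data rather than configuration.
# A wildcard such as s3:Get* silently grants them.
SENSITIVE_READS = {
    "s3:GetObject": "reads the contents of every object in every bucket",
    "lambda:GetFunction": "returns a presigned URL for downloading the function code",
    "logs:GetLogEvents": "reads log lines, which often carry secrets or PII",
    "dynamodb:GetItem": "reads table rows",
    "secretsmanager:GetSecretValue": "reads secret values",
    "ssm:GetParameter": "reads parameters, including SecureString values",
}

# Constructed sample: the actions of the minimal policy above, grouped by statement sid.
PAGE_STATEMENTS = {
    "AllowComputeResources": [
        "ec2:Describe*", "eks:Describe*", "eks:List*", "ecs:Describe*", "ecs:List*",
        "lambda:List*", "lambda:Get*", "autoscaling:Describe*", "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*", "lightsail:Get*", "lightsail:List*", "batch:Describe*", "batch:List*"],
    "AllowStorageResources": [
        "s3:List*", "s3:Get*", "rds:Describe*", "rds:List*", "dynamodb:Describe*", "dynamodb:List*",
        "elasticache:Describe*", "elasticache:List*", "efs:Describe*", "fsx:Describe*", "fsx:List*",
        "backup:Describe*", "backup:List*"],
    "AllowNetworkResources": [
        "vpc:Describe*", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables", "ec2:DescribeNetworkInterfaces", "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways", "ec2:DescribeVpcEndpoints", "elasticloadbalancing:Describe*",
        "route53:List*", "route53:Get*", "cloudfront:List*", "cloudfront:Get*",
        "globalaccelerator:List*", "globalaccelerator:Describe*"],
    "AllowIdentityResources": ["iam:List*", "iam:Get*"],
    "AllowMonitoringResources": [
        "cloudwatch:Describe*", "cloudwatch:List*", "cloudwatch:Get*", "logs:Describe*", "logs:List*",
        "health:Describe*", "cloudtrail:Describe*", "cloudtrail:List*", "cloudtrail:Get*"],
    "AllowApplicationResources": [
        "sns:List*", "sns:Get*", "sqs:List*", "sqs:Get*", "mq:List*", "mq:Describe*",
        "apigateway:GET", "apigateway:HEAD", "appsync:List*", "appsync:Get*",
        "elasticmapreduce:List*", "elasticmapreduce:Describe*", "kafka:List*", "kafka:Describe*",
        "kinesis:List*", "kinesis:Describe*"],
}
PAGE_ACTIONS = [a for actions in PAGE_STATEMENTS.values() for a in actions]


def lint_actions(actions):
    """Return findings for a list of IAM action patterns (policy-wide, across statements).

    not_read_only:   verb is not Describe/List/Get (or GET/HEAD for API Gateway)
    invalid_prefix:  service prefix IAM does not recognise, so the entry never matches a call
    sensitive_reads: (concrete action, granting pattern) pairs drawn from SENSITIVE_READS
    redundant:       (pattern, broader pattern) pairs where one entry already covers another
    """
    findings = {"not_read_only": [], "invalid_prefix": [], "sensitive_reads": [], "redundant": []}
    for action in actions:
        service, _, verb = action.partition(":")
        if service in NOT_A_SERVICE_PREFIX:
            findings["invalid_prefix"].append(action)
        if not verb.startswith(READ_VERBS):
            findings["not_read_only"].append(action)
    for concrete in SENSITIVE_READS:            # IAM wildcards are shell-style globs
        for pattern in actions:
            if fnmatchcase(concrete, pattern):
                findings["sensitive_reads"].append((concrete, pattern))
    for pattern in actions:
        for other in actions:
            if other != pattern and fnmatchcase(pattern, other):
                findings["redundant"].append((pattern, other))
    return findings


if __name__ == "__main__":
    report = lint_actions(PAGE_ACTIONS)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    for concrete, pattern in report["sensitive_reads"]:
        print(f"  {pattern} grants {concrete}: {SENSITIVE_READS[concrete]}")
```

Run against the page's policy it reports one invalid prefix (vpc:Describe*), two sensitive reads (s3:GetObject via s3:Get*, lambda:GetFunction via lambda:Get*), the eight ec2:Describe... entries already covered by ec2:Describe*, and no non-read verbs. The glob matching mirrors how IAM expands wildcards, so the same function can be pointed at any identity policy exported with `aws iam get-policy-version`.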
Features Enabled
Resource Monitoring
Real-time visibility into your cloud infrastructure
Dependency Mapping
Understand your infrastructure dependencies
Try Annie Today
Start building your infrastructure knowledge graph and unlock intelligent infrastructure management.