AWS Integration

Option 1: IAM Assume Role (Recommended)

Step 1: Create the IAM Role

Use one of these methods to create a role with read-only permissions:

Using Terraform (Recommended)

resource "aws_iam_role" "annie_assume_role" {
  name = "annie-assume-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::211125758836:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = "replace_with_optional_external_id"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "read_only_access" {
  role       = aws_iam_role.annie_assume_role.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Using AWS Console

Navigate to IAM Roles and select Create Role.
Choose Another AWS account and enter the Account ID: 211125758836.
Add an External ID (Optional: Acts as a shared secret).
Attach the AWS-managed policy ReadOnlyAccess.
Complete the role creation process.
Copy the Role ARN for the next step.

Step 2: Add the IAM Role to Anyshift

Navigate to Anyshift Configuration and select Add AWS Role.
Enter a descriptive Display Name for the role (e.g., "read_only_role_for_anyshift").
Paste the Role ARN from the previous step.
Enter the External ID (Optional)
Save the configuration.

Option 2: IAM User

Step 1: Create IAM User

Choose your preferred method:

Using Terraform (Highly Recommended)

resource "aws_iam_user" "annie_user" {
  name = "annie-readonly-user"
}

resource "aws_iam_access_key" "annie_access_key" {
  user = aws_iam_user.annie_user.name
}

resource "aws_iam_user_policy_attachment" "read_only_access" {
  user       = aws_iam_user.annie_user.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Using AWS Console

Go to IAM → Users → Add User
Enable Programmatic Access
Attach “ReadOnlyAccess” policy
Save Access Key ID and Secret Access Key

Step 2: Configure in Anyshift

Enter the Access Key ID and Secret Access Key you obtained from the IAM user creation step.
Provide a descriptive AWS Account Name label (e.g., "read_only_user_for_anyshift").

Custom Permissions (Optional)

For granular control, you can limit access to specific resources:

data "aws_iam_policy_document" "annie_minimal_access" {
  statement {
    sid    = "AllowComputeResources"
    effect = "Allow"
    actions = [
      "ec2:Describe*",
      "eks:Describe*",
      "eks:List*",
      "ecs:Describe*",
      "ecs:List*",
      "lambda:List*",
      "lambda:Get*",
      "autoscaling:Describe*",
      "elasticbeanstalk:Describe*",
      "elasticbeanstalk:List*",
      "lightsail:Get*",
      "lightsail:List*",
      "batch:Describe*",
      "batch:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowStorageResources"
    effect = "Allow"
    actions = [
      "s3:List*",
      "s3:Get*",
      "rds:Describe*",
      "rds:List*",
      "dynamodb:Describe*",
      "dynamodb:List*",
      "elasticache:Describe*",
      "elasticache:List*",
      "efs:Describe*",
      "fsx:Describe*",
      "fsx:List*",
      "backup:Describe*",
      "backup:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowNetworkResources"
    effect = "Allow"
    actions = [
      "vpc:Describe*",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeRouteTables",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeInternetGateways",
      "ec2:DescribeNatGateways",
      "ec2:DescribeVpcEndpoints",
      "elasticloadbalancing:Describe*",
      "route53:List*",
      "route53:Get*",
      "cloudfront:List*",
      "cloudfront:Get*",
      "globalaccelerator:List*",
      "globalaccelerator:Describe*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowIdentityResources"
    effect = "Allow"
    actions = [
      "iam:List*",
      "iam:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowMonitoringResources"
    effect = "Allow"
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:List*",
      "cloudwatch:Get*",
      "logs:Describe*",
      "logs:List*",
      "health:Describe*",
      "cloudtrail:Describe*",
      "cloudtrail:List*",
      "cloudtrail:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowApplicationResources"
    effect = "Allow"
    actions = [
      "sns:List*",
      "sns:Get*",
      "sqs:List*",
      "sqs:Get*",
      "mq:List*",
      "mq:Describe*",
      "apigateway:GET",
      "apigateway:HEAD",
      "appsync:List*",
      "appsync:Get*",
      "elasticmapreduce:List*",
      "elasticmapreduce:Describe*",
      "kafka:List*",
      "kafka:Describe*",
      "kinesis:List*",
      "kinesis:Describe*"
    ]
    resources = ["*"]
  }
}

This provides read-only access to common AWS resources while maintaining security best practices.

Features Enabled

Resource Monitoring

Real-time visibility into your cloud infrastructure

Dependency Mapping

Understand your infrastructure dependencies

Try Annie Today

Create Account

Create your Anyshift account

Request Demo

See Annie’s knowledge graph in action

Get Started

Product

Privacy & Security

Overview

Setup Guide

Step 1: Create the IAM Role

Step 2: Add the IAM Role to Anyshift

Step 1: Create IAM User

Step 2: Configure in Anyshift

Features Enabled

Resource Monitoring

Dependency Mapping

Try Annie Today

Create Account

Request Demo

Get Started

Product

Privacy & Security

​Overview

​Setup Guide

​Step 1: Create the IAM Role

​Step 2: Add the IAM Role to Anyshift

​Step 1: Create IAM User

​Step 2: Configure in Anyshift

​Features Enabled

Resource Monitoring

Dependency Mapping

​Try Annie Today

Create Account

Request Demo

Overview

Setup Guide

Step 1: Create the IAM Role

Step 2: Add the IAM Role to Anyshift

Step 1: Create IAM User

Step 2: Configure in Anyshift

Features Enabled

Try Annie Today