2. Cloud Provider Integration
Configuring Read-Only Access
AWS Access
Configure AWS IAM access to enable live resource monitoring and access to S3 Terraform State files. Choose between two methods depending on your organizational needs:
- Option 1: Use an IAM Assume Role for secure cross-account access with temporary credentials.
- Option 2: Use an IAM user with programmatic credentials. Repeat this process for each AWS account you wish to monitor.
Both methods use a read-only permission model. The quick setup below attaches the broad AWS-managed ReadOnlyAccess policy; for tighter least privilege, a more granular policy limited to your Terraform state buckets and IAM list calls is described at the end of this section.
Quick Setup
Open the settings by clicking the burger menu at the top right and selecting "Configuration":
After completing Step 1 "Install GitHub App", you should be redirected to:
Option 1: IAM Assume Role
Step 1: Create the IAM Role
Use one of the following methods to create a new role with read-only permissions:
- Using Terraform (Highly Recommended)
  resource "aws_iam_role" "anyshift_assume_role" {
    name = "anyshift-assume-role"

    # assume_role_policy must be a JSON string, so the trust policy is wrapped in
    # jsonencode() rather than written as a bare HCL object.
    assume_role_policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect    = "Allow"
          Principal = { AWS = "arn:aws:iam::211125758836:root" }
          Action    = "sts:AssumeRole"
          # The External ID is a shared secret between you and Anyshift that protects
          # the role against the confused-deputy problem. It is optional, but if you
          # keep this Condition block you must replace the placeholder and enter the
          # same value in Anyshift in Step 2; remove the block if you do not use one.
          Condition = {
            StringEquals = { "sts:ExternalId" = "replace_with_optional_external_id" }
          }
        }
      ]
    })
  }

  # Attach the AWS-managed ReadOnlyAccess policy to the role.
  resource "aws_iam_role_policy_attachment" "read_only_access" {
    role       = aws_iam_role.anyshift_assume_role.name
    policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
- Using the AWS Console
- Navigate to IAM Roles and select Create Role.
- Choose Another AWS account and enter the Account ID: 211125758836.
- Add an External ID (optional but recommended: it acts as a shared secret that protects the role against the confused-deputy problem; you will enter the same value in Anyshift in Step 2).
- Attach the AWS-managed policy ReadOnlyAccess.
- Complete the role creation process.
- Copy the Role ARN for the next step.
Step 2: Add the IAM Role to Anyshift
- Navigate to Anyshift Configuration and select Add AWS Role.
- Enter a descriptive Display Name for the role (e.g., "read_only_role_for_anyshift").
- Paste the Role ARN from the previous step.
- Enter the External ID (Optional)
- Save the configuration.
Option 2: IAM User
Step 1: Create an IAM User with Limited Access
Use one of the following methods to create an IAM user with read-only access to your AWS resources. Unlike the assume-role option, this produces long-lived access keys that you must store securely and rotate; prefer Option 1 where your organization allows it.
After the user is created, remember to store the Access Key ID and Secret Access Key for the next step.
- Using Terraform (Highly Recommended)
  # Create an IAM User
  resource "aws_iam_user" "anyshift_user" {
    name = "replace_with_your_user_name"
  }

  # Generate Access Keys for the User.
  # The secret access key is written to the Terraform state in plain text, so
  # treat that state as sensitive (encrypted backend, restricted access).
  resource "aws_iam_access_key" "anyshift_access_key" {
    user = aws_iam_user.anyshift_user.name
  }

  # Attach the AWS-Managed ReadOnlyAccess Policy
  resource "aws_iam_user_policy_attachment" "read_only_access" {
    user       = aws_iam_user.anyshift_user.name
    policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
- Using the AWS Console
- Sign in to the AWS Management Console and open the IAM service.
- Choose Users → Add User.
- Set Access type to Programmatic Access (for Access Key & Secret Access Key).
- When assigning permissions, attach the ReadOnlyAccess AWS-managed policy.
- Complete the user creation and note down the Access Key ID and Secret Access Key.
Step 2: Add IAM User Credentials to Anyshift
- Enter the Access Key ID and Secret Access Key you obtained from the IAM user creation step.
- Provide a descriptive AWS Account Name label (e.g., "read_only_user_for_anyshift").
- Save the configuration.
For more control over which resources the IAM user or role can access, you can replace the broad ReadOnlyAccess policy with a more granular IAM policy.
- When operating in "deteriorated mode" (without live cloud mapping), Anyshift only needs read access to the S3 buckets that store your Terraform state files.
- This access allows Anyshift to build a digital twin (an internal copy) of your infrastructure from the state files.
- The policy also needs IAM list permissions (Roles, Users, Groups, and Policies) to support the Shadow IT Discovery feature.
- If a state bucket is encrypted with SSE-KMS using a customer-managed key, the user or role additionally needs kms:Decrypt on that key; without it, s3:GetObject fails with AccessDenied even though the S3 permissions are correct.
- To define these more restricted policies, follow the steps below:
- Define a Policy for Terraform S3 Buckets
- Option 1: Terraform (Highly Recommended)
  # Scope S3 read access to the buckets that hold Terraform state. Replace the
  # bucket names with your own. Listing (on the bucket ARN) and reading objects
  # (on the object ARNs) are separate permissions, hence the two statements.
  data "aws_iam_policy_document" "tfstates_buckets_read" {
    statement {
      sid    = "AllowListingOfSpecifiedBuckets"
      effect = "Allow"
      actions = [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ]
      resources = [
        "arn:aws:s3:::mycorp-tfstates",
        "arn:aws:s3:::mycorp-staging-tfstates-bucket"
      ]
    }

    statement {
      sid     = "AllowReadOfObjectsInSpecifiedBuckets"
      effect  = "Allow"
      actions = ["s3:GetObject"]
      resources = [
        "arn:aws:s3:::mycorp-tfstates/*",
        "arn:aws:s3:::mycorp-staging-tfstates-bucket/*"
      ]
    }

    # IAM list/get calls used by Shadow IT Discovery. These are account-wide
    # metadata reads, so "*" is the only meaningful resource here.
    statement {
      sid    = "AllowIAMListActions"
      effect = "Allow"
      actions = [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetGroup"
      ]
      resources = ["*"]
    }
  }

  resource "aws_iam_policy" "tfstates_buckets_read_policy" {
    name        = "tfstates-buckets-read-policy"
    description = "Grants read-only access to specific S3 buckets and IAM list actions"
    policy      = data.aws_iam_policy_document.tfstates_buckets_read.json
  }
- Option 2: Use JSON Policy
Download the pre-configured policy file from our dashboard, replace your-bucket-name with the bucket that holds your Terraform state (add further entries for additional buckets), and apply it directly in your AWS account:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowListingOfStateBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::your-bucket-name"
      },
      {
        "Sid": "AllowReadOfStateObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*"
      },
      {
        "Sid": "AllowIAMListActions",
        "Effect": "Allow",
        "Action": [
          "iam:ListUsers",
          "iam:ListGroups",
          "iam:ListRoles",
          "iam:ListPolicies",
          "iam:ListAttachedUserPolicies",
          "iam:ListAttachedGroupPolicies",
          "iam:ListAttachedRolePolicies",
          "iam:GetGroup"
        ],
        "Resource": "*"
      }
    ]
  }
- Attach the Policy to the AWS User or Role
Attach the policy to the IAM user or role created earlier. IAM permissions are the union of every attached policy, so for the narrower permissions to take effect you must also detach the ReadOnlyAccess managed policy from that user or role.
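The following script is an added example, not Anyshift's code or part of its dashboard download. It checks the two policy documents from this page offline before they are applied: the role trust policy from Option 1, Step 1 (principal limited to the Anyshift account ID quoted above, sts:AssumeRole only, External ID present and not left at the placeholder) and the granular permissions policy from this section (no wildcard or write actions, S3 access pinned to named buckets). The three sample policies are constructed inline for the demo, and the list of "read-only" action prefixes is an assumption about IAM naming, not an AWS definition.

```python
"""Offline pre-apply checks for an IAM role trust policy and a read-only
permissions policy. Added example; the sample policies are constructed here."""
import json

# Account ID quoted in the docs above for the Anyshift principal.
ANYSHIFT_ACCOUNT = "211125758836"

# Assumption: an action counts as read-only when its name starts with one of these.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Constructed trust policy: what Step 1 produces once a real External ID is set.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ANYSHIFT_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "b1f0c6d2-example-external-id"}},
    }],
})

# Constructed permissions policy following the granular policy section.
PERMISSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::mycorp-tfstates"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::mycorp-tfstates/*"},
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:ListRoles", "iam:GetGroup"],
         "Resource": "*"},
    ],
})

# Constructed over-broad policy, to show what gets flagged.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, expected_account=ANYSHIFT_ACCOUNT):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif p not in (expected_account, f"arn:aws:iam::{expected_account}:root"):
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action} in trust policy")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif external_id.startswith("replace_with"):
            findings.append("sts:ExternalId still set to the placeholder value")
    return findings


def audit_permission_policy(policy_json):
    """Return findings for a permissions policy that is supposed to be read-only."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grant; use explicit Action and Resource")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if "*" in action:
                findings.append(f"wildcard action {action}")
                continue
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action {action}")
            # IAM list calls are account-wide, so Resource "*" is expected there,
            # but S3 reads must be pinned to the named state buckets.
            if service == "s3" and any(r in ("*", "arn:aws:s3:::*") for r in resources):
                findings.append(f"{action} allowed on every bucket; scope Resource to the state buckets")
    return findings


if __name__ == "__main__":
    for label, check, doc in (("trust policy", audit_trust_policy, TRUST_POLICY),
                              ("granular policy", audit_permission_policy, PERMISSION_POLICY),
                              ("over-broad policy", audit_permission_policy, OVERBROAD_POLICY)):
        print(f"{label}: {check(doc) or ['OK']}")
```

Run it with python3 and swap the inline constants for the JSON you are about to apply. It is a guard, not a substitute for review: the prefix check cannot tell that some Get* or Describe* actions return sensitive data, which is exactly why the granular policy above enumerates actions explicitly instead of using service wildcards.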