2. Cloud Provider Integration
Configuring Read-Only Access
AWS Access
Set up AWS IAM access for live resource monitoring and S3 Terraform States access. Use a role with least-privilege, read-only permissions.
Repeat this step for each AWS account you want to monitor.
Quick Setup
Access the settings by clicking on the top right burger menu and selecting “Configuration”:
Use one of the following methods to securely create an IAM user with read-only access to your AWS resources.
After the user is created, remember to store the Access Key ID and Secret Access Key for the next step.
- Option 1: Terraform (Highly Recommended)
Use Terraform to create the IAM user and maintain configurations as code:
# Create an IAM User
resource "aws_iam_user" "anyshift_user" {
  name = "replace_with_your_user_name"
}

# Generate Access Keys for the User
resource "aws_iam_access_key" "anyshift_access_key" {
  user = aws_iam_user.anyshift_user.name
}

# Attach the AWS-Managed ReadOnlyAccess Policy
resource "aws_iam_user_policy_attachment" "read_only_access" {
  user       = aws_iam_user.anyshift_user.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
- Option 2: Using the AWS Console
- Sign in to the AWS Management Console and open the IAM service.
- Choose Users → Add User.
- Set Access type to Programmatic Access (for Access Key & Secret Access Key).
- When assigning permissions, attach the ReadOnlyAccess AWS-managed policy.
- Complete the user creation and note down the Access Key ID and Secret Access Key.
- Enter the Access Key ID and Secret Access Key you obtained from the IAM user creation step.
- Provide a descriptive AWS Account Name label (e.g., "read_only_user_for_anyshift").
For more control over which resources the IAM User can access, you can implement a more granular IAM policy.
- When operating in a “deteriorated mode” (without live cloud mapping), Anyshift only needs read access to the S3 buckets that store your Terraform state files.
- This access allows Anyshift to create a digital twin (an internal copy) of your infrastructure.
- To define these more restricted policies, follow the steps below:
- Define a Policy for Terraform S3 Buckets
Use JSON or Terraform to define bucket-specific, read-only access.
- Option 1: Terraform (Highly Recommended)
data "aws_iam_policy_document" "tfstates_buckets_read" {
  statement {
    sid    = "AllowListingOfSpecifiedBuckets"
    effect = "Allow"
    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation"
    ]
    resources = [
      "arn:aws:s3:::mycorp-tfstates",
      "arn:aws:s3:::mycorp-staging-tfstates-bucket"
    ]
  }

  statement {
    sid     = "AllowReadOfObjectsInSpecifiedBuckets"
    effect  = "Allow"
    actions = ["s3:GetObject"]
    resources = [
      "arn:aws:s3:::mycorp-tfstates/*",
      "arn:aws:s3:::mycorp-staging-tfstates-bucket/*"
    ]
  }

  statement {
    sid    = "AllowIAMListActions"
    effect = "Allow"
    actions = [
      "iam:ListUsers",
      "iam:ListGroups",
      "iam:ListRoles",
      "iam:ListPolicies",
      "iam:ListAttachedUserPolicies",
      "iam:ListAttachedGroupPolicies",
      "iam:ListAttachedRolePolicies",
      "iam:GetGroup"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "tfstates_buckets_read_policy" {
  name        = "tfstates-buckets-read-policy"
  description = "Grants read-only access to specific S3 buckets and IAM list actions"
  policy      = data.aws_iam_policy_document.tfstates_buckets_read.json
}
- Option 2: Use JSON Policy
Download the pre-configured policy file from our dashboard and apply it directly in your AWS account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetGroup"
      ],
      "Resource": "*"
    }
  ]
}
- Attach the Policy to the AWS User
Attach the policy to the IAM user created earlier.
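Before attaching a hand-edited policy, it is worth checking offline that it still grants only read actions and names specific state buckets. The checker below is an added example, not Anyshift's code; TIGHT and BROAD are constructed samples (TIGHT restates the bucket-scoped Terraform policy above as JSON, BROAD is a deliberately over-permissive variant), and the read-only verb prefixes are an assumption for this illustration.

```python
import json

# Constructed samples (not from the Anyshift dashboard). TIGHT mirrors the
# bucket-scoped Terraform policy on this page, expressed as JSON; BROAD is an
# over-permissive variant written only to show what the checker flags.
TIGHT = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
   "Resource": "arn:aws:s3:::mycorp-tfstates"},
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::mycorp-tfstates/*"},
  {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetGroup"], "Resource": "*"}
]}""")
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
]}""")

READ_ONLY_VERBS = ("Get", "List", "Describe")  # assumed read-only verb prefixes


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list[str]:
    """Return least-privilege findings for an IAM policy document; [] means clean."""
    findings = []
    listable, object_buckets = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"non-read-only action: {action}")
            if service == "s3" and any(r in ("*", "arn:aws:s3:::*") for r in resources):
                findings.append(f"{action} allowed on every bucket")
            for res in resources:
                bucket = res.removeprefix("arn:aws:s3:::")
                if action == "s3:ListBucket" and "/" not in bucket:
                    listable.add(bucket)
                elif action == "s3:GetObject" and bucket.endswith("/*"):
                    object_buckets.add(bucket[:-2])
    # GetObject alone reads known keys only; enumerating state files needs ListBucket
    for bucket in sorted(object_buckets - listable):
        findings.append(f"no s3:ListBucket for {bucket}: state files cannot be enumerated")
    return findings
```

Run `policy_findings` on the JSON you are about to attach; an empty list means every allowed action is a read verb, no S3 grant covers all buckets, and each object-read bucket can also be listed.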
Additional Information
- Security: The role follows a least-privilege model, ensuring minimal access while enabling live monitoring.
- Support: For any questions or assistance, reach out to contact@anyshift.io.