AWS
Provider Setup

Connect AWS

ConfigTrace connects to AWS using an IAM user or role with read-only permissions. It monitors security group rules, IAM policies, Route 53 records, and S3 bucket configuration — with no write access and no access to your application data.

Prerequisites

  • An AWS account with IAM access (to create policies and users)
  • Permission to create IAM policies and generate access keys
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Create read-only IAM policy

In the AWS Console, go to IAM → Policies → Create policy. Switch to the JSON editor and paste the following policy:

IAM Policy JSON (read-only, no write permissions; the IAM editor accepts strict JSON only, so the action groups are separated by blank lines rather than comments):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigTraceReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeInstances",

        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:ListUsers",
        "iam:ListRoles",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",

        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",

        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketVersioning"
      ],
      "Resource": "*"
    }
  ]
}

The action groups are, in order: EC2 security groups, IAM policies and roles, Route 53 DNS records, and S3 bucket configuration metadata. Note that the IAM action authorizing the GetBucketEncryption API is named s3:GetEncryptionConfiguration.

Name the policy something recognizable like ConfigTraceReadOnly. Click Create policy.

No write permissions required. ConfigTrace only reads configuration metadata. Do not grant any ec2:Modify*, iam:Create*, or similar write actions. ConfigTrace will never attempt to remediate or change your configuration.
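Before attaching the policy, it is worth checking mechanically that it really is read-only. The following script is an added example, not part of ConfigTrace or this page: it parses a policy document and flags wildcard actions, actions whose verb is not Describe/Get/List, Allow statements that use NotAction, and a small hypothetical list of Get-style actions that return data rather than configuration metadata (matching the "Never reads" list below). The sample policies are constructed for the example.

```python
import json

# IAM verbs used by read-only configuration APIs.
READ_ONLY_VERBS = ("Describe", "Get", "List")
# Get-style actions that return data, not configuration metadata (hypothetical list).
DATA_ACCESS_ACTIONS = {"s3:GetObject", "secretsmanager:GetSecretValue",
                       "ssm:GetParameter", "ssm:GetParametersByPath",
                       "logs:GetLogEvents", "dynamodb:GetItem"}

def _as_list(value):
    """IAM accepts a bare string where a list is expected; normalize to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def find_violations(policy):
    """Return problems found in Allow statements; an empty list means read-only."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        if "NotAction" in stmt:
            problems.append(f"{sid}: Allow with NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            verb = action.partition(":")[2]
            if "*" in action:
                problems.append(f"{sid}: wildcard action {action}")
            elif not verb.startswith(READ_ONLY_VERBS):
                problems.append(f"{sid}: write-capable action {action}")
            elif action in DATA_ACCESS_ACTIONS:
                problems.append(f"{sid}: data-access action {action}")
    return problems

def check_policy_text(policy_text):
    """Parse a policy document (strict JSON, so no // comments) and check it."""
    return find_violations(json.loads(policy_text))

# Constructed samples: a trimmed copy of the page's statement, and an over-broad one.
GOOD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "ConfigTraceReadOnly",
  "Effect": "Allow", "Action": ["ec2:DescribeSecurityGroups", "iam:GetPolicyVersion",
  "route53:ListResourceRecordSets", "s3:GetBucketPolicy"], "Resource": "*"}]}"""
BAD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "TooBroad",
  "Effect": "Allow", "Action": ["ec2:DescribeSecurityGroups",
  "ec2:ModifySecurityGroupRules", "iam:*", "s3:GetObject"], "Resource": "*"}]}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy_text(text) or ["read-only: OK"])
```

The verb-prefix rule is a heuristic: it catches write actions by name, while the data-access list covers Get-style actions that expose content rather than metadata.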

Step 2 — Create IAM user and access key

  1. Create a dedicated IAM user
     Go to IAM → Users → Create user. Name it configtrace-readonly or similar. Select Programmatic access.
  2. Attach the policy
     On the permissions step, choose Attach existing policies directly and attach the ConfigTraceReadOnly policy you created.
  3. Save the access key
     On the final screen, copy the Access Key ID and Secret Access Key. You'll need both. The secret key is shown only once.

Prefer IAM roles? If your infrastructure uses IAM roles, you can attach the ConfigTraceReadOnly policy to a role and generate temporary credentials instead. The credentials you provide to ConfigTrace are encrypted and stored securely.

Step 3 — Connect in ConfigTrace

  1. Go to Integrations
     In the ConfigTrace sidebar, click Integrations, then click Connect on the AWS card.
  2. Enter credentials
     Paste your AWS Access Key ID and Secret Access Key, and select your primary AWS Region (e.g. us-east-1).
  3. Save
     Click Save integration. ConfigTrace will validate the credentials and confirm the connection.

Step 4 — Run your first sync

From the integration detail page, click Sync Now. The first sync creates your baseline snapshot. After it completes, ConfigTrace will sync automatically on your plan's schedule.

Open the Timeline to see the baseline created and any resources captured.

What ConfigTrace monitors

Reads (configuration metadata)
  • EC2 security group inbound and outbound rules
  • IAM policy documents and attached policies
  • Route 53 hosted zones and DNS record sets
  • S3 bucket policies and public access settings
  • S3 bucket ACLs, encryption, and versioning config
Never reads
  • S3 object contents or bucket data
  • RDS, DynamoDB, or any database records
  • CloudWatch logs or event contents
  • Secrets Manager or Parameter Store values
  • IAM user passwords or secret access key values
  • Application data of any kind

What ConfigTrace never reads

ConfigTrace is built for configuration metadata only. It uses read-only configuration APIs and never requests write permissions. It does not perform any remediation actions or modify your AWS environment in any way.

For a full breakdown across all providers, see the Data Access & Permissions reference.