# Amazon Web Services (AWS) Integration Sprinto’s AWS integration enables continuous monitoring of your cloud infrastructure to help you meet security and compliance requirements with minimal manual effort. By connecting your AWS environment, Sprinto automatically evaluates configurations, access controls, and resource health across your accounts. Sprinto uses **read-only access** to collect evidence, monitor compliance status, and alert you when action is required—without making any changes to your AWS resources. You can integrate AWS in two ways: * At the **organisation level**, to monitor all accounts under AWS Organizations * At the **individual account level**, to monitor specific AWS accounts independently *** ### Prerequisites Ensure the following prerequisites are met before setting up the AWS integration: * You are logged in to the **Sprinto Admin portal**. * You have **AdministratorAccess** privileges in the AWS root account, organisation management account, or the individual AWS account you want to connect. * You have permissions to create **IAM roles** or deploy **CloudFormation stacks** in AWS. {% hint style="info" %} #### Note Scripts, AWS account IDs, and external IDs shown during setup are **dynamically generated**. Always copy these values directly from the **Sprinto integration panel** to avoid configuration errors. {% endhint %} *** ### **Available Compliance Checks** Sprinto supports over 70 automated AWS checks. Below are some commonly used ones:
Compliance CheckResolution Guide
AWS access should be removed for offboarded usersOffboarding Guide
MFA should be enabled for AWS usersMFA Setup
AWS RDS freespace should be monitoredRDS Freespace
AWS RDS CPU utilisation should be monitoredRDS CPU
AWS access keys should not be older than 90 daysKey Rotation
[View Full List](https://docs.sprinto.com/monitors/cloud-and-infrastructure-monitoring/aws) {% hint style="info" %} #### Note Understand the complete list of permissions needed for AWS databases [here](https://docs.sprinto.com/integrations/permissions-and-resource-usage-in-sprinto-integrations#amazon-web-services-aws). {% endhint %} You can integrate AWS with Sprinto using either of the following methods: * **Integrate an AWS Organisation Unit (OU):** This option allows you to connect an AWS OU along with its nested OUs and accounts. During configuration, you can select the specific accounts to monitor for compliance. * **Integrate individual AWS accounts:** This option lets you connect standalone AWS accounts for compliance tracking. {% hint style="info" %} #### Note * You can connect multiple AWS accounts to your Sprinto dashboard. * If you’ve already integrated individual accounts from an AWS OU and wish to switch to OU-level integration, you must first disable the existing account-level integrations. {% endhint %} *** ### How it Works When you connect AWS to Sprinto: * Sprinto assumes an IAM role in your AWS account to **read configuration and metadata** * Resources are automatically discovered across selected regions * Compliance checks are evaluated continuously * Issues are surfaced in Sprinto with clear remediation guidance Sprinto does **not** create, modify, or delete any AWS resources. *** ### Integration Methods You can integrate AWS using either: * A **CloudFormation template** (recommended) * A **manually created IAM role** Each method is available for: * **AWS organisation-level integration** * **Individual AWS account integration** *** ### AWS Organisation-level Integration Use this approach if you manage multiple AWS accounts under **AWS Organizations** and want to monitor them centrally. #### Before you Begin Ensure the AWS user, role, or group performing the setup has the **AdministratorAccess** policy attached. *** #### Method 1: Use CloudFormation template (recommended) This method automates IAM role creation using a CloudFormation template. #### **Start the integration in Sprinto** 1. Log in to the Sprinto Dashboard. 2. Go to **Settings → Integrations.** 3. Search for **AWS** and click **Connect.**
4. Select **AWS organization.** 5. Enter your **Root OU ID.** 6. Choose **Use CloudFormation template**, then click **Continue.**
#### Step 1: Create the access role This step sets up a read-only IAM role (`sprinto-auditor-role`) across all accounts in your AWS Organisation. **A. Set up access permissions for the management account** 1. Log in to your **AWS management (root) account**. 2. Open **AWS CloudShell**. 3. From the Sprinto integration panel, **copy the provided bash script**.
4. Paste and run the script in CloudShell. What this does: * Creates an IAM role named **`sprinto-auditor-role`**. * Grants permissions to audit AWS resources and read CloudWatch logs. * Uses a **CloudFormation template** to automate role creation. * Attaches required policies such as: * `SecurityAudit` * `CloudWatch (Read Only), PutMetricAlarm (Write) and Lightsail (Read Only)` (if enabled)
{% hint style="info" %} #### Note Scripts, Account IDs, and External IDs are dynamic. Always copy them directly from the Sprinto integration panel. {% endhint %} *** **B. Create a StackSet** After permissions are set up: 1. In the **same management account**, copy the **StackSet creation command** from Sprinto. 2. Run the command in **AWS CloudShell**.
What this does: * Creates a **CloudFormation StackSet**. * Defines the IAM role and permissions that will be deployed across all child accounts in the organisation.
*** **C. Deploy the StackSet to all accounts** Once the StackSet is created: 1. Copy the **StackSet deployment command** from Sprinto. 2. Run it in **AWS CloudShell**.
What this does: * Deploys the StackSet to **all accounts under the specified Root OU**. * Automatically creates the `sprinto-auditor-role` in each child account.
*** **D. Get the Role ARN** After deployment completes: 1. Run the **final command** provided in Sprinto to retrieve the Role ARN from the management account. 2. Copy the **Role ARN** and keep it handy.
{% hint style="info" %} #### Note If the output shows `CREATE_IN_PROGRESS`, wait a few seconds and run the command again until the Role ARN is returned. {% endhint %}
*** #### Step 2: Complete the integration in Sprinto 1. Return to the **Sprinto AWS integration screen**. 2. Paste the **Role ARN** you copied earlier. 3. Select the **AWS regions** where your production workloads run. 4. Click **Connect**.
Once completed, Sprinto will start monitoring all supported AWS resources across your organisation using the configured read-only access. *** #### Method 2: Create IAM role manually Use this method if you prefer to configure IAM permissions yourself. #### **Start the integration in Sprinto** 1. Go to **Settings → Integrations.** 2. Search for **AWS** and click **Connect.** 3. Select **AWS organization.** 4. Choose **Create IAM role manually.** 5. Click **Continue.**
**A. Set up roles on all accounts** 1. Log in to the AWS Management Console. 2. Navigate to **IAM**. 3. Go to **Roles** and select **Create role**. 4. On the role creation page, choose **Another AWS account** as the trusted entity.
This sets up the base role that Sprinto will later assume to audit your AWS resources. *** **B. Set up permissions on all accounts** 1. In the **Specify accounts that can use this role** section, enter the following details: * **Account ID**: Copy this from the Sprinto integration drawer. * **External ID**: Copy this exactly as shown in Sprinto. 2. Ensure **Require external ID** is enabled (recommended best practice for third-party access). 3. Make sure **Require MFA** is **not selected**. 4. Select **Next**. 5. On the **Add permissions** screen: * Search for and attach the **SecurityAudit** policy. 6. Click **Next** to proceed.
*** **C. Add additional permissions (optional)** Depending on your setup, you can attach additional policies: * To allow Sprinto to create or manage CloudWatch alarms: * Attach CloudWatch (Read Only), PutMetricAlarm (Write) and Lightsail (Read Only) * To fetch AWS SSO users: * Attach **AWSSSODirectoryReadOnly** * Attach **AWSSSOReadOnly** * You can optionally add tags in the **Add tags** section. Select **Next** after adding any optional permissions.
*** **D. Complete role setup on all accounts** 1. In the **Role details** section: * Enter the role name as **`sprinto-auditor-role`** 2. Review the configuration and select **Create role**. 3. Once created, search for the role **`sprinto-auditor-role`** in IAM.
*** **E. Get the Role ARN of the root account** 1. In the **management (root) account**, open the newly created role: * **`sprinto-auditor-role`** 2. Copy the **Role ARN**. 3. Save this ARN, you’ll need it in the next step.
*** #### Step 2: Complete the integration in Sprinto 1. Return to the **Sprinto** dashboard. 2. In the AWS integration drawer: * Paste the copied **Role ARN**. 3. Select the **AWS regions** where your production workloads run. * You can modify regions later if needed. 4. Select **Connect**.
Once completed, Sprinto begins monitoring your AWS environment using the configured IAM role. *** ### Individual AWS Account Integration Use this approach if you want to monitor one or more AWS accounts independently. {% hint style="info" %} #### Note If you later switch to organisation-level integration, you must first disable all individually connected accounts. {% endhint %} *** #### Method 1: Use CloudFormation template **Step 1: Start the integration in Sprinto** 1. Go to **Settings → Integrations.** 2. Search for **AWS** and click **Connect.** 3. Select **AWS account.**
4. Confirm and click **Continue.** 5. Review required permissions and click **Next.** 6. Choose **Use CloudFormation template.**
**Step 2: Create the access role** 1. Copy the provided bash command.
2. Run it in **AWS CloudShell.** 3. The role is created automatically.
**Step 3: Get role ARN and complete integration** 1. Copy the Role ARN. 2. Paste it in Sprinto. 3. Select regions. 4. Click **Connect.**
*** #### Method 2: Create IAM role manually **Step 1: Start the integration in Sprinto** 1. Go to **Settings → Integrations.** 2. Search for **AWS** and click **Connect.** 3. Select **AWS account.** 4. Choose **Create IAM role manually.** 5. Click **Continue.**
**Step 2: Set up the IAM role** 1. Create a new IAM role with a **custom trust policy.**
2. Paste the JSON provided by Sprinto. 3. Attach the **SecurityAudit** policy.
**Optional permissions** * CloudWatch alarms: `CloudWatch (Read Only), PutMetricAlarm (Write) and Lightsail (Read Only)` * SSO users: `AWSSSOReadOnly`, `AWSSSODirectoryReadOnly` * Tags can be added if needed.
**Step 3: Complete role setup** * Name the role `sprinto-auditor-role` . * Create the role and copy its ARN.
**Step 4: Complete the integration** 1. Paste the Role ARN in Sprinto. 2. Select regions. 3. Click **Connect.**
*** ### Required permissions and data access #### Permissions required * **SecurityAudit** (mandatory) * Administrator access is required only during setup. #### Data accessed by Sprinto Sprinto reads configuration data for services such as: * IAM, EC2, S3, RDS, EKS * Load balancers, VPCs, Lambda, API Gateway * CloudWatch (if enabled) Sprinto does **not** modify or delete resources. *** ### Troubleshooting #### Integration fails during setup * Ensure **AdministratorAccess** is attached to the AWS user, role, or group. * Verify that the correct **external ID** is used. #### CloudFormation stack stuck in progress * Wait a few seconds before retrying. * Ensure no conflicting IAM roles already exist. #### Role ARN not accepted * Confirm the ARN belongs to `sprinto-auditor-role` . * Ensure the role exists in the correct account. #### Regions not showing data * Ensure regions were selected during setup. * You can modify regions later from the integration settings. #### Switching from individual accounts to organisation integration * Disable all individually connected AWS accounts first. * Then proceed with organisation-level setup. *** ### **Support** If you encounter any issues or need assistance with your integration, contact the Sprinto support team at .