Amazon Web Services (AWS) Integration

Connect AWS with Sprinto to automatically monitor cloud infrastructure, enforce security best practices, and stay continuously compliant with 70+ automated checks.

Sprinto’s AWS integration enables continuous monitoring of your cloud infrastructure to help you meet security and compliance requirements with minimal manual effort.

By connecting your AWS environment, Sprinto automatically evaluates configurations, access controls, and resource health across your accounts. Sprinto uses read-only access to collect evidence, monitor compliance status, and alert you when action is required—without making any changes to your AWS resources.

You can integrate AWS in two ways:

  • At the organisation level, to monitor all accounts under AWS Organizations

  • At the individual account level, to monitor specific AWS accounts independently


Prerequisites

Ensure the following prerequisites are met before setting up the AWS integration:

  • You are logged in to the Sprinto Admin portal.

  • You have AdministratorAccess in the AWS account you are connecting: the AWS Organizations management account for an organisation-level integration, or the individual AWS account for an account-level integration.

  • You have permissions to create IAM roles or deploy CloudFormation stacks in AWS.

Note

Scripts, AWS account IDs, and external IDs shown during setup are dynamically generated. Always copy these values directly from the Sprinto integration panel to avoid configuration errors.


Available Compliance Checks

Sprinto supports over 70 automated AWS checks. Below are some commonly used ones:

Compliance check (each check links to a resolution guide in Sprinto):

  • AWS access should be removed for offboarded users

  • MFA should be enabled for AWS users

  • AWS RDS free space should be monitored

  • AWS RDS CPU utilisation should be monitored

  • AWS access keys should not be older than 90 days

The full list of checks is available in the Sprinto dashboard.
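Three of the checks above (offboarded users, MFA, key age) can be evaluated from a single artefact: the IAM credential report. The following is an added example of how such checks are typically implemented; it is not Sprinto's code, and the CSV is constructed to mimic the columns of `aws iam get-credential-report` (only the columns the checks read are included; a real report has more, which the parser ignores). In a live account you would feed in `iam.get_credential_report()["Content"].decode()` from boto3 instead.

```python
"""Evaluate an IAM credential report against three compliance checks.

Added example, not Sprinto's code. SAMPLE_REPORT is constructed; replace it
with the decoded Content of boto3's iam.get_credential_report() in practice.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed, trimmed credential report. Timestamps, "N/A", "no_information"
# and "not_supported" follow the conventions of the real report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T08:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T08:00:00+00:00,true,2024-06-01T09:00:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-05-20T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T08:00:00+00:00,true,2024-06-02T09:00:00+00:00,2023-12-01T10:00:00+00:00,N/A,false,true,2023-11-01T10:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-04-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-25T10:00:00+00:00,false,N/A
"""

# Constructed evaluation time so the example is deterministic.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO-8601 with a UTC offset; placeholders mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def evaluate_credential_report(report_csv, now, offboarded=(), max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for every check that fails."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_live_credential = (
            row["password_enabled"] == "true"
            or row["access_key_1_active"] == "true"
            or row["access_key_2_active"] == "true"
        )
        # Offboarded users: any credential that can still authenticate is a finding.
        if user in offboarded and has_live_credential:
            findings.append((user, "access-not-removed"))
        # MFA is only meaningful for principals that can sign in to the console.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "mfa-disabled"))
        # The root user reports password_enabled as not_supported but must still have MFA.
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root-mfa-disabled"))
        # Active access keys must have been rotated within the age limit.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access-key-{n}-older-than-{max_key_age_days}d"))
    return findings


def run_sample():
    """Evaluate the constructed report, treating carol as an offboarded user."""
    return evaluate_credential_report(SAMPLE_REPORT, NOW, offboarded={"carol"})


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the constructed report this flags bob twice (console password without MFA, and an access key rotated more than 90 days ago) and carol once (offboarded but still holding an active key); alice and the root user pass. Note that carol is not flagged for MFA because she has no console password, which is the usual way to avoid false positives on API-only users.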

Note

The complete list of permissions needed for AWS databases is documented in a separate article.

You can integrate AWS with Sprinto using either of the following methods:

  • Integrate an AWS Organizational Unit (OU): This option connects an OU together with its nested OUs and accounts. During configuration, you can select the specific accounts to monitor for compliance.

  • Integrate individual AWS accounts: This option lets you connect standalone AWS accounts for compliance tracking.

Note

  • You can connect multiple AWS accounts to your Sprinto dashboard.

  • If you’ve already integrated individual accounts from an AWS OU and wish to switch to OU-level integration, you must first disable the existing account-level integrations.


How it Works

When you connect AWS to Sprinto:

  • Sprinto assumes an IAM role in your AWS account to read configuration and metadata

  • Resources are automatically discovered across selected regions

  • Compliance checks are evaluated continuously

  • Issues are surfaced in Sprinto with clear remediation guidance

With the mandatory SecurityAudit policy, Sprinto cannot create, modify, or delete any AWS resources. The only write-capable permission described on this page is the optional CloudWatchFullAccess policy, which you attach only if you want Sprinto to manage CloudWatch alarms.


Integration Methods

You can integrate AWS using either:

  • A CloudFormation template (recommended)

  • A manually created IAM role

Each method is available for:

  • AWS organisation-level integration

  • Individual AWS account integration


AWS Organisation-level Integration

Use this approach if you manage multiple AWS accounts under AWS Organizations and want to monitor them centrally.

Before you Begin

Ensure the AWS user, role, or group performing the setup has the AdministratorAccess policy attached.


Method 1: Use CloudFormation template

This method automates IAM role creation using a CloudFormation template.

Start the integration in Sprinto

  1. Log in to the Sprinto Dashboard.

  2. Go to Settings → Integrations.

  3. Search for AWS and click Connect.

  4. Select AWS organization.

  5. Enter your Root OU ID.

  6. Choose Use CloudFormation template, then click Continue.

Step 1: Create the access role

This step sets up a read-only IAM role (sprinto-auditor-role) across all accounts in your AWS Organisation.

A. Set up access permissions for the management account

  1. Log in to your AWS management (root) account.

  2. Open AWS CloudShell.

  3. From the Sprinto integration panel, copy the provided bash script.

  4. Paste and run the script in CloudShell.

What this does:

  • Creates an IAM role named sprinto-auditor-role, trusted by the Sprinto AWS account and restricted by the external ID shown in the panel.

  • Uses a CloudFormation template to automate role creation.

  • Attaches the required policies:

    • SecurityAudit (read-only auditing of AWS resources)

    • CloudWatchFullAccess (only if you enabled CloudWatch alarm management; this policy grants write access to CloudWatch, so the role is then no longer strictly read-only)


B. Create a StackSet

After permissions are set up:

  1. In the same management account, copy the StackSet creation command from Sprinto.

  2. Run the command in AWS CloudShell.

What this does:

  • Creates a CloudFormation StackSet.

  • Defines the IAM role and permissions that will be deployed across all child accounts in the organisation.


C. Deploy the StackSet to all accounts

Once the StackSet is created:

  1. Copy the StackSet deployment command from Sprinto.

  2. Run it in AWS CloudShell.

What this does:

  • Deploys the StackSet to all accounts under the specified Root OU.

  • Automatically creates the sprinto-auditor-role in each child account.


D. Get the Role ARN

After deployment completes:

  1. Run the final command provided in Sprinto to retrieve the Role ARN from the management account.

  2. Copy the Role ARN and keep it handy.

Note

If the output shows CREATE_IN_PROGRESS, the stack instances are still being created. Wait a few seconds and run the command again until the Role ARN is returned.


Step 2: Complete the integration in Sprinto

  1. Return to the Sprinto AWS integration screen.

  2. Paste the Role ARN you copied earlier.

  3. Select the AWS regions where your production workloads run.

  4. Click Connect.

Once completed, Sprinto will start monitoring all supported AWS resources across your organisation using the configured read-only access.


Method 2: Create IAM role manually

Use this method if you prefer to configure IAM permissions yourself.

Start the integration in Sprinto

  1. Go to Settings → Integrations.

  2. Search for AWS and click Connect.

  3. Select AWS organization.

  4. Choose Create IAM role manually.

  5. Click Continue.

Step 1: Create the access role

A. Set up roles on all accounts

  1. Log in to the AWS Management Console.

  2. Navigate to IAM.

  3. Go to Roles and select Create role.

  4. On the role creation page, choose Another AWS account as the trusted entity.

This sets up the base role that Sprinto will later assume to audit your AWS resources.


B. Set up permissions on all accounts

  1. In the Specify accounts that can use this role section, enter the following details:

    • Account ID: Copy this from the Sprinto integration drawer.

    • External ID: Copy this exactly as shown in Sprinto.

  2. Ensure Require external ID is enabled. The external ID is what prevents another Sprinto tenant who learns your role ARN from having Sprinto assume the role on their behalf (the confused-deputy problem), so it must match the value in Sprinto exactly.

  3. Make sure Require MFA is not selected. Sprinto assumes the role programmatically with its own credentials and cannot present an MFA code, so an MFA condition on the trust policy would make every AssumeRole call fail.

  4. Select Next.

  5. On the Add permissions screen:

    • Search for and attach the SecurityAudit policy.

  6. Click Next to proceed.
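The settings in step B end up in the role's trust policy, and that policy is where a misconfiguration is both easiest to make and easiest to verify. The following is an added example, not Sprinto's code, of a small validator you can run against the trust policy of sprinto-auditor-role before pasting the ARN into Sprinto. The Sprinto account ID and external ID below are constructed placeholders; use the values from the integration drawer. With boto3, `iam.get_role(RoleName="sprinto-auditor-role")["Role"]["AssumeRolePolicyDocument"]` already returns the policy as a dict that can be passed straight in.

```python
"""Validate the trust policy of a third-party audit role.

Added example, not Sprinto's code. Account ID and external ID are
constructed placeholders; the real values come from the Sprinto drawer.
"""

SPRINTO_ACCOUNT_ID = "123456789012"          # placeholder
EXTERNAL_ID = "example-external-id-from-sprinto"  # placeholder

# What the trust policy should look like after step B: a single trusted
# account, AssumeRole only, and the external ID enforced as a condition.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SPRINTO_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# The two mistakes the steps warn about: Require external ID left off, and
# Require MFA switched on.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SPRINTO_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the account ID from an ARN or a bare account-ID principal."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def check_trust_policy(policy, expected_account_id, expected_external_id):
    """Return a list of problems; an empty list means the policy is as expected."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*" or _account_of(p) != expected_account_id:
                problems.append(f"principal {p!r} is not the expected account {expected_account_id}")
        condition = stmt.get("Condition") or {}
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
        elif external_id != expected_external_id:
            problems.append("sts:ExternalId does not match the value shown in Sprinto")
        # A service assuming the role with its own credentials cannot satisfy an MFA condition.
        if any("aws:MultiFactorAuthPresent" in keys for keys in condition.values()):
            problems.append("aws:MultiFactorAuthPresent condition present (Require MFA must be off)")
    return problems


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, check_trust_policy(policy, SPRINTO_ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

The validator is deliberately strict about the principal: a wildcard principal combined with an external ID is still wrong, because the external ID is a shared, non-secret value and not a credential.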


C. Add additional permissions (optional)

Depending on your setup, you can attach additional policies:

  • To allow Sprinto to create or manage CloudWatch alarms:

    • Attach CloudWatchFullAccess. This policy grants write access to CloudWatch, so the role is no longer strictly read-only; attach it only if you want Sprinto to manage alarms.

  • To fetch AWS SSO users:

    • Attach AWSSSODirectoryReadOnly

    • Attach AWSSSOReadOnly

  • You can optionally add tags in the Add tags section.

Select Next after adding any optional permissions.


D. Complete role setup on all accounts

  1. In the Role details section:

    • Enter the role name as sprinto-auditor-role

  2. Review the configuration and select Create role.

  3. Once created, search for the role sprinto-auditor-role in IAM.


E. Get the Role ARN of the management account

  1. In the management (root) account, open the newly created role:

    • sprinto-auditor-role

  2. Copy the Role ARN.

  3. Save this ARN, you’ll need it in the next step.


Step 2: Complete the integration in Sprinto

  1. Return to the Sprinto dashboard.

  2. In the AWS integration drawer:

    • Paste the copied Role ARN.

  3. Select the AWS regions where your production workloads run.

    • You can modify regions later if needed.

  4. Select Connect.

Once completed, Sprinto begins monitoring your AWS environment using the configured IAM role.


Individual AWS Account Integration

Use this approach if you want to monitor one or more AWS accounts independently.

Note

If you later switch to organisation-level integration, you must first disable all individually connected accounts.


Method 1: Use CloudFormation template

Step 1: Start the integration in Sprinto

  1. Go to Settings → Integrations.

  2. Search for AWS and click Connect.

  3. Select AWS account.

  4. Confirm and click Continue.

  5. Review required permissions and click Next.

  6. Choose Use CloudFormation template.

Step 2: Create the access role

  1. Copy the provided bash command.

  2. Run it in AWS CloudShell.

  3. The role is created automatically.

Step 3: Get role ARN and complete integration

  1. Copy the Role ARN.

  2. Paste it in Sprinto.

  3. Select regions.

  4. Click Connect.


Method 2: Create IAM role manually

Step 1: Start the integration in Sprinto

  1. Go to Settings → Integrations.

  2. Search for AWS and click Connect.

  3. Select AWS account.

  4. Choose Create IAM role manually.

  5. Click Continue.

Step 2: Set up the IAM role

  1. Create a new IAM role with a custom trust policy.

  2. Paste the trust policy JSON provided by Sprinto. It trusts the Sprinto account ID and requires the external ID shown in the drawer; do not add an MFA condition.

  3. Attach the SecurityAudit policy.

Optional permissions

  • CloudWatch alarms: CloudWatchFullAccess (write-capable; attach only if Sprinto should manage alarms)

  • SSO users: AWSSSOReadOnly, AWSSSODirectoryReadOnly

  • Tags can be added if needed.

Step 3: Complete role setup

  • Name the role sprinto-auditor-role.

  • Create the role and copy its ARN.

Step 4: Complete the integration

  1. Paste the Role ARN in Sprinto.

  2. Select regions.

  3. Click Connect.


Required permissions and data access

Permissions required

  • SecurityAudit (mandatory, read-only)

  • CloudWatchFullAccess, AWSSSOReadOnly, AWSSSODirectoryReadOnly (optional, as described above)

  • AdministratorAccess is needed only by the person running the setup to create the role or deploy the CloudFormation stack; it is never granted to the Sprinto role.

Data accessed by Sprinto

Sprinto reads configuration data for services such as:

  • IAM, EC2, S3, RDS, EKS

  • Load balancers, VPCs, Lambda, API Gateway

  • CloudWatch (if enabled)

Sprinto does not modify or delete resources.


Troubleshooting

Integration fails during setup

  • Ensure AdministratorAccess is attached to the AWS user, role, or group.

  • Verify that the correct external ID is used.

CloudFormation stack stuck in progress

  • CREATE_IN_PROGRESS is normal for a short time; wait a few seconds and re-run the command that retrieves the Role ARN.

  • If a role named sprinto-auditor-role already exists in a target account, stack creation fails instead of completing; delete or rename the existing role and retry.

Role ARN not accepted

  • Confirm the ARN belongs to sprinto-auditor-role.

  • Ensure the role exists in the correct account.

Regions not showing data

  • Ensure regions were selected during setup.

  • You can modify regions later from the integration settings.

Switching from individual accounts to organisation integration

  • Disable all individually connected AWS accounts first.

  • Then proceed with organisation-level setup.


Support

If you encounter any issues or need assistance with your integration, contact the Sprinto support team at [email protected].
