Amazon Web Services (AWS) Integration
This guide explains how to integrate your Amazon Web Services (AWS) Organisation Unit (OU) or individual AWS account with Sprinto for compliance monitoring. The integration enables Sprinto to perform automated checks across your infrastructure and supports enforcement of security best practices.
Benefits of Integration
Connecting AWS with Sprinto enables:
- Monitoring of infrastructure security configurations
- Detection of policy violations
- Automated closure of vulnerabilities and incidents
- Access control tracking across AWS accounts
Before You Begin
Ensure the following prerequisites are met:
- You are logged in to the Sprinto Admin Portal.
- You have AdministratorAccess privileges in your AWS root or target account.
- You have permissions to create IAM roles or CloudFormation stacks.
Available Compliance Checks
Sprinto supports over 70 automated AWS checks. Below are some commonly used ones:
- AWS access should be removed for offboarded users
- MFA should be enabled for AWS users
- AWS RDS free space should be monitored
- AWS RDS CPU utilisation should be monitored
- AWS access keys should not be older than 90 days
You can integrate AWS with Sprinto using either of the following methods:
- Integrate an AWS Organisation Unit (OU): This option allows you to connect an AWS OU along with its nested OUs and accounts. During configuration, you can select the specific accounts to monitor for compliance.
- Integrate individual AWS accounts: This option lets you connect standalone AWS accounts for compliance tracking.
Integrate AWS OU
Option 1: CloudFormation Template (Recommended)
1. In the Sprinto Admin Portal, go to Settings > Integrations.
2. Under Available Integrations, click Connect next to AWS.
3. Select AWS Organization.
4. Follow the on-screen instructions and click Next.
5. Log in to the management (root) account of your AWS Organisation, select the Use CloudFormation Template check box and click Continue.
6. Open AWS CloudShell and copy the CloudFormation script from Sprinto.
7. Execute the script in CloudShell. This will:
   - Create an IAM role called sprinto-auditor-role
   - Assign the permissions required for auditing
8. To get the Role ARN from the root account, run the CloudFormation describe command provided in the integration panel.
9. Run the script in each child account you want to monitor. You do not need the ARN from child accounts; only the script needs to be executed.
10. Enter the following in the Sprinto portal:
   - Role ARN: copied from the AWS root account output
   - Region: your AWS deployment region
   - Root Account ID: the alphanumeric Root Account ID from IAM Identity Center (not the numeric account ID)
11. Click Connect.

Option 2: IAM Role
1. In the Sprinto Admin Portal, go to Settings > Integrations.
2. Under Available Integrations, click Connect next to AWS.
3. Select AWS Organization.
4. Follow the on-screen instructions and click Next.
5. Log in to the management (root) account of your AWS Organisation, select the Create IAM role manually check box and click Continue.
6. Go to IAM > Roles > Create Role.
7. Choose Another AWS account.
8. Copy the Account ID and External ID from the Sprinto Integration panel and paste them.
9. Uncheck Require MFA and click Next.
10. Add the following permission policies:
   - SecurityAudit
   - AWSSSODirectoryReadOnly and AWSSSOReadOnly (optional; for SSO users)
   - CloudWatchFullAccess (optional; to allow CloudWatch alarms from Sprinto)
11. Name the role sprinto-auditor-role.
12. Create the role and copy the Role ARN.
13. Repeat steps 6 to 12 in each child account you want to connect. You do not need to copy the ARN from child accounts.
14. Return to Sprinto and enter:
   - Role ARN: copied from the AWS root account output
   - Region: your AWS deployment region
   - Root Account ID: the alphanumeric Root Account ID from IAM Identity Center (not the numeric account ID)
15. Click Connect.
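The "Another AWS account" step with the Account ID and External ID produces a cross-account trust policy: only Sprinto's account may assume sprinto-auditor-role, and only when it presents the External ID. The Python below is an added example, not Sprinto's tooling, that builds such a trust policy and reviews an existing one for the two things worth checking after the role is created (a wildcard or foreign principal, and a missing sts:ExternalId condition); the account ID and external ID are constructed placeholders, and the real values come from the integration panel.

```python
"""Build and review the trust policy for a third-party auditor role (example, not Sprinto's code)."""
import json

ROLE_NAME = "sprinto-auditor-role"
# Constructed placeholders: substitute the values shown in the Sprinto integration panel.
SPRINTO_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-from-sprinto-panel"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy that lets only `account_id` assume the role, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, expected_account: str) -> list[str]:
    """Return review findings for a trust policy; an empty list means it is scoped as this guide expects."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        for p in principals:
            if p is None or p == "*":
                findings.append("statement allows any AWS principal to assume the role")
            elif f":{expected_account}:" not in p:
                findings.append(f"unexpected principal {p}")
        # Without an external-ID condition, any party trusted by the principal account could be
        # tricked into assuming the role on someone else's behalf (the confused-deputy problem).
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("statement lacks an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SPRINTO_ACCOUNT_ID, EXTERNAL_ID)
    assert trust_policy_findings(policy, SPRINTO_ACCOUNT_ID) == []
    # Redirect this to a file and pass it to `aws iam create-role --assume-role-policy-document file://...`
    print(json.dumps(policy, indent=2))
```

Running the script prints the trust document for sprinto-auditor-role; running trust_policy_findings against the policy you can read back from the console or `aws iam get-role` confirms nothing was widened while following the steps above.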
Integrate Individual AWS Account
1. In the Sprinto Admin Portal, select Integrate Individual AWS Account.
2. Choose the applicable compliance use cases.
Support
If you encounter any issues or need assistance with your integration, contact the Sprinto support team at [email protected].