
AWS

Visualize AWS cloud resources, map AWS users to employees, and monitor visibility, governance, and compliance against the AWS CIS Framework and security benchmarks. Additionally, monitor AWS vulnerabilities and findings and changes in AWS cloud resources through queries and alerts.

Installation

To install this integration, you need to configure settings both in AWS and in JupiterOne. The integration instance configuration requires the ARN of an IAM role in your AWS account that JupiterOne assumes in order to read infrastructure information through AWS APIs. The role's trust policy is configured to require an external ID; this value is also part of the instance configuration.

Information is ingested from all AWS regions that do not require additional contractual arrangements with AWS. Please submit a JupiterOne support request if you need to monitor additional regions.

info

This integration enables the creation of automated workflows within JupiterOne alerts using SNS and SQS to remediate configuration gaps in AWS.

Configuration on AWS

Detailed setup instructions and a pre-built CloudFormation Stack are provided in the application and maintained in the public JupiterOne AWS CloudFormation project on GitHub. Follow the steps under In JupiterOne to capture the auto-generated External ID specific to the integration instance; the stack uses it as the external ID required by the role's trust policy.

Once the steps provided on GitHub are complete, you can continue to finalizing the integration instance in JupiterOne.

Configuration in JupiterOne

To install the AWS integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select AWS. Click New Instance to begin configuring the integration.

Creating an integration instance requires the following:

  • The Account Name used to identify the AWS account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • A Description to assist in identifying the integration instance, if desired.

  • A Polling Interval appropriate for your monitoring needs. You may leave this as DISABLED and execute the integration manually.

  • The Role ARN of the IAM role JupiterOne assumes in order to authenticate with AWS.

Click Create once all values are provided to finalize the integration.

Set Permissions

The AWS integration requires read-only security-audit permissions in the target AWS account, defined by a combination of the AWS-managed SecurityAudit IAM policy and a few additional List*, Get*, and Describe* permissions that the managed policy lacks. The exact policy and permission statements can be found in the public JupiterOne AWS CloudFormation project on GitHub.

info

See the AWS data model map for more information about the IAM access and trusts.

Manage Sub-Accounts

Once you have configured your AWS Organization master account in JupiterOne, you have attached specific policies to the integration role and are using a specific external trust ID. When adding or configuring sub-accounts, note the IAM role name, the policies, and the external trust ID that you used for the master account.

Use your preferred infrastructure-as-code method to systematically generate an identical J1 IAM role in each of your sub-accounts. Name the IAM role identically, attach the same policies, and use the same external trust ID as in the master account configuration; the auto-configured sub-account integrations assume the role by name, so any deviation causes those accounts to fail to ingest.

In the JupiterOne Integrations UI, select a polling interval and the Auto-configure additional integrations... option in your master account configuration.

note

JupiterOne automatically ingests all sub-accounts from the Organization the next time it polls your environment.

To omit specific sub-accounts when auto-configuring J1 AWS integrations from an Organizations master account, add the optional j1-integration: SKIP tag to the sub-account in your infrastructure-as-code or from the AWS Organizations web console.
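The following script is an added example of the procedure above (not JupiterOne's CloudFormation project or any code from the page): it walks the Organization from the master account, skips members tagged j1-integration: SKIP, and creates or verifies an identically named role with the same external ID in every other member account. Names not stated on the page are assumptions: the JupiterOne principal in the trust policy (JUPITERONE_PRINCIPAL, a placeholder you take from your master-account stack), the role name JupiterOne, the supplemental policy name JupiterOneSupplemental, and reaching member accounts through OrganizationAccountAccessRole.

```python
"""Provision an identical JupiterOne IAM role in every member account of an
AWS Organization, honouring the j1-integration: SKIP tag.

Added example, not JupiterOne's own tooling. Assumptions not stated on the page:
JUPITERONE_PRINCIPAL (placeholder), ROLE_NAME, the supplemental policy name,
and the OrganizationAccountAccessRole used to reach member accounts.
"""
import json

ROLE_NAME = "JupiterOne"                                   # assumed; must be identical everywhere
SKIP_TAG = {"Key": "j1-integration", "Value": "SKIP"}     # tag documented on the page
JUPITERONE_PRINCIPAL = "arn:aws:iam::111111111111:root"   # placeholder: copy from your master-account stack
POLICY_ARNS = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    # assumed name for the extra List*/Get*/Describe* policy your IaC deploys in each account
    "arn:aws:iam::{account_id}:policy/JupiterOneSupplemental",
]


def build_trust_policy(trusted_principal_arn, external_id):
    """Trust policy letting only the JupiterOne principal assume the role, and only
    when it presents the external ID shown in the integration instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_ok(policy_doc, expected_external_id):
    """True only if every Allow of sts:AssumeRole requires the expected external ID.
    An unconditioned grant is the confused-deputy hole the external ID exists to close."""
    for stmt in policy_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            return False
    return True


def should_skip(tags):
    """tags in the shape returned by organizations:ListTagsForResource."""
    return any(t["Key"] == SKIP_TAG["Key"] and t["Value"] == SKIP_TAG["Value"] for t in tags)


def provision_all(external_id, trusted_principal=JUPITERONE_PRINCIPAL, policy_arns=POLICY_ARNS):
    """Create or verify the role in each active member account. Needs live AWS
    credentials in the master account; boto3 is imported here so the pure helpers
    above stay importable offline. Returns {account_id: status}."""
    import boto3
    org, sts = boto3.client("organizations"), boto3.client("sts")
    master = sts.get_caller_identity()["Account"]      # role already exists here
    trust = build_trust_policy(trusted_principal, external_id)
    results = {}
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            acct_id = acct["Id"]
            if acct_id == master or acct["Status"] != "ACTIVE":
                continue
            if should_skip(org.list_tags_for_resource(ResourceId=acct_id)["Tags"]):
                results[acct_id] = "skipped"
                continue
            creds = sts.assume_role(
                RoleArn=f"arn:aws:iam::{acct_id}:role/OrganizationAccountAccessRole",
                RoleSessionName="j1-role-provisioning",
            )["Credentials"]
            iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                               aws_secret_access_key=creds["SecretAccessKey"],
                               aws_session_token=creds["SessionToken"])
            try:
                iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust))
                results[acct_id] = "created"
            except iam.exceptions.EntityAlreadyExistsException:
                existing = iam.get_role(RoleName=ROLE_NAME)["Role"]["AssumeRolePolicyDocument"]
                if not trust_policy_ok(existing, external_id):
                    results[acct_id] = "TRUST POLICY MISMATCH"   # different or missing external ID
                    continue
                results[acct_id] = "verified"
            for arn in policy_arns:
                iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=arn.format(account_id=acct_id))
    return results
```

Run it from the master account after the role there is working, and treat any "TRUST POLICY MISMATCH" entry as an account whose role was created by hand with a different external ID; the script reports rather than silently overwriting it.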

Service Control Policy Issues

Errors may occur after configuring one or many AWS integrations if a Service Control Policy (SCP) blocks specific services or regions for the integration role. Any AWS services that JupiterOne cannot ingest are listed in the logs of the integration jobs, found under Integrations > Configurations > Settings > Jobs.

For each SCP that is blocking JupiterOne ingestion, add the following condition element to the Deny statement(s) in your SCP JSON. If a statement already has a Condition block, add the ArnNotLike operator alongside the existing operators rather than replacing them:

"Condition": {
  "ArnNotLike": {
    "aws:PrincipalARN": [
      "arn:aws:iam::*:role/JupiterOne*"
    ]
  }
}

Ensure this pattern matches the ARN of the IAM role you used to configure your JupiterOne AWS integration. As written, it exempts any role whose name starts with JupiterOne in any AWS account, so a principal who can create such a role in one of your member accounts would also escape the SCP; to keep the exemption limited to your own accounts, replace the account wildcard with the account ID(s) that host the role.

info

See the AWS Service control policies documentation for the latest information.
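The following script is an added example, not code from JupiterOne or AWS: it merges the condition element above into every Deny statement of an SCP (preserving any existing Condition operators), optionally narrows the exemption to explicit account IDs, and then checks with ArnLike wildcard semantics whether a given principal ARN is still hit by the Deny. The sample SCP is constructed for the example, and the account-ID narrowing is a recommendation rather than something the page requires.

```python
"""Add the JupiterOne exemption to an SCP and check which principals each Deny
statement still hits. Added example; SAMPLE_SCP is constructed, not a real policy."""
import json
import re
from copy import deepcopy

PRINCIPAL_KEY = "aws:PrincipalARN"   # IAM condition keys are matched case-insensitively


def j1_patterns(account_ids=None):
    """The pattern from the docs (any account), or one pattern per account ID."""
    return [f"arn:aws:iam::{a}:role/JupiterOne*" for a in (account_ids or ["*"])]


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _find_key(d, key):
    """Return the dict's actual key matching `key` case-insensitively, or None."""
    return next((k for k in d if k.lower() == key.lower()), None)


def add_exemption(scp, account_ids=None):
    """Copy of the SCP in which every Deny statement exempts the JupiterOne role(s).
    Allow statements are left alone: ArnNotLike on an Allow would restrict rather than
    exempt, so allow-list SCPs need an explicit Allow for the services instead."""
    scp = deepcopy(scp)
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.setdefault("Condition", {})
        block = cond.setdefault(_find_key(cond, "ArnNotLike") or "ArnNotLike", {})
        key = _find_key(block, PRINCIPAL_KEY) or PRINCIPAL_KEY
        merged = _as_list(block.get(key))
        merged += [p for p in j1_patterns(account_ids) if p not in merged]
        block[key] = merged
    return scp


def arn_matches(pattern, arn):
    """ArnLike semantics: the six colon-delimited ARN components are matched separately;
    '*' matches any run of characters and '?' a single character within a component."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if not re.fullmatch(regex, a):
            return False
    return True


def deny_applies_to(stmt, principal_arn):
    """Evaluate only the principal-ARN conditions of a Deny statement (all other
    condition keys are assumed satisfied). True means the Deny still hits the principal."""
    cond = stmt.get("Condition", {})
    not_like = cond.get(_find_key(cond, "ArnNotLike") or "", {})
    for p in _as_list(not_like.get(_find_key(not_like, PRINCIPAL_KEY) or "")):
        if arn_matches(p, principal_arn):
            return False
    like = cond.get(_find_key(cond, "ArnLike") or "", {})
    like_patterns = _as_list(like.get(_find_key(like, PRINCIPAL_KEY) or ""))
    if like_patterns and not any(arn_matches(p, principal_arn) for p in like_patterns):
        return False
    return True


# Constructed sample: a region-restriction SCP of the kind that blocks J1's multi-region
# ingestion, plus a Deny with no Condition block at all.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideUsEast1",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}},
        },
        {
            "Sid": "DenyCloudTrailChanges",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    patched = add_exemption(SAMPLE_SCP, account_ids=["123456789012"])
    print(json.dumps(patched, indent=2))
    for arn in ("arn:aws:iam::123456789012:role/JupiterOne-Reader",
                "arn:aws:iam::123456789012:role/Developer"):
        print(arn, "still denied:", deny_applies_to(patched["Statement"][0], arn))
```

Feed the patched JSON back through `aws organizations update-policy --content`, and keep the evaluator's limitation in mind: it decides only the principal-ARN part of the condition, so a Deny can still be suppressed or triggered by other keys (here aws:RequestedRegion) that this check treats as satisfied.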

S3 Bucket public Property

The aws_s3_bucket.public property is calculated based on the Access field shown in the AWS S3 console. Each different Access value corresponds to setting the aws_s3_bucket.public property to either true, false, or undefined as described in the table below:

Access                          aws_s3_bucket.public
Public                          true
Objects can be public           undefined
Bucket and objects not public   false

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.