AWS Integration

Connect your AWS accounts to ConcertoGRC to automatically import security findings, detect IAM misconfigurations, and maintain an infrastructure inventory. Multiple AWS accounts can be connected simultaneously.

What You Get

Vulnerability Management

  • GuardDuty findings -- Security findings are normalized and imported into Vulnerability Management with severity mapping, deduplication, and source tracking
  • IAM misconfigurations -- Detects missing MFA, stale access keys, overly permissive policies, and inactive users

Evidence Library

  • MFA status report -- Automatically generated CSV showing MFA enrollment for all IAM users
  • User access list -- Complete IAM user inventory with last activity dates
  • Password policy report -- Current account password policy configuration

Infrastructure

  • Resource inventory -- AWS resources imported for infrastructure diagram generation and compliance tracking

Setup

Prerequisites

  • An AWS account with GuardDuty enabled in the target region
  • IAM permissions to create cross-account roles or provide access keys
  • ConcertoGRC administrator access

Connection Methods

Cross-Account IAM Role (Recommended)

This is the most secure connection method: ConcertoGRC assumes a role in your AWS account with read-only permissions, so no long-lived keys leave your account. The External ID entered in step 5 ensures the role can only be assumed on your behalf.

  1. Navigate to Integrations in ConcertoGRC
  2. Find the AWS integration card and click Connect
  3. Select IAM Role as the connection method
  4. Follow the guided setup to create the cross-account role in your AWS account using the provided CloudFormation template or manual IAM configuration
  5. Enter the Role ARN and External ID
  6. Click Test Connection to verify access

Access Key (Alternative)

For environments where cross-account roles are not feasible.

  1. Create an IAM user with read-only permissions in your AWS account
  2. Generate an access key pair
  3. Enter the Access Key ID and Secret Access Key in ConcertoGRC
  4. Click Test Connection

Required Permissions

The integration requires read-only access to:

  • guardduty:List*, guardduty:Get* -- GuardDuty findings
  • iam:List*, iam:Get*, iam:GenerateCredentialReport -- IAM users, policies, MFA
  • ec2:Describe* -- Infrastructure inventory
  • s3:ListAllMyBuckets, s3:GetBucketLocation -- S3 bucket inventory
  • organizations:Describe*, organizations:List* -- Multi-account discovery (optional)
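The cross-account role from the IAM Role method and the permission list above, shown together as an added example (not ConcertoGRC's CloudFormation template): the trust policy binds sts:AssumeRole to an External ID, the permission policy grants exactly the actions listed, and two checks confirm that the External ID is enforced and that nothing beyond read-only verbs has crept in. The connector account ID and the External ID are placeholders.

```python
# Added illustration of the cross-account role described above: a trust policy that
# binds sts:AssumeRole to an External ID and a permission policy built from the
# read-only actions listed on this page. Not ConcertoGRC's own template; the account
# ID and External ID are placeholders.
import json
import re

CONNECTOR_ACCOUNT_ID = "111111111111"              # placeholder: platform's AWS account
EXTERNAL_ID = "replace-with-platform-supplied-id"  # placeholder: value shown during setup

# Actions from the "Required Permissions" list; wildcards are kept as written.
READ_ONLY_ACTIONS = [
    "guardduty:List*", "guardduty:Get*",
    "iam:List*", "iam:Get*", "iam:GenerateCredentialReport",
    "ec2:Describe*",
    "s3:ListAllMyBuckets", "s3:GetBucketLocation",
    "organizations:Describe*", "organizations:List*",  # optional multi-account discovery
]

# Verb prefixes that only read state; anything else is flagged for review.
_READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|GenerateCredentialReport)")


def build_trust_policy(connector_account_id: str, external_id: str) -> dict:
    """Trust policy: only the connector account may assume the role, and only when
    it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{connector_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permission_policy(actions: list) -> dict:
    """Permission policy granting exactly the listed read-only actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_requires_external_id(policy: dict) -> bool:
    """True only if every Allow of sts:AssumeRole is gated on sts:ExternalId."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True


def non_read_only_actions(policy: dict) -> list:
    """Actions in the policy whose verb is not a read-only prefix."""
    flagged = []
    for stmt in policy.get("Statement", []):
        for action in _as_list(stmt.get("Action", [])):
            if not _READ_ONLY_VERB.match(action):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    trust = build_trust_policy(CONNECTOR_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_permission_policy(READ_ONLY_ACTIONS)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("external id enforced:", trust_policy_requires_external_id(trust))
    print("non read-only actions:", non_read_only_actions(perms))
```

The wildcard actions are reproduced as the page lists them; where your policy review requires it, the same check works unchanged on a policy that narrows them to individual actions.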

Sync Behavior

  • Frequency: Every 6 hours
  • Deduplication: GuardDuty findings are matched by finding ID; duplicates update the existing record
  • Severity mapping: GuardDuty severity (0-10) is mapped to platform severity levels (Critical, High, Medium, Low, Info)
  • Evidence auto-generation: IAM reports are regenerated on each sync cycle and uploaded to the Evidence Library with fresh validity dates
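The deduplication and severity-mapping rules above, as an added example (not ConcertoGRC's code): GuardDuty's numeric severity is mapped onto the five platform levels, and a second sync cycle carrying a finding with an already-known ID updates the stored record rather than creating a duplicate. The page names the levels but not the score thresholds; the thresholds used here are assumed from GuardDuty's published severity bands. The sample findings are constructed.

```python
# Added illustration of the sync rules above: GuardDuty severity mapped to five
# platform levels and findings deduplicated by finding ID. Not ConcertoGRC's code;
# sample findings are constructed and the thresholds are assumed from GuardDuty's
# documented bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0),
# which this page does not state.


def map_severity(score: float) -> str:
    """Assumed mapping of a GuardDuty score (0-10) to a platform severity level."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 1.0:
        return "Low"
    return "Info"


class FindingStore:
    """In-memory stand-in for Vulnerability Management, keyed by GuardDuty finding ID."""

    def __init__(self):
        self.records = {}

    def upsert(self, account_id: str, finding: dict) -> str:
        """Insert or refresh one finding; returns 'created' or 'updated'."""
        record = {
            "finding_id": finding["Id"],
            "type": finding["Type"],
            "severity": map_severity(finding["Severity"]),
            "source": f"aws:{account_id}",  # keeps per-account filtering possible
            "last_seen": finding["UpdatedAt"],
        }
        if finding["Id"] in self.records:
            self.records[finding["Id"]].update(record)
            return "updated"
        self.records[finding["Id"]] = record
        return "created"


def sync_findings(store: FindingStore, account_id: str, findings: list) -> dict:
    """One sync cycle over a batch of findings; returns created/updated counts."""
    counts = {"created": 0, "updated": 0}
    for finding in findings:
        counts[store.upsert(account_id, finding)] += 1
    return counts


# Constructed sample findings shaped like GuardDuty output (IDs and times are made up).
SYNC_1 = [
    {"Id": "f0a1", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "Severity": 5.0, "UpdatedAt": "2024-01-01T00:00:00Z"},
    {"Id": "f0a2", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "UpdatedAt": "2024-01-01T00:00:00Z"},
]
# Six hours later: f0a1 re-appears with a higher score; f0a3 is new.
SYNC_2 = [
    {"Id": "f0a1", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "Severity": 8.0, "UpdatedAt": "2024-01-01T06:00:00Z"},
    {"Id": "f0a3", "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 9.0, "UpdatedAt": "2024-01-01T06:00:00Z"},
]


def run_demo() -> dict:
    """Two sync cycles against one store; returns the store and per-cycle counts."""
    store = FindingStore()
    first = sync_findings(store, "123456789012", SYNC_1)
    second = sync_findings(store, "123456789012", SYNC_2)
    return {"store": store, "first": first, "second": second}


if __name__ == "__main__":
    result = run_demo()
    print(result["first"], result["second"])
    for rec in result["store"].records.values():
        print(rec)
```

Because the store is keyed by finding ID, the escalated copy of f0a1 replaces the earlier severity and last-seen time instead of producing a second row, which is the behaviour the deduplication rule above describes.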

Multiple Accounts

You can connect multiple AWS accounts. Each connection syncs independently with its own credentials and status. Findings from all accounts appear in a single Vulnerability Management view with source filtering by account.