This guide explains how to connect Amazon Web Services (AWS) to WatchDog Security. Once connected, WatchDog will begin monitoring your AWS environment for security posture risks, configuration issues, vulnerabilities, and cloud inventory data across your AWS account.
What WatchDog Monitors
WatchDog operates in read-only mode and does not modify configuration settings within your AWS environment.
After the integration is connected, WatchDog may monitor the following services:
Identity & Access Management:
Elastic Container Service (ECS)
Elastic Kubernetes Service (EKS)
Elastic Block Store (EBS)
Containers & Artifact Security:
Elastic Container Registry (ECR)
Simple Queue Service (SQS)
Simple Notification Service (SNS)
The exact information collected depends on the permissions granted to the WatchDog IAM role.
Requirements
Before connecting the integration, ensure the following:
You have administrator access to the AWS account you want to monitor
You're an Account Owner or Security Admin in WatchDog Security
You can create IAM roles and policies within the AWS account
Step 1 — Open the Integration in WatchDog
2. Navigate to: Management → Integrations
3. Locate Amazon Web Services (AWS)
5. Within the AWS Connection Wizard, take note of the WatchDog Security AWS ARN, then continue with creating an IAM role within AWS.
These values are required to configure the AWS trust relationship.
Step 2 — Create the IAM Role in AWS
2. In the navigation pane of the console, choose Roles and then choose Create role.
3. Under Trusted entity type, select Custom trust policy, then copy and paste the JSON body below into the Custom trust policy editor:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<watchdog-arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external-id>"
        }
      }
    }
  ]
}
4. Replace the following placeholders within the JSON policy:
<watchdog-arn>: Replace with the ARN shared within the WatchDog AWS Connection Wizard.
<external-id>: Enter an External ID of your choosing.
The External ID is a shared secret between your AWS account and WatchDog. You must use the same value when creating the IAM role in AWS.
Best practices for External IDs:
Use a unique, hard-to-guess value (e.g., JWT, UUID, etc.)
Avoid reusing External IDs across integrations
Treat it like a secret (do not share publicly)
5. Next, under Add permissions, filter by AWS managed - job function and select the ReadOnlyAccess policy. Then select Next.
6. Under Role name, enter the role name wds-agent-role, then select Create role.
The IAM role must be named wds-agent-role for the integration to connect successfully in the WatchDog Security UI. Roles with a different name will not be recognized, and the connection will fail.
7. Select the newly created role and note its ARN; you will provide it to WatchDog Security in the next step.
Step 3 — Complete the Connection in WatchDog
Return to the WatchDog Security UI and complete the AWS Connection process:
1. Enter a unique connection name
2. Paste the Role ARN of the newly created role into the connection wizard
3. Enter the unique External ID chosen for the AWS Role
Initial Sync
WatchDog will begin collecting configuration and inventory data from AWS
Initial synchronization time depends on the size of your environment
Large environments may take up to one hour
Permissions Required
WatchDog requires read-only access to AWS services in order to collect configuration and inventory data. This is typically achieved through:
AWS SecurityAudit managed policy
Additional read permissions for supported services if required
WatchDog does not require write permissions to your AWS environment.
Revoking Access
To fully remove WatchDog access from your AWS account, remove the IAM role created for the integration.
Step 1 — Disconnect the Integration in WatchDog
1. Log into the WatchDog Security Portal
2. Navigate to Management → Integrations
3. Locate Amazon Web Services
Step 2 — Delete the IAM Role in AWS
3. Locate the role created for WatchDog
This removes the cross-account access used by WatchDog.
Troubleshooting
Verify the following:
The Role ARN was entered correctly
The trust relationship includes the WatchDog AWS account
The External ID matches the value generated in WatchDog
The role has sufficient read permissions
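As an added example (written for this guide, not part of WatchDog's own tooling) that ties the trust policy from Step 2 to the troubleshooting list above, the function below checks a saved trust policy against the WatchDog ARN, the External ID you entered, and the required role name. The ARN, External ID and sample policy are constructed placeholder values.

```python
import json

# Hypothetical sample values; the real ARN comes from the WatchDog AWS Connection Wizard.
WATCHDOG_ARN = "arn:aws:iam::123456789012:root"
EXTERNAL_ID = "8f3c2a6e-5d1b-4c0e-9a7f-2b6e1d4c8a90"
EXPECTED_ROLE_NAME = "wds-agent-role"

# Constructed trust policy: the guide's template with both placeholders filled in.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": WATCHDOG_ARN},
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})

def _as_list(value):  # IAM accepts a bare string or object wherever a list is allowed
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def check_trust_policy(policy_json, watchdog_arn, external_id, role_name=EXPECTED_ROLE_NAME):
    """Return a list of findings; an empty list means the role matches what the guide requires."""
    findings = []
    if role_name != EXPECTED_ROLE_NAME:
        findings.append(f"role is named {role_name!r}; WatchDog only recognizes {EXPECTED_ROLE_NAME!r}")
    if "<watchdog-arn>" in policy_json or "<external-id>" in policy_json:
        findings.append("template placeholder was not replaced (Step 2, item 4)")
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return findings + [f"trust policy is not valid JSON: {exc}"]
    assume = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not assume:
        return findings + ["no Allow statement grants sts:AssumeRole"]
    for stmt in assume:
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            findings.append("wildcard principal: any AWS account could assume this role")
        elif watchdog_arn not in aws:
            findings.append("Principal does not include the WatchDog ARN from the connection wizard")
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif got != external_id:
            findings.append("sts:ExternalId does not match the External ID entered in WatchDog")
    return findings
```

Run it against the trust policy exported from the IAM console (Trust relationships tab) to confirm each item in the troubleshooting list before retrying the connection.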