AWS Cloud Scanner
Configure AWS cloud infrastructure scanning with cross-account access or access keys
Security Best Practice: We recommend cross-account IAM role assumption with an external ID, because it removes the need to store long-term access keys in CTEM.
Cross-Account IAM Role Setup
Create an IAM role in your AWS account that CTEM can assume to scan your infrastructure
Step 1. Create IAM Role in AWS Console
Go to IAM → Roles → Create Role → Select "Another AWS account"
Step 2. Configure Trust Policy
Use the trust policy below to allow CTEM to assume the role
Step 3. Attach Permissions Policy
Create a custom policy with the permissions listed below
Step 4. Configure Role ARN Below
Copy the Role ARN and External ID to the form below
Role ARN: The ARN of the IAM role created in step 1
External ID: A unique random string that CTEM must present when it assumes the role; it prevents a party who only knows the Role ARN from having the role assumed on their behalf (the confused-deputy problem)
Regions: Select which AWS regions to include in scans
Trust Policy (Step 2)
Copy this trust policy when creating the IAM role. Replace YOUR_CTEM_ACCOUNT_ID and YOUR_EXTERNAL_ID with actual values.
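As an added example (not the policy text from this page and not CTEM's own code), the Python below builds a trust policy of the shape step 2 describes and reviews an existing one for the properties that matter: no wildcard principal, only the expected scanner account, and an sts:ExternalId condition on the AssumeRole grant. The function names and the sample account ID and external ID are constructed assumptions.

```python
import json


def build_trust_policy(ctem_account_id: str, external_id: str) -> dict:
    """Trust policy that lets the CTEM account assume this role only when it
    presents the agreed external ID (constructed example, not CTEM's own)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # YOUR_CTEM_ACCOUNT_ID placeholder from the page goes here
            "Principal": {"AWS": f"arn:aws:iam::{ctem_account_id}:root"},
            "Action": "sts:AssumeRole",
            # YOUR_EXTERNAL_ID placeholder from the page goes here
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, expected_account_id: str) -> list:
    """Review an existing trust policy: flag a wildcard principal, a principal
    outside the expected account, or an AssumeRole grant with no external ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume the role")
            elif f":{expected_account_id}:" not in p and p != expected_account_id:
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition on the AssumeRole grant")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute the real ones from the form.
    policy = build_trust_policy("111122223333", "c0ffee-external-id")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, "111122223333"))  # []
```

Run the review function against the trust policy shown on the role in the IAM console after creating it to confirm the external ID condition was actually saved.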
IAM Permissions Policy (Step 3)
Attach this policy to the IAM role to grant CTEM read-only access to scan your AWS infrastructure