AWS Deployment Guide
This guide helps you prepare for and deploy the Xshield Cloud Connector with AWS. It covers what you need before you start, how to get started, and reference details (supported resources, considerations, and AWS services used).
Prerequisites
Before you can use the Cloud Connector with AWS, ensure you have:
- Active AWS account with administrative access
- An IAM principal (user/role) with permissions to create and manage:
  - IAM roles and policies
  - CloudFormation stacks (if using a template-driven onboarding)
  - VPC Flow Logs configuration (for when you enable traffic visibility later)
- Active Xshield account and access to the management portal
Getting Started
After you have the prerequisites above:
- Connect your account — AWS Onboarding (choose interactive, script-based, or manual).
- Enable traffic visibility — VPC Flow Logs for network traffic; X-Ray Traces for application traces.
Reference
The sections below provide supporting detail.
Supported AWS Resource Types
The Cloud Connector supports discovery and visibility for a set of AWS resource types. Support may vary by release.
- Amazon EC2, RDS, API Gateway, Lambda, S3, DynamoDB
See AWS Resource Management for the full list and how resources are represented in Xshield.
Important Considerations
- Flow log dependency — Network traffic visibility requires VPC Flow Logs to be enabled and accessible.
- X-Ray dependency — Application trace visibility requires AWS X-Ray to be enabled and accessible.
- Costs — Enabling VPC Flow Logs and storing or exporting logs can incur AWS costs (CloudWatch Logs, S3, Kinesis/Firehose, inter-region transfer depending on your setup).
AWS Services Used
The Cloud Connector uses these AWS services (depending on features enabled):
- IAM — Roles and policies for authentication and authorization
- VPC — Discovery of networking constructs and workload placement
- VPC Flow Logs — Traffic flow visibility and analytics
- X-Ray — Application trace visibility
- CloudFormation — Permission and resource setup when using templates (if applicable)
IAM permissions
The cross-account role used by Xshield requires specific IAM permissions for discovery and (optionally) flow log access. For the exact permissions, refer to the tables below.
Cloud Connector (assets discovery and traffic visualization)
Permissions for resource discovery, network visibility, and application traces. The CloudFormation template and Path B policy include these by default.
Within each service, IAM actions are split into two tiers: Mandatory and For Upcoming Feature.
| Service | Tier | IAM action | Resource | Why |
|---|---|---|---|---|
| S3 | Mandatory | s3:ListAllMyBuckets | * | Required to enumerate S3 buckets. Without this, no S3 assets will appear on the platform. Access level: List |
| S3 | Mandatory | s3:GetBucketLocation | * | Required to determine bucket regions. Without this, S3 discovery and flow log bucket region resolution will fail. Access level: Read |
| S3 | Mandatory | s3:GetBucketPublicAccessBlock | * | Required to check public access settings. Without this, the IsPublic indicator will be inaccurate. Access level: Read |
| S3 | Mandatory | s3:GetBucketTagging | * | Required for S3 bucket tag discovery. Without this, bucket tags will be missing, breaking tag-based filtering. Access level: Read |
| S3 | Mandatory | s3:ListBucket | * | Required to list flow log files in S3 buckets. Without this, flow log processing and hub bucket verification will fail. Access level: List |
| S3 | Mandatory | s3:GetObject | * | Required to read flow log files from S3. Without this, flow log processing will fail entirely. Access level: Read |
| S3 | For Upcoming Feature | s3:GetBucketAcl | * | Not actively used. Including this avoids a policy update if future releases surface bucket ACL details. Access level: Read |
| S3 | For Upcoming Feature | s3:GetBucketPolicy | * | Not actively used. Including this avoids a policy update if future releases surface bucket policy details. Access level: Read |
| S3 | For Upcoming Feature | s3:GetBucketVersioning | * | Not actively used. Including this avoids a policy update if future releases surface bucket versioning status. Access level: Read |
| S3 | For Upcoming Feature | s3:GetBucketNotification | * | Not actively used. Including this avoids a policy update if future releases surface bucket notification settings. Access level: Read |
| EC2 | Mandatory | ec2:DescribeInstances | * | Required to discover EC2 instances. Without this, no EC2 assets will appear on the platform. Access level: List |
| EC2 | Mandatory | ec2:DescribeNetworkInterfaces | * | Required for ENI discovery. Without this, ENI-to-asset mapping breaks, disrupting network topology and flow log IP resolution. Access level: List |
| EC2 | Mandatory | ec2:DescribeAddresses | * | Required to discover Elastic IPs. Without this, EIP associations will be missing from network topology. Access level: List |
| EC2 | Mandatory | ec2:DescribeVpcs | * | Required to discover VPCs. Without this, all VPC-scoped resource mapping will fail. Access level: List |
| EC2 | Mandatory | ec2:DescribeSubnets | * | Required to discover subnets. Without this, subnet context for instances, RDS, and Lambda will be missing. Access level: List |
| EC2 | Mandatory | ec2:DescribeSecurityGroups | * | Required to discover security groups. Without this, SG rules and usage tracking will be unavailable, breaking policy analysis. Access level: List |
| EC2 | Mandatory | ec2:DescribeNetworkAcls | * | Required to discover Network ACLs. Without this, NACL rules will not be visible. Access level: List |
| EC2 | Mandatory | ec2:DescribeNatGateways | * | Required to discover NAT Gateways. Without this, NAT Gateway assets will not appear on the platform. Access level: List |
| EC2 | Mandatory | ec2:DescribeInternetGateways | * | Required to discover Internet Gateways. Without this, IGW context will be missing from VPC topology. Access level: List |
| EC2 | Mandatory | ec2:DescribeTransitGateways | * | Required to discover Transit Gateways. Without this, TGW topology will be missing. Access level: List |
| EC2 | Mandatory | ec2:DescribeFlowLogs | * | Required to discover VPC flow log configurations. Without this, VPCs cannot be enriched with flow log status. Access level: List |
| EC2 | Mandatory | ec2:DescribeManagedPrefixLists | * | Required to enumerate managed prefix lists. Without this, prefix list discovery will fail. Access level: List |
| EC2 | Mandatory | ec2:GetManagedPrefixListEntries | * | Required to resolve CIDR entries in prefix lists. Without this, policy analysis and named network creation will break. Access level: Read |
| EC2 | For Upcoming Feature | ec2:DescribeVolumes | * | Not actively used. Including this avoids a policy update if future releases surface EBS volume details. Access level: List |
| EC2 | For Upcoming Feature | ec2:DescribeSnapshots | * | Not actively used. Including this avoids a policy update if future releases surface EBS snapshot details. Access level: List |
| EC2 | For Upcoming Feature | ec2:SearchTransitGatewayMulticastGroups | * | Not actively used. Including this avoids a policy update if future releases add transit gateway multicast group topology support. |
| ELB | Mandatory | elasticloadbalancing:DescribeLoadBalancers | * | Required to discover load balancers (ALB/NLB). Without this, no LB assets will appear and ENI-to-LB mapping will be missing. Access level: List |
| RDS | Mandatory | rds:DescribeDBInstances | * | Required to discover RDS instances. Without this, no RDS assets will appear on the platform. Access level: List |
| RDS | Mandatory | rds:DescribeDBSubnetGroups | * | Required to discover DB subnet groups. Without this, RDS network topology mapping will be incomplete. Access level: List |
| RDS | Mandatory | rds:DescribeDBSecurityGroups | * | Required to discover DB security groups. Without this, RDS security group associations will be missing. Access level: List |
| RDS | Mandatory | rds:DescribeDBClusterEndpoints | * | Required to discover Aurora cluster endpoints. Without this, DB cluster endpoint topology will be incomplete. Access level: List |
| RDS | Mandatory | rds:ListTagsForResource | * | Required for RDS tag discovery. Without this, RDS tags will be missing, breaking tag-based filtering. Access level: Read |
| RDS | For Upcoming Feature | rds:DescribeDBParameterGroups | * | Not actively used. Including this avoids a policy update if future releases surface DB parameter group configuration. Access level: List |
| Lambda | Mandatory | lambda:ListFunctions | * | Required to enumerate Lambda functions. Without this, no Lambda assets will appear on the platform. Access level: List |
| Lambda | Mandatory | lambda:GetFunctionConfiguration | * | Required to get VPC and runtime config per function. Without this, Lambda network topology mapping will break. Access level: Read |
| Lambda | Mandatory | lambda:ListEventSourceMappings | * | Required to discover event source triggers. Without this, Lambda trigger information will be missing. Access level: List |
| Lambda | Mandatory | lambda:ListTags | * | Required for Lambda tag discovery. Without this, Lambda tags will be missing, breaking tag-based filtering. Access level: Read |
| Lambda | For Upcoming Feature | lambda:GetPolicy | * | Not actively used. Including this avoids a policy update if future releases surface Lambda resource-based invocation policies. Access level: Read |
| DynamoDB | Mandatory | dynamodb:ListTables | * | Required to enumerate DynamoDB tables. Without this, no DynamoDB assets will appear on the platform. Access level: List |
| DynamoDB | Mandatory | dynamodb:DescribeTable | * | Required to get table config (ARN, key schema, throughput). Without this, DynamoDB table details will be missing. Access level: Read |
| DynamoDB | Mandatory | dynamodb:ListTagsOfResource | * | Required for DynamoDB tag discovery. Without this, table tags will be missing, breaking tag-based filtering. Access level: Read |
| API Gateway | Mandatory | apigateway:GET | * | Required to discover REST APIs, stages, resources, deployments, and authorizers. Without this, no API Gateway assets will appear. Access level: Read |
| X-Ray | Mandatory | xray:GetTraceSummaries | * | Required to fetch X-Ray trace IDs. Without this, application trace visibility will be unavailable. See X-Ray Traces. Access level: Read |
| X-Ray | Mandatory | xray:BatchGetTraces | * | Required to retrieve full trace details. Without this, application-level communication paths between services will not be shown. Access level: Read |
| KMS | Mandatory | kms:DescribeKey | * | Required for hub flow log bucket verification when using SSE-KMS encryption. Access level: Read |
| KMS | Mandatory | kms:Decrypt | * | Required to decrypt flow log files in S3 when the bucket uses SSE-KMS encryption. Access level: Write |
| Direct Connect | For Upcoming Feature | directconnect:DescribeConnections | * | Not actively used. Including this avoids a policy update if future releases map Direct Connect connections into the network topology. |
| Network Manager | For Upcoming Feature | networkmanager:ListCoreNetworks | * | Not actively used. Including these avoids a policy update if future releases map core networks, attachments, and peerings into the network topology. |
| Network Manager | For Upcoming Feature | networkmanager:GetCoreNetwork | * | |
| Network Manager | For Upcoming Feature | networkmanager:ListAttachments | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetVpcAttachment | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetSiteToSiteVpnAttachment | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetConnectAttachment | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetTransitGatewayRouteTableAttachment | * | |
| Network Manager | For Upcoming Feature | networkmanager:ListPeerings | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetTransitGatewayPeering | * | |
| Network Manager | For Upcoming Feature | networkmanager:GetTransitGatewayRegistrations | * | |
- Mandatory — the product will not function without these permissions. Resource discovery, network mapping, flow log processing, or application trace visibility will fail for the affected services.
- For Upcoming Feature — these permissions are not actively consumed today. Including them prevents the need for a cross-account role policy update when AWS adds new resource types or Xshield extends its discovery coverage.
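To check an existing cross-account role policy against the two tiers above, the following added example (not Xshield's own code or tooling) compares the policy's Allow actions with the documented action lists, flags missing Mandatory actions, undocumented grants, and wildcards that need a manual look. It uses only the Python standard library; the compliance actions in the next section are not included, and SAMPLE_POLICY is a constructed input.

```python
import fnmatch
# Mandatory actions from the Cloud Connector permissions table on this page.
MANDATORY = {
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging",
    "s3:ListBucket", "s3:GetObject", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeAddresses", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
    "ec2:DescribeNetworkAcls", "ec2:DescribeNatGateways", "ec2:DescribeInternetGateways",
    "ec2:DescribeTransitGateways", "ec2:DescribeFlowLogs", "ec2:DescribeManagedPrefixLists",
    "ec2:GetManagedPrefixListEntries", "elasticloadbalancing:DescribeLoadBalancers", "rds:DescribeDBInstances",
    "rds:DescribeDBSubnetGroups", "rds:DescribeDBSecurityGroups", "rds:DescribeDBClusterEndpoints",
    "rds:ListTagsForResource", "lambda:ListFunctions", "lambda:GetFunctionConfiguration",
    "lambda:ListEventSourceMappings", "lambda:ListTags", "dynamodb:ListTables", "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource", "apigateway:GET", "xray:GetTraceSummaries", "xray:BatchGetTraces",
    "kms:DescribeKey", "kms:Decrypt",
}
# "For Upcoming Feature" actions from the same table (granted now, not consumed today).
UPCOMING = {
    "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketVersioning", "s3:GetBucketNotification",
    "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:SearchTransitGatewayMulticastGroups",
    "rds:DescribeDBParameterGroups", "lambda:GetPolicy", "directconnect:DescribeConnections",
    "networkmanager:ListCoreNetworks", "networkmanager:GetCoreNetwork", "networkmanager:ListAttachments",
    "networkmanager:GetVpcAttachment", "networkmanager:GetSiteToSiteVpnAttachment",
    "networkmanager:GetConnectAttachment", "networkmanager:GetTransitGatewayRouteTableAttachment",
    "networkmanager:ListPeerings", "networkmanager:GetTransitGatewayPeering",
    "networkmanager:GetTransitGatewayRegistrations",
}

def allowed_actions(policy):
    """Actions granted by Allow statements (Action may be a string or a list)."""
    out = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow":
            a = s.get("Action", [])
            out.update([a] if isinstance(a, str) else a)
    return out

def audit_policy(policy):
    """Report mandatory actions the policy lacks, granted actions the tables do not document,
    and wildcard grants (these need a manual check: a wildcard may grant far more than the tables)."""
    granted, documented = allowed_actions(policy), MANDATORY | UPCOMING
    covered = {d for d in documented if any(fnmatch.fnmatchcase(d, g) for g in granted)}
    return {"missing_mandatory": sorted(MANDATORY - covered),
            "undocumented": sorted(g for g in granted if "*" not in g and g not in documented),
            "wildcards": sorted(g for g in granted if "*" in g)}

# Constructed sample: a role policy that is too narrow (no X-Ray) and too broad (iam:PassRole).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": sorted(a for a in MANDATORY if not a.startswith(("xray:", "ec2:")))
    + ["ec2:Describe*", "iam:PassRole"]}]}
```

Note that `ec2:Describe*` in the sample covers every EC2 Describe action but not `ec2:GetManagedPrefixListEntries`, which the audit reports as missing alongside the two X-Ray actions.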
XCloud compliance IAM permissions
If you enable XCloud compliance, the cross-account IAM role must also allow the following actions (Compliance Reports in Xshield):
| Service | Tier | IAM actions | Resource | Why |
|---|---|---|---|---|
| Access Analyzer | Mandatory | access-analyzer:ListAnalyzers | * | List access analyzers for compliance context and to locate analyzer findings. |
| CloudTrail | Mandatory | cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:GetEventSelectors | * | Discover trail configuration and status for compliance. |
| CloudWatch | Mandatory | cloudwatch:DescribeAlarms | * | Discover alarms for compliance and monitoring context. |
| AWS Config | Mandatory | config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders | * | Discover Config recorder status for compliance context. |
| EC2 | Mandatory | ec2:DescribeInstances, ec2:DescribeSnapshots, ec2:DescribeAddresses, ec2:DescribeFlowLogs, ec2:DescribeRegions, ec2:DescribeSecurityGroups, ec2:DescribeNetworkAcls, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcs | * | Discover EC2 instances, snapshots, networking, and security group configuration for compliance. |
| ELB | Mandatory | elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeRules | * | Discover load balancers, listeners, and routing rules for compliance. |
| IAM † | Mandatory | iam:GetAccountSummary, iam:GetCredentialReport, iam:GetPolicyVersion, iam:GetAccountPasswordPolicy, iam:GenerateCredentialReport, iam:ListAttachedUserPolicies, iam:ListEntitiesForPolicy, iam:ListPolicies, iam:ListServerCertificates, iam:ListUsers, iam:ListUserPolicies, iam:ListVirtualMFADevices | * | Read IAM summary, users, roles, policies, and credential report for compliance and identity context. |
| KMS | Mandatory | kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys | * | Discover KMS keys and rotation status for compliance. |
| CloudWatch Logs | Mandatory | logs:DescribeMetricFilters | * | Discover log metric filters for compliance context. |
| RDS | Mandatory | rds:DescribeDBInstances | * | Discover RDS database instances for compliance. |
| S3 | Mandatory | s3:GetAccountPublicAccessBlock, s3:GetBucketPublicAccessBlock, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketVersioning, s3:GetEncryptionConfiguration, s3:GetReplicationConfiguration, s3:ListAllMyBuckets | * | Read S3 account and bucket configuration for compliance (public access, encryption, replication). |
| SNS | Mandatory | sns:ListSubscriptions | * | Discover SNS subscriptions for compliance context. |
| STS | Mandatory | sts:GetCallerIdentity | * | Resolve caller identity for account context. |
| Account | Mandatory | account:GetAccountInformation | * | Read account information for compliance and account context. |
† IAM: The action iam:GenerateCredentialReport triggers generation of the credential report (so it is not purely read-only); it does not modify users, roles, or policies.
Related Guides
- AWS Interactive Onboarding — Guided onboarding flow
- AWS Script-based Onboarding — Script-based onboarding flow
- AWS Manual (Console-based) Onboarding — Console-based onboarding flow
- VPC Flow Logs — Enable VPC Flow Logs and grant access for network traffic visibility
- X-Ray Traces — Enable AWS X-Ray for application trace visibility
- AWS Resource Management — Supported resources and how they are managed in Xshield
- AWS Decommissioning — Remove an AWS Cloud Connector from Xshield