About Amazon Elastic Compute Cloud (EC2)

The Amazon EC2 connector collects instance inventory, security groups, VPC topology, AMI metadata, and related compute details from your AWS account so you can attach them to controls in Iru Compliance. Iru calls AWS APIs using sts:AssumeRole into an IAM role you create in your account. The role trusts Iru’s AWS principal and enforces an external ID that the connector wizard shows you. Access is read-only, so Iru does not start, stop, or terminate instances through this source.

How it works

Iru runs in Iru’s AWS account. You create a customer-managed IAM role in your account that:
  1. Trusts Iru’s role ARN (shown in the wizard) only when sts:ExternalId matches the value Iru displays.
  2. Allows read-only EC2 and supporting calls, typically via AmazonEC2ReadOnlyAccess, or a tighter inline policy if your security team prefers least privilege.
You copy the role ARN back into the connector. Iru then assumes that role and reads regional EC2 data (Iru walks enabled Regions).
Category: Cloud compute
Authentication: Cross-account IAM role (sts:AssumeRole + external ID)
References: AmazonEC2ReadOnlyAccess, EC2 IAM.

Prerequisites

  • IAM rights to create roles and attach policies (for example IAMFullAccess or a narrower admin role).
  • The Iru principal ARN and external ID from your tenant’s connector screen (not the sample values in examples below unless they match what Iru shows you today).

Connect Amazon EC2 to Iru

Open Iru and copy the trust policy

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
[Screenshot: left navigation with Compliance expanded and Sources selected]

2. Turn on AWS Elastic Compute Cloud (EC2)

Find AWS Elastic Compute Cloud (EC2) (use Category or Search by name or description). On that card, turn on the toggle. Keep the wizard tab open for the next steps.

3. Review the trust policy JSON

The wizard asks for a role ARN and displays the trust policy your IAM role must use. Always copy the principal and external ID from your live wizard. The structure matches this example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1. Start the Create role workflow

Sign in to the AWS account that owns your EC2 workload. Open IAM > Roles > Create role.

2. Configure trusted entity

Choose AWS account > Another AWS account. Enter Iru’s AWS account ID (753695775620 unless the wizard shows a different value). Enable Require external ID and paste the external ID from the Iru wizard.

3. Attach EC2 read permissions

On Permissions, attach AmazonEC2ReadOnlyAccess. If your security team does not use the managed policy, attach an inline policy with the JSON below instead:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:Get*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
4. Name the role and copy its ARN

Finish the wizard and name the role (for example IruEC2ReadOnly). Open the new role and copy the Role ARN from the top of the summary page.

5. Verify the trust policy

Open the role’s Trust relationships tab and confirm the JSON matches what Iru displayed. Typos in the external ID are the most common cause of AccessDenied on AssumeRole.

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN into the Role ARN field.

2. Confirm the source is Active

Submit until the EC2 source shows Active. Inventory sync begins after activation.

Troubleshooting

  • Check pop-up blocker settings for the Iru site and try again.
  • Verify the external ID and principal on the trust policy match Iru’s wizard character-for-character.
  • Confirm the role lives in the same account as your instances and that instances exist in Regions you expect.
  • Ensure ec2:Describe* coverage (the managed policy already includes these). Custom policies need matching Describe* actions.
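The two checks that matter most in step 5 (Verify the trust policy) and in the Troubleshooting list above, comparing the trust policy's principal and external ID against what the wizard showed and confirming the permissions policy only grants reads, can be done offline against the policy JSON. The script below is an added example, not Iru's code or part of the AWS console; it embeds this page's sample principal ARN and inline policy as test data, and the external ID is a constructed placeholder you would replace with the value from your live wizard.

```python
import fnmatch
import json

# Values a role must match. The principal is the sample ARN from this page;
# the external ID is a constructed placeholder. In practice take both from the
# live Iru wizard, since the check compares them character for character.
IRU_PRINCIPAL_ARN = "arn:aws:iam::753695775620:role/IruConnect"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-FROM-WIZARD"  # placeholder, not a real value

# Action name shapes accepted as inventory-style reads. This is a naming
# heuristic only: AWS does not guarantee every Get*/List* action is harmless.
READ_ONLY_PATTERNS = ("*:Describe*", "*:Get*", "*:List*")

# The inline permissions policy from this page, embedded so the example runs offline.
PAGE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*", "ec2:Get*", "elasticloadbalancing:Describe*",
            "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
            "cloudwatch:Describe*", "autoscaling:Describe*",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_arn, external_id):
    """Trust policy in the shape the Iru wizard displays."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            "Action": "sts:AssumeRole",
        }],
    }


def check_trust_policy(doc, principal_arn, external_id):
    """Return a list of findings; empty means the role trusts exactly the expected
    principal and requires the expected external ID on every AssumeRole grant."""
    findings = []
    assume_stmts = [
        s for s in doc.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_stmts:
        return ["no Allow statement for sts:AssumeRole"]
    for i, stmt in enumerate(assume_stmts):
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principals != [principal_arn]:
            findings.append(f"statement {i}: principal {principals} is not {principal_arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            # Without the condition any caller the principal trusts could assume the role.
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"statement {i}: external ID mismatch (typo?)")
    return findings


def non_read_only_actions(policy):
    """Return every Allow action that is not a Describe*/Get*/List* call."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_PATTERNS):
                flagged.append(action)
    return flagged


def audit_role(trust_doc, permissions_doc, principal_arn, external_id):
    """Run both checks; 'ok' is True only when the role passes both."""
    trust = check_trust_policy(trust_doc, principal_arn, external_id)
    writes = non_read_only_actions(permissions_doc)
    return {"ok": not trust and not writes, "trust": trust, "write_actions": writes}


if __name__ == "__main__":
    good = build_trust_policy(IRU_PRINCIPAL_ARN, EXTERNAL_ID)
    typo = build_trust_policy(IRU_PRINCIPAL_ARN, EXTERNAL_ID + "x")  # one-character typo
    print(json.dumps(audit_role(good, PAGE_INLINE_POLICY, IRU_PRINCIPAL_ARN, EXTERNAL_ID), indent=2))
    print(json.dumps(audit_role(typo, PAGE_INLINE_POLICY, IRU_PRINCIPAL_ARN, EXTERNAL_ID), indent=2))
```

To run it against the role you actually created, pull the documents with `aws iam get-role --role-name IruEC2ReadOnly --query Role.AssumeRolePolicyDocument` and `aws iam get-role-policy --role-name IruEC2ReadOnly --policy-name <your-inline-policy-name> --query PolicyDocument`, load each with `json.load`, and pass them to `audit_role`. A non-empty `trust` list is the usual explanation for AccessDenied on AssumeRole; a non-empty `write_actions` list means the role is broader than the read-only scope this integration needs.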

Considerations

  • EC2 APIs are Regional, so first sync may take longer across many Regions.
  • AmazonEC2ReadOnlyAccess also covers related ELB and Auto Scaling reads for a fuller picture.
  • This integration never mutates instances; it only describes them.

See also