Skip to main content

About Amazon Elastic Compute Cloud (EC2)

The Amazon EC2 connector collects instance inventory, security groups, VPC topology, AMI metadata, and related compute details from your AWS account so you can attach them to controls in Iru Compliance. Iru calls AWS APIs using sts:AssumeRole into an IAM role you create in your account. The role trusts Iru’s AWS principal and enforces an external ID that the connector wizard shows you. Access is read-only, so Iru does not start, stop, or terminate instances through this source.

How It Works

Iru runs in Iru’s AWS account. You create a customer-managed IAM role in your account that:
  1. Trusts Iru’s role ARN (shown in the wizard) only when sts:ExternalId matches the value Iru displays.
  2. Allows read-only EC2 and supporting calls, typically via AmazonEC2ReadOnlyAccess, or a tighter inline policy if your security team prefers least privilege.
You copy the role ARN back into the connector. Iru then assumes that role and reads regional EC2 data (Iru walks enabled Regions).
DetailValue
CategoryCloud compute
AuthenticationCross-account IAM role (sts:AssumeRole + external ID)
References: AmazonEC2ReadOnlyAccess, EC2 IAM.

Prerequisites

  • IAM rights to create roles and attach policies (for example IAMFullAccess or a narrower admin role).
  • The Iru principal ARN and external ID from your tenant’s connector screen (not the sample values in examples below unless they match what Iru shows you today).

Connect Amazon EC2 to Iru

Start here: open the source wizard and review the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS Elastic Compute Cloud (EC2)

Find AWS Elastic Compute Cloud (EC2) (use Category or Search by name or description). On that card, turn on the toggle. Leave the Iru is requesting access to external services wizard tab open.
3

Review the trust policy JSON

The wizard asks for a role ARN and displays the trust policy your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.
copy=false
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role) so you have the Role ARN from the new role.
1

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN into the Role ARN field.
2

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.
3

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to ComplianceSources and confirm the EC2 card is Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Verify the external ID and principal on the trust policy match Iru’s wizard character-for-character.
Confirm the role lives in the same account as your instances and that instances exist in Regions you expect.
Ensure ec2:Describe* coverage (managed policy already includes these). Custom policies need matching Describe* actions.

Considerations

EC2 APIs are Regional: first sync may take longer…

EC2 APIs are Regional, so first sync may take longer across many Regions.

AmazonEC2ReadOnlyAccess also covers related ELB and…

AmazonEC2ReadOnlyAccess also covers related ELB and Auto Scaling reads for a fuller picture.

This integration never mutates instances: it only…

This integration never mutates instances; it only describes them.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.