Cloud

Connect Amazon Web Services

SigV4-signed read-only access to Security Hub (active findings) and Cost Explorer (spend) to compute Security Readiness and Cloud Health (security posture).

What you'll need

An API-only IAM user with the AWS-managed SecurityAudit + ViewOnlyAccess policies, its access key ID + secret, and a primary region. Security Hub must be enabled in that region for findings; Cost Explorer needs no setup. If Security Hub is off, the connector reports zero findings rather than faking a clean posture.

Credential

Read-only access key (SecurityAudit + ViewOnlyAccess)

Requested scopes

SecurityAudit, ViewOnlyAccess

Powers

Security Readiness, Cloud Health

What it pulls

STS caller identity (validate), Security Hub active findings bucketed by severity (critical/high/medium), and Cost Explorer last-30-day unblended spend.

What you’ll enter

The exact fields the connect form asks for — and where to find each value.

Access key ID
IAM → your read-only user → Security credentials → Create access key → copy the “Access key ID” (starts with AKIA).
Secret access key
Shown next to the Access key ID at creation — copy the “Secret access key” now. It's shown only once.
Primary regionoptional
The region where you enabled Security Hub (the code in the AWS console’s top-right region menu, e.g. us-east-1).
Session token (only for temporary credentials)optional
Leave blank for a normal IAM access key — only needed for temporary STS credentials.

Step-by-step setup

  1. 1

    Create an API-only IAM user

    AWS console → IAM → Users → Create user (e.g. shipready-metrics-readonly). Do NOT enable console access — this is an API-only user.

  2. 2

    Attach read-only policies

    On Set permissions → Attach policies directly, add the AWS-managed SecurityAudit and ViewOnlyAccess policies (both read-only). Add nothing else, then create the user.

  3. 3

    Create an access key

    Open the user → Security credentials → Create access key → “Application running outside AWS”. Copy the Access key ID (AKIA…) and Secret access key into the matching fields (shown once).

  4. 4

    Enable Security Hub in your region

    Security Hub is regional: in your primary region (e.g. us-east-1) open Security Hub and enable it so findings exist. Cost Explorer spans all regions and needs no setup.

  5. 5

    Enter the key + region and connect

    Fill Access key ID, Secret access key, and Primary region. Use Session token only for temporary STS credentials. Click Connect — we validate via STS, then pull Security Hub + Cost Explorer.

Troubleshooting

Connected but zero security findings.
Security Hub is regional — enable it in the primary region you entered, or no findings exist to read. The connector reports zero rather than faking a clean posture; Cost Explorer needs no setup.
Access denied / 403 on validate.
Attach the AWS-managed SecurityAudit + ViewOnlyAccess policies to the IAM user, and re-check the access key ID, secret, and region.
Create a read-only IAM user → Connect in the app

Read-only access key, SigV4-signed (no SDK; signer verified vs AWS test vectors). Validated via STS, then Security Hub + Cost Explorer. Feeds Security Readiness + Cloud Health.