Cloud
Connect Amazon Web Services
SigV4-signed read-only access to Security Hub (active findings) and Cost Explorer (spend) to compute Security Readiness and Cloud Health (security posture).
What it pulls
STS caller identity (validate), Security Hub active findings bucketed by severity (critical/high/medium), and Cost Explorer last-30-day unblended spend.
What you’ll enter
The exact fields the connect form asks for — and where to find each value.
- Access key ID
- IAM → your read-only user → Security credentials → Create access key → copy the “Access key ID” (starts with AKIA).
- Secret access key
- Shown next to the Access key ID at creation — copy the “Secret access key” now. It's shown only once.
- Primary regionoptional
- The region where you enabled Security Hub (the code in the AWS console’s top-right region menu, e.g. us-east-1).
- Session token (only for temporary credentials)optional
- Leave blank for a normal IAM access key — only needed for temporary STS credentials.
Step-by-step setup
- 1
Create an API-only IAM user
AWS console → IAM → Users → Create user (e.g. shipready-metrics-readonly). Do NOT enable console access — this is an API-only user.
- 2
Attach read-only policies
On Set permissions → Attach policies directly, add the AWS-managed SecurityAudit and ViewOnlyAccess policies (both read-only). Add nothing else, then create the user.
- 3
Create an access key
Open the user → Security credentials → Create access key → “Application running outside AWS”. Copy the Access key ID (AKIA…) and Secret access key into the matching fields (shown once).
- 4
Enable Security Hub in your region
Security Hub is regional: in your primary region (e.g. us-east-1) open Security Hub and enable it so findings exist. Cost Explorer spans all regions and needs no setup.
- 5
Enter the key + region and connect
Fill Access key ID, Secret access key, and Primary region. Use Session token only for temporary STS credentials. Click Connect — we validate via STS, then pull Security Hub + Cost Explorer.
Troubleshooting
- Connected but zero security findings.
- Security Hub is regional — enable it in the primary region you entered, or no findings exist to read. The connector reports zero rather than faking a clean posture; Cost Explorer needs no setup.
- Access denied / 403 on validate.
- Attach the AWS-managed SecurityAudit + ViewOnlyAccess policies to the IAM user, and re-check the access key ID, secret, and region.
Read-only access key, SigV4-signed (no SDK; signer verified vs AWS test vectors). Validated via STS, then Security Hub + Cost Explorer. Feeds Security Readiness + Cloud Health.