Source Configuration for AWS Importer
To integrate with AWS, you first need to define sources.
For the following configuration, you'll need assistance from your organization's AWS Admins.
Click the Source tab.
Click the “Add New Source” button.
Give a name to your Source Configuration.
Select a Pio AWS region: US (us-east-1) or EU (eu-central-1).
Contact your Security Team to request access to your AWS accounts from the Pio Gateway, following the security recommendation. This access is essential for completing the source setup. The Pio Gateway's public IP address for outbound traffic in each region is listed below.
Pio Region Name | Service Provider | Location | Region Description | Public IP Address for Outbound Traffic |
---|---|---|---|---|
US | AWS | North America (Virginia, US) | us-east-1 | 52.45.180.198 |
EU | AWS | Europe (Frankfurt, Germany) | eu-central-1 | 18.199.1.227 |
Ask your AWS Admin to provide the necessary account details:
Access Key
Secret
Roles
You can add multiple roles. Our application will assume each role and collect the AWS resource configurations accordingly.
We recommend preparing the following policy for the roles:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PioReadOnlyPolicy",
      "Action": [
        "ec2:Describe*",
        "ecr:List*",
        "ecr:Describe*",
        "lambda:List*",
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
This IAM policy, named `PioReadOnlyPolicy`, grants read-only access to selected AWS services, including EC2 (`Describe*`), ECR (`List*`, `Describe*`), and Lambda (`List*`), allowing users to view configurations and resources without making changes. It also permits the `sts:AssumeRole` action, enabling the principal to assume other roles, which may grant broader access depending on the target roles’ permissions. The policy is applied globally to all resources. Customers are advised to review and modify this policy according to their internal security requirements and compliance standards, especially to restrict `sts:AssumeRole` to specific trusted roles or accounts.
Don’t forget to set up a trust relationship, similar to the one below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::11111111111:user/credentials-integration-test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
This trust relationship allows the IAM user `credentials-integration-test` from AWS account `11111111111` to assume the role to which this policy is attached. It uses the `sts:AssumeRole` action to enable cross-entity access. Customers should modify this trust policy to reference only trusted users, roles, or AWS accounts that align with their security policies and access control standards, ensuring that only authorized entities can assume the role.
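The two review points above (scope `sts:AssumeRole` to specific roles, and trust only known principals) can be checked mechanically before the policies are attached. The following is an added example, not Pio's code: `SCOPED_POLICY`, `SCOPED_ROLE` and the function names are assumptions constructed for illustration, and `NotAction`, `NotResource`, `NotPrincipal` and `Condition` elements are not evaluated.

```python
from fnmatch import fnmatchcase

# Policies copied from this page (Version omitted; only Statement is inspected).
PAGE_POLICY = {"Statement": [{
    "Sid": "PioReadOnlyPolicy", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ecr:List*", "ecr:Describe*", "lambda:List*", "sts:AssumeRole"]}]}
PAGE_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::11111111111:user/credentials-integration-test"}}]}
# Constructed variant: read-only actions unchanged, AssumeRole limited to one role ARN.
SCOPED_ROLE = "arn:aws:iam::222222222222:role/example-pio-collector"  # placeholder ARN
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ecr:List*", "ecr:Describe*", "lambda:List*"]},
    {"Effect": "Allow", "Resource": SCOPED_ROLE, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM accepts either a single value or a list for most elements."""
    return value if isinstance(value, list) else [value]

def _allows(stmt, action):
    """True if an Allow statement's Action patterns cover `action` (case-insensitive)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))

def wildcard_assume_role_resources(policy):
    """Return wildcard Resource values on statements that allow sts:AssumeRole."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if _allows(stmt, "sts:AssumeRole"):
            findings += [r for r in _as_list(stmt.get("Resource", [])) if "*" in r]
    return findings

def untrusted_principals(trust_policy, allowed):
    """Return principals allowed to assume the role that are not in `allowed`."""
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if not _allows(stmt, "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is shorthand for every principal; otherwise check all types.
        arns = ["*"] if principal == "*" else [a for v in principal.values() for a in _as_list(v)]
        findings += [a for a in arns if a not in allowed]
    return findings

if __name__ == "__main__":
    print("page policy:", wildcard_assume_role_resources(PAGE_POLICY))
    print("scoped policy:", wildcard_assume_role_resources(SCOPED_POLICY))
```

An empty list from either function means nothing was flagged; the page's recommended policy returns `['*']` because `sts:AssumeRole` shares the statement's `"Resource": "*"`.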
Click the Add Source button to save the source configuration.
If the connection settings are correct, then a success message will appear.
Please recheck the values if you get the following error message.
To return to the list of sources, please proceed by clicking the “Close” button.
If you need to create additional source configurations, please repeat these steps.
To configure your destinations, select the Destination tab after completing the source configurations.