Technical guide for configuring third-party integrations for cloud assets, vulnerability scanning, alerts, and ticketing
Service | Description |
---|---|
EC2 | VM instances and their public IPs |
Route53 | DNS hosted zones and records |
S3 | Buckets (especially those public or with DNS) |
Cloudfront | CDN distributions and their domains |
ECS | Container cluster resources |
EKS | Kubernetes cluster endpoints |
ELB | Load balancers (Classic ELB and ALB/NLB) |
ELBv2 | Load balancers (Classic ELB and ALB/NLB) |
Lambda | Serverless function endpoints |
Lightsail | Lightsail instances (simplified VPS) |
Apigateway | API endpoints deployed via Amazon API Gateway |
arn:aws:iam::034362060511:user/projectdiscovery

s3:ListAllMyBuckets

Refer back to the Required Permissions and make sure all relevant actions are allowed. You can also use AWS IAM Policy Simulator or CloudTrail logs to see if any AccessDenied errors occur when ProjectDiscovery calls AWS APIs.

AssumeRole. DescribeInstances, ListBuckets, etc., being called by the IAM user or assumed role. For cross-account roles, you will see an AssumeRole event from ProjectDiscovery's AWS account ID, and subsequent calls under the assumed role's identity. This audit trail can confirm that the integration is working as intended and using only allowed actions.

roles/cloudasset.viewer and roles/resourcemanager.viewer

roles/cloudasset.viewer and roles/resourcemanager.viewer at the organization level

projectdiscovery-org-scanner
projectdiscovery-org-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com
Cloud Asset Viewer
Organization Viewer

projectdiscovery-scanner
Compute Viewer
DNS Reader
Storage Object Viewer
Cloud Run Viewer
Cloud Functions Viewer
Kubernetes Engine Viewer
Browser (for basic project access)

projectdiscovery-readonly

AliyunReadOnlyAccess policy and click OK. This is the official, managed policy for read-only access to all cloud resources.

us-east-1

⚠️ Ensure the entire content is copied without extra whitespace.
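As a check on the CloudTrail audit described above (an added example, not ProjectDiscovery's own code): this script runs over a few constructed CloudTrail records and confirms that the AssumeRole call came from ProjectDiscovery's account ID, flags AccessDenied errors that point to a missing permission, and reports any call made under the role that is outside the read-only allowlist. The target role ARN, the allowlist and the sample events are assumptions; only the account ID comes from the ARN in the guide.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data) modelled on the events
# the guide says to look for: AssumeRole from the ProjectDiscovery account, read-only
# calls under the assumed role, one AccessDenied error and one out-of-scope call.
PD_ACCOUNT_ID = "034362060511"  # account ID from the ARN in the guide
ROLE_ARN = "arn:aws:iam::111122223333:role/ProjectDiscoveryReadOnly"  # hypothetical target role

SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": PD_ACCOUNT_ID,
                      "arn": f"arn:aws:iam::{PD_ACCOUNT_ID}:user/projectdiscovery"},
     "requestParameters": {"roleArn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
    {"eventSource": "route53.amazonaws.com", "eventName": "ListHostedZones",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
     "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}},
]

# Assumed read-only allowlist for the integration role.
ALLOWED_ACTIONS = {"DescribeInstances", "ListBuckets", "ListHostedZones"}

def audit_integration(events, role_arn, expected_account, allowed_actions):
    """Verify who assumed the role, which actions ran under it, and what was denied."""
    report = {"assume_role_ok": False, "unexpected_assumers": [],
              "denied": [], "disallowed": [], "calls": Counter()}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev["eventName"] == "AssumeRole" and ev.get("requestParameters", {}).get("roleArn") == role_arn:
            if ident.get("accountId") == expected_account:
                report["assume_role_ok"] = True
            else:  # someone other than the expected account assumed the role
                report["unexpected_assumers"].append(ident.get("arn", "?"))
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if ident.get("type") != "AssumedRole" or issuer != role_arn:
            continue  # not a call made under the integration role
        name = ev["eventName"]
        report["calls"][name] += 1
        if ev.get("errorCode") == "AccessDenied":
            report["denied"].append(name)      # permission missing from the policy
        if name not in allowed_actions:
            report["disallowed"].append(name)  # role used beyond its read-only scope
    return report

if __name__ == "__main__":
    print(json.dumps(audit_integration(SAMPLE_EVENTS, ROLE_ARN, PD_ACCOUNT_ID, ALLOWED_ACTIONS), indent=2))
```

With real data, feed it the records array from CloudTrail's Lake query output or the `Records` list of an exported log file; a non-empty `disallowed` or `unexpected_assumers` list is the signal to tighten the trust policy.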