InfraAudit connects to AWS using IAM credentials and discovers resources across all enabled regions in your account. Once connected, it monitors EC2 instances, S3 buckets, RDS instances, Lambda functions, CloudFront distributions, VPCs, security groups, and billing data from Cost Explorer.

Credential options

InfraAudit supports three ways to authenticate with AWS. All three require the same IAM policy — they differ only in how credentials are stored and rotated.
IAM user with a long-lived access key: create a dedicated IAM user with read-only permissions and generate a long-lived access key pair.

1. Create an IAM user. In the AWS console, go to IAM → Users → Create user. Give the user a descriptive name such as infraudit-reader.

2. Attach the InfraAudit policy. Attach the policy from the Required IAM policy section below, either directly or via a policy attached to a group.

3. Generate an access key. Go to Security credentials → Create access key. Choose Other as the use case. Copy the Access Key ID and Secret Access Key — you’ll need both when connecting.

IAM Identity Center (SSO) temporary credentials: for organizations using AWS IAM Identity Center (formerly SSO), use the SSO portal to generate temporary credentials and pass them to InfraAudit. Temporary credentials expire, so you’ll need to refresh them periodically.

Required IAM policy

Attach this policy to the IAM user or role InfraAudit will use. All actions are read-only.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InfraAuditReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketEncryption",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "lambda:ListFunctions",
        "lambda:GetFunctionConfiguration",
        "cloudfront:ListDistributions",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues"
      ],
      "Resource": "*"
    }
  ]
}
If you also want to enable vulnerability scanning of EC2 instances, add these two actions to the statement above:
"ec2:DescribeImages",
"ec2:DescribeSnapshots"

Connect your AWS account

1. Open the connection dialog. In the sidebar, click Cloud Providers → Connect AWS.

2. Enter your credentials. Fill in:
  • Access Key ID
  • Secret Access Key
  • Region — the primary region for API calls (resources in other regions are also discovered automatically)
  • Display name — a label for this account in the InfraAudit UI

3. Connect. Click Connect. InfraAudit validates the credentials and starts an initial resource sync.

What gets synced

After connecting, InfraAudit discovers and continuously monitors the following resource types:
Resource type               Internal type name
EC2 instances               ec2_instance
S3 buckets                  s3_bucket
RDS instances               rds_instance
RDS clusters                rds_cluster
Lambda functions            lambda_function
CloudFront distributions    cloudfront_distribution
VPCs                        vpc
Security groups             security_group

Billing data is ingested from Cost Explorer daily. AWS Cost Explorer has a 24-hour lag — data for a given day is available by approximately 08:00 UTC the following day.

Multi-region and multi-account support

InfraAudit discovers resources across all enabled regions in your AWS account automatically. The Region field in the connection form sets the primary region for API calls, not a filter. To monitor multiple AWS accounts, connect each as a separate provider. All accounts appear together in the unified resource inventory. The number of accounts you can connect depends on your plan.

Security notes

  • Credentials are encrypted at rest using AES-GCM with the server’s ENCRYPTION_KEY.
  • InfraAudit never writes to your AWS account. Every API call is read-only.
  • For tighter security, you can scope the IAM policy to specific regions or resource ARN prefixes.
Rotate your IAM access keys periodically and update the credentials in InfraAudit under Cloud Providers → Edit when you do. Stale credentials will cause sync failures.
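The following Python script is an added example and is not part of InfraAudit. It covers three things from this page: it checks that every action in the Required IAM policy above really is a read-only Describe/Get/List call (so a later edit cannot quietly widen it), it produces the variant with the two optional vulnerability-scan actions, and it builds the region-scoped variant mentioned under Security notes using the aws:RequestedRegion condition key. It also turns the rotation advice into a concrete check over records shaped like the output of aws iam list-access-keys. The function names, the 90-day rotation threshold and the sample key records are this example's own assumptions; the key IDs are placeholders.

```python
"""Added example, not part of InfraAudit: sanity checks for the IAM policy
above and for the access-key rotation advice. Function names, the 90-day
default and the sample records are this example's own choices."""
import copy
import re
from datetime import datetime, timedelta, timezone

# The policy from the "Required IAM policy" section, as a Python dict.
INFRAAUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InfraAuditReadOnly",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRegions",
            "s3:ListAllMyBuckets", "s3:GetBucketLocation",
            "s3:GetBucketEncryption", "s3:GetBucketVersioning",
            "s3:GetBucketPublicAccessBlock",
            "rds:DescribeDBInstances", "rds:DescribeDBClusters",
            "lambda:ListFunctions", "lambda:GetFunctionConfiguration",
            "cloudfront:ListDistributions",
            "iam:GetAccountPasswordPolicy", "iam:ListUsers",
            "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
        ],
        "Resource": "*",
    }],
}

# Optional actions for EC2 vulnerability scanning (same section of the page).
VULN_SCAN_ACTIONS = ["ec2:DescribeImages", "ec2:DescribeSnapshots"]

# Every action InfraAudit needs uses a read-only verb. Wildcards such as
# "s3:*" or "*" do not match this pattern and are therefore reported.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]*$")


def _allow_statements(policy):
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            yield stmt


def _actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def non_read_only_actions(policy):
    """Actions in Allow statements that are not Describe/Get/List calls."""
    return [a for stmt in _allow_statements(policy)
            for a in _actions(stmt) if not READ_ONLY_ACTION.match(a)]


def with_vuln_scan(policy):
    """Copy of the policy with the two vulnerability-scan actions added."""
    result = copy.deepcopy(policy)
    for stmt in _allow_statements(result):
        if stmt.get("Sid") == "InfraAuditReadOnly":
            current = _actions(stmt)
            stmt["Action"] = current + [a for a in VULN_SCAN_ACTIONS if a not in current]
    return result


def scoped_to_regions(policy, regions):
    """Copy of the policy limited to the given regions via aws:RequestedRegion.

    us-east-1 is always kept: IAM, CloudFront, Cost Explorer and the S3 bucket
    listing are global calls that AWS evaluates as us-east-1, so dropping it
    would break those parts of the sync. Calls to regions not listed here are
    denied, so discovery of resources in those regions will fail.
    """
    result = copy.deepcopy(policy)
    allowed = list(regions) + ([] if "us-east-1" in regions else ["us-east-1"])
    for stmt in _allow_statements(result):
        stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        stmt["Condition"]["StringEquals"]["aws:RequestedRegion"] = allowed
    return result


# Constructed sample shaped like `aws iam list-access-keys` output; the key
# IDs are placeholders, not real keys. NOW is a fixed clock for the sample.
SAMPLE_ACCESS_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": "2024-01-01T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": "2024-05-01T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": "2023-01-01T00:00:00+00:00"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def keys_due_for_rotation(access_keys, now=None, max_age_days=90):
    """IDs of active keys older than max_age_days (90 is this example's choice)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in access_keys
            if k.get("Status") == "Active"
            and datetime.fromisoformat(k["CreateDate"]) < cutoff]


if __name__ == "__main__":
    print("non-read-only actions:", non_read_only_actions(INFRAAUDIT_POLICY))
    print("keys due for rotation:", keys_due_for_rotation(SAMPLE_ACCESS_KEYS, NOW))
```

Run non_read_only_actions against the policy you are about to attach; an empty list confirms the claim that every API call is read-only. If you do scope by region, remember that the Region field in the connection form is not a filter, so InfraAudit will still try every enabled region and the excluded ones will simply return access-denied errors during sync.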