
AWS Config Integration

The AWS Config connector collects compliance evidence from AWS Config rules, IAM credential reports, GuardDuty threat findings, and CloudTrail audit logging. It uses IAM role assumption so no long-lived AWS access keys are stored in AISEC.

The connector collects:

  • IAM MFA coverage report
  • Config rule compliance summary
  • GuardDuty high-severity findings
  • CloudTrail audit logging status

At a glance:

  • IAM permissions required: Read-only
  • Evidence categories collected: 4
  • Example ISO 27001 control mappings: A.5.17, A.8.15

Prerequisites

What you need before you start

The connector assumes an IAM role in your AWS account. You need to create this role before connecting.

Create the IAM role

Create an IAM role in your AWS account that AISEC can assume. The trust policy must allow your AISEC deployment to call sts:AssumeRole.

  • Role name suggestion: aisec-readonly-role
  • Trust principal: the AWS account ID where AISEC is deployed, or an OIDC provider if using EKS IRSA
  • Add an External ID to the trust policy for extra security (optional but recommended)

Attach read-only policies

Attach the following AWS-managed policies to the role. These cover all the services the connector queries.

  • SecurityAudit — covers IAM credential report and Config
  • AmazonGuardDutyReadOnlyAccess — for threat findings
  • AWSCloudTrail_ReadOnlyAccess — for trail status
  • ViewOnlyAccess — broad read-only fallback for Config rules
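As an added example (not code from the AISEC documentation), the following Python builds the trust policy for the role described above and checks an existing trust policy for the two conditions the connector depends on: the AISEC account as principal and a matching sts:ExternalId condition. The account ID and External ID values are constructed placeholders; replace them with your own. The External ID matters because a role ARN is not secret: without the condition, anyone who learns the ARN and has a principal in the trusted account could assume the role, whereas with it the caller must also present a value only you and AISEC know.

```python
import json
from typing import List, Optional

# Placeholder values (constructed for this example, not from the AISEC docs):
# the AWS account where AISEC runs and a random secret used as External ID.
AISEC_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "replace-with-a-long-random-value"


def build_trust_policy(aisec_account_id: str, external_id: Optional[str] = None) -> dict:
    """Build the trust (assume-role) policy document for the read-only role.

    The principal is the AISEC account root, so any identity in that account
    that itself has sts:AssumeRole permission on this role may assume it.
    When an External ID is supplied, a StringEquals condition on
    sts:ExternalId is added, so callers must present that value as well.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{aisec_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_problems(policy: dict, aisec_account_id: str,
                          external_id: Optional[str]) -> List[str]:
    """Check an existing trust policy against what the connector needs.

    Returns a list of findings; an empty list means the policy matches. The
    checks mirror the causes of AccessDenied on sts:AssumeRole: a principal
    that does not cover the AISEC account, or an External ID condition that
    is absent or differs from the one configured in AISEC. An OIDC/IRSA
    trust uses a Federated principal instead and is not covered here.
    """
    problems: List[str] = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        return ["trust policy has no Allow statement"]
    for stmt in allows:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "sts:AssumeRole" not in actions:
            problems.append("statement does not allow sts:AssumeRole")

        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else list(aws)
        if "*" in principals:
            problems.append("principal is '*': any AWS account could assume this role")
        elif not any(aisec_account_id in p for p in principals):
            problems.append(f"principal does not reference account {aisec_account_id}")

        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id and cond != external_id:
            problems.append("sts:ExternalId condition is missing or does not match the configured External ID")
    return problems


def trust_policy_json(aisec_account_id: str = AISEC_ACCOUNT_ID,
                      external_id: Optional[str] = EXTERNAL_ID) -> str:
    """Serialise the policy as the JSON you would save to a trust.json file."""
    return json.dumps(build_trust_policy(aisec_account_id, external_id), indent=2)


if __name__ == "__main__":
    print(trust_policy_json())
    # A policy without the External ID condition fails the check:
    print(trust_policy_problems(build_trust_policy(AISEC_ACCOUNT_ID), AISEC_ACCOUNT_ID, EXTERNAL_ID))
```

The printed JSON is what you would pass to `aws iam create-role --role-name aisec-readonly-role --assume-role-policy-document file://trust.json` before attaching the four managed policies listed above.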

Configuration

Connect AWS Config in AISEC

Once the IAM role exists, the connection in AISEC takes under a minute.

Step-by-step

Follow these steps in Settings → Integrations → AWS Config → Configure.

  • IAM Role ARN: paste the full ARN of the role you created (e.g. arn:aws:iam::123456789012:role/aisec-readonly-role)
  • Region: enter the primary AWS region where your resources run (default: eu-west-1)
  • External ID: if you added one to the trust policy, enter it here; otherwise leave blank
  • Sync frequency: daily is recommended — IAM and Config data changes slowly
  • Click Connect, then Sync now to run an immediate first collection

Evidence collected

What appears in your evidence register

Each sync produces up to four evidence items, one per service category.

IAM MFA Coverage Report

Percentage of console-enabled IAM users with MFA active. Includes total user count and per-user MFA status.

  • Maps to ISO 27001: A.5.17 (Authentication)
  • Maps to SOC 2: CC6.1
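As an added example, not AISEC's own code, this Python shows how the figures in the IAM MFA Coverage Report can be derived from the IAM credential report CSV. The sample report is constructed and reduced to the columns the calculation reads (the real report has many more, which csv.DictReader ignores). It handles the two rows that commonly skew a naive count: the `<root_account>` row, whose password_enabled is `not_supported` and which is not an IAM user, and users with no console password, who are listed but not counted against console MFA coverage.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample in the IAM credential report's CSV layout, limited to the
# columns used below. Users and ARNs are made up for illustration.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
carol,arn:aws:iam::123456789012:user/carol,true,true,false
"""

ROOT_USER = "<root_account>"


def parse_credential_report(csv_text: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV (as returned by GetCredentialReport,
    after base64 decoding) into one dict per row keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def mfa_coverage(rows: List[Dict[str, str]]) -> Dict:
    """Compute the evidence item: percentage of console-enabled IAM users with
    MFA active, total IAM user count, and per-user MFA status.

    The root account row is excluded (it is not an IAM user and its
    password_enabled field reads 'not_supported'). Users without a console
    password appear in per_user but do not count toward the coverage figure.
    coverage_pct is None when there are no console-enabled users at all.
    """
    users = [r for r in rows if r["user"] != ROOT_USER]
    console = [r for r in users if r["password_enabled"] == "true"]
    with_mfa = [r for r in console if r["mfa_active"] == "true"]
    coverage: Optional[float] = (
        round(100.0 * len(with_mfa) / len(console), 1) if console else None
    )
    return {
        "total_users": len(users),
        "console_users": len(console),
        "mfa_users": len(with_mfa),
        "coverage_pct": coverage,
        "missing_mfa": [r["user"] for r in console if r["mfa_active"] != "true"],
        "per_user": {r["user"]: r["mfa_active"] == "true" for r in users},
    }


if __name__ == "__main__":
    report = mfa_coverage(parse_credential_report(SAMPLE_REPORT))
    print(f"{report['coverage_pct']}% of {report['console_users']} console users have MFA")
    print("missing MFA:", ", ".join(report["missing_mfa"]) or "none")
```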

Config Rule Compliance Summary

Count of compliant vs non-compliant Config rules with a percentage score. Lists non-compliant rule names.

  • Maps to ISO 27001: A.8.9 (Configuration management)
  • Maps to SOC 2: CC7.1

GuardDuty Threat Intelligence

High-severity finding count from the active GuardDuty detector. Flags if GuardDuty is not enabled.

  • Maps to ISO 27001: A.8.16 (Monitoring), A.5.25 (Incident response)

CloudTrail Audit Logging

Trail count, multi-region status, and log file validation status for each trail.

  • Maps to ISO 27001: A.8.15 (Logging), A.8.16 (Monitoring)
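As an added example (not AISEC's code), the following Python assembles the CloudTrail Audit Logging evidence item from the fields the connector would read per trail: Name, HomeRegion, IsMultiRegionTrail and LogFileValidationEnabled from DescribeTrails, merged with IsLogging from GetTrailStatus. The sample trails are constructed. Beyond the counts, it flags the cases an auditor cares about: a trail that exists but is not logging, log file validation switched off, and the configured region having no logging trail that covers it.

```python
from typing import Dict, List

# Constructed sample: two trail records shaped like the fields named above.
# Trail names are made up for illustration.
SAMPLE_TRAILS = [
    {"Name": "org-audit-trail", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True, "IsLogging": True},
    {"Name": "legacy-eu-trail", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False, "IsLogging": False},
]


def cloudtrail_evidence(trails: List[Dict], region: str) -> Dict:
    """Build the evidence item: trail count, multi-region status, per-trail
    log file validation and logging state, plus findings.

    A region counts as covered only when at least one trail that includes it
    (its home-region trail or any multi-region trail) is actually logging.
    """
    per_trail = []
    findings = []
    covered = False
    for t in trails:
        entry = {
            "name": t["Name"],
            "home_region": t["HomeRegion"],
            "multi_region": bool(t.get("IsMultiRegionTrail")),
            "log_file_validation": bool(t.get("LogFileValidationEnabled")),
            "logging": bool(t.get("IsLogging")),
        }
        per_trail.append(entry)
        if not entry["logging"]:
            findings.append(f"{entry['name']}: trail exists but is not logging")
        if not entry["log_file_validation"]:
            # Without validation digests, tampering with delivered log files
            # cannot be detected afterwards.
            findings.append(f"{entry['name']}: log file validation disabled")
        if entry["logging"] and (entry["multi_region"] or entry["home_region"] == region):
            covered = True
    if not trails:
        findings.append("no CloudTrail trails configured")
    elif not covered:
        findings.append(f"no logging trail covers region {region}")
    if not any(e["multi_region"] and e["logging"] for e in per_trail):
        findings.append("no logging multi-region trail: activity in other regions is not recorded")
    return {
        "trail_count": len(trails),
        "multi_region_trail": any(e["multi_region"] for e in per_trail),
        "region_covered": covered,
        "trails": per_trail,
        "findings": findings,
    }


if __name__ == "__main__":
    for f in cloudtrail_evidence(SAMPLE_TRAILS, "eu-west-1")["findings"]:
        print("finding:", f)
```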

Troubleshooting

Common issues

  • AccessDenied on sts:AssumeRole — check the trust policy allows the AISEC account/role as principal and the External ID matches.
  • No Config rules returned — confirm AWS Config is enabled and rules are deployed in the target region.
  • GuardDuty returns "Not Enabled" — this is expected if GuardDuty is not active; enable it to start collecting threat data.
  • IAM credential report times out — the report generation can take up to 4 hours for accounts with many users; retry on the next scheduled sync.


Ready to connect?

Open Settings → Integrations → AWS Config and enter your IAM role ARN.