Overview
Cremit's AWS S3 integration allows you to scan your S3 buckets for exposed credentials, API keys, and other sensitive information. This integration uses IAM roles with trust relationships to securely access your S3 buckets in read-only mode.
Setup Methods
Cremit provides three methods to integrate with AWS S3:
- CloudFormation (Auto) - Fastest and recommended method
- Manual Setup - Step-by-step manual IAM role creation
- IaC Templates - Infrastructure as Code templates for automated deployment
Method 1: CloudFormation (Auto)
This is the fastest way to set up AWS S3 scanning. Cremit provides a pre-configured CloudFormation template that automatically creates the required IAM role and permissions.
Step 1: Navigate to Scan Sources
- Log in to your Cremit dashboard
- Navigate to Configuration > Scan Sources in the left sidebar
- Click the New or Create button
- Select AWS S3 as the scan source type
- Choose CloudFormation (Auto) tab (selected by default)
- Enter the following information:
  - Label: Enter a descriptive name (e.g., "Company Inc.")
  - Description: (Optional) Add details about this scan source
- Click Create & Open CloudFormation
- You will be redirected to AWS Console with the pre-configured CloudFormation template
- Review the template parameters and permissions
- Acknowledge IAM resource creation
- Click Create stack
Step 4: Verify Connection
- The scan source will be automatically created in Cremit
- Verify that the connection is successful
- Your S3 buckets will start appearing in the Target Management section
Method 2: Manual Setup
If you prefer to manually create the IAM role or need more control over the setup process, follow these detailed instructions.
Step 1: Create IAM Role with Custom Trust Policy
- Open AWS IAM Console
- Navigate to Roles → Create role
- Select Custom trust policy as trusted entity type
- Copy and paste the trust policy provided by Cremit
- Click Next: Attach Permissions
Step 2: Add Permissions
- Click Next to proceed to Add permissions page
- In the search box, type: AmazonS3ReadOnlyAccess
- Check the box next to AmazonS3ReadOnlyAccess policy
- Click Next
Step 3: Name and Create Role
- Enter the role name exactly as shown in Cremit
- (Optional) Add a description for the role
- Click Create role
- After creation, click Verify Connection in Cremit to test setup
Method 3: IaC Templates
For organizations using Infrastructure as Code, Cremit provides templates for:
Contact Cremit support or check the IaC Templates tab in the setup wizard for template files.
Verification
To verify successful integration:
- Check that the scan source appears in Configuration > Scan Sources
- Verify that S3 buckets are listed in the Target Management section
- Confirm connection status shows "Connected"
Troubleshooting
AccessDenied Error
- Issue: Connection fails with AccessDenied error
- Solution: Double-check that the External ID in the trust policy exactly matches the one provided by Cremit
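As an added example (not Cremit's own code or policy text), the following Python check reviews the trust policy created in Step 1 of the manual setup against the AccessDenied cause above: it confirms that the role can only be assumed by the expected principal and only with the expected External ID. The account ID and External ID used here are placeholders assumed for the example; substitute the values shown in the Cremit wizard.

```python
import json

# Constructed trust policy of the shape this integration relies on. The
# account ID and External ID below are placeholders (assumed for the
# example), not Cremit's real values: use the text shown in the Cremit wizard.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def check_trust_policy(policy, expected_principal, expected_external_id):
    """Return problems found in a trust policy (empty list means OK): every
    Allow statement granting sts:AssumeRole must name only the expected
    principal and require the expected External ID."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # this statement does not grant role assumption
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS")
        if isinstance(aws, list) and len(aws) == 1:
            aws = aws[0]
        if aws == "*":
            problems.append("statement trusts any AWS principal")
        elif aws != expected_principal:
            problems.append(f"unexpected principal {aws!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            problems.append("External ID does not match the one issued by Cremit")
    return problems


if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY, "arn:aws:iam::111111111111:root",
                             "EXAMPLE-EXTERNAL-ID") or "trust policy OK")
```

To check a live role, feed the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) into `check_trust_policy` instead of the constructed policy.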
Security Considerations
- Read-Only Access: The integration only requires read-only access to S3 buckets
- Trust Relationship: Access is restricted by AWS IAM trust policy with External ID validation
- No Data Modification: Cremit cannot modify or delete any data in your S3 buckets
Key Benefits
- ✅ Multiple Setup Options: Choose the method that best fits your workflow
- ✅ Secure Access: Uses IAM roles with trust relationships and External ID validation
- ✅ Read-Only: No risk of data modification or deletion