Setup Guide

AWS S3 Integration

Integrate Cremit with AWS S3 to scan your buckets for exposed credentials and sensitive data using CloudFormation or manual IAM role setup.

About this guide

This comprehensive guide will walk you through the complete setup process. Expected completion time: 5-10 minutes.

Overview

Cremit's AWS S3 integration allows you to scan your S3 buckets for exposed credentials, API keys, and other sensitive information. This integration uses IAM roles with trust relationships to securely access your S3 buckets in read-only mode.


Setup Methods

Cremit provides three methods to integrate with AWS S3:

  1. CloudFormation (Auto) - Fastest and recommended method
  2. Manual Setup - Step-by-step manual IAM role creation
  3. IaC Templates - Infrastructure as Code templates for automated deployment

Method 1: CloudFormation (Auto) - Recommended

This is the fastest way to set up AWS S3 scanning. Cremit provides a pre-configured CloudFormation template that automatically creates the necessary IAM role and permissions.

Step 1: Navigate to Scan Sources

  1. Log in to your Cremit dashboard
  2. Navigate to Configuration > Scan Sources in the left sidebar
  3. Click the New or Create button

Step 2: Select CloudFormation Setup

  1. Select AWS S3 as the scan source type
  2. Choose CloudFormation (Auto) tab (selected by default)
  3. Enter the following information:
    • Label: Enter a descriptive name (e.g., "Company Inc.")
    • Description: (Optional) Add additional details
    • AWS Account ID: Enter your 12-digit AWS Account ID

Step 3: Deploy CloudFormation Stack

  1. Click Create & Open CloudFormation
  2. You will be redirected to AWS Console with the pre-configured CloudFormation template
  3. Review the template parameters and permissions
  4. Click Create stack in AWS Console
  5. Wait for the stack creation to complete (usually takes 1-2 minutes)
  6. Return to Cremit to verify the connection

Step 4: Verify Connection

  1. The scan source will be automatically created in Cremit
  2. Verify that the connection is successful
  3. Your S3 buckets will begin appearing in the Target Management section

Method 2: Manual Setup

If you prefer to manually create the IAM role or need more control over the setup process, follow these detailed instructions.

Step 1: Create IAM Role with Custom Trust Policy

  1. Open AWS IAM Console
  2. Navigate to Roles > Create role
  3. Select Custom trust policy as trusted entity type
  4. Copy and paste the trust policy provided in Cremit (note the empty region field in the principal ARN, written as the double colon after "iam"):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowCremitArgusServiceToAssumeRole",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::149350259544:role/CremitArgusServiceRole"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "b247cdfc-120f-4b7c-ad91-529cdaf5c655"
            }
          }
        }
      ]
    }

  5. Click Next: Attach Permissions

Step 2: Add Permissions

  1. Click Next to proceed to Add permissions page
  2. In the search box, type: AmazonS3ReadOnlyAccess
  3. Check the box next to AmazonS3ReadOnlyAccess policy
  4. Click Next to proceed to Name, review, and create

Note: This AWS managed policy grants read-only access to all S3 buckets in your account. Make sure this aligns with your security requirements.

Step 3: Name and Create Role

  1. Enter the role name exactly as shown below:

    CremitArgusScanServiceRole

  2. (Optional) Add a description for the role
  3. Click Create role
  4. Once created, click Verify Connection in Cremit to test the setup
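The Python script below is an added example, not part of this guide or of Cremit's own tooling. It builds the trust policy from Step 1 and checks a trust policy document for the mistakes that cause the failures listed under Troubleshooting: an External ID that differs from the one Cremit provided (AccessDenied), a wildcard principal, and a principal ARN missing the empty region field (arn:aws:iam:ACCOUNT:... instead of arn:aws:iam::ACCOUNT:...). The principal ARN and External ID are the values shown in the trust policy above; the file name trust-policy.json and the aws iam commands it prints are an assumed CLI equivalent of the console steps.

```python
import json
import re

# Principal ARN and External ID as they appear in the trust policy in this
# guide; the values for your tenant come from the Cremit setup wizard.
CREMIT_SERVICE_ROLE_ARN = "arn:aws:iam::149350259544:role/CremitArgusServiceRole"
EXTERNAL_ID = "b247cdfc-120f-4b7c-ad91-529cdaf5c655"
ROLE_NAME = "CremitArgusScanServiceRole"

# IAM role ARNs have an empty region field, hence the double colon after "iam".
IAM_ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")


def build_trust_policy(service_role_arn: str, external_id: str) -> dict:
    """Trust policy: only the named Cremit role may assume ours, and only when
    it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCremitArgusServiceToAssumeRole",
                "Effect": "Allow",
                "Principal": {"AWS": service_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, expected_arn: str, expected_external_id: str) -> list:
    """Return findings for the mistakes behind the Troubleshooting errors;
    an empty list means the trust policy looks right."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    allow = [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allow:
        return findings + ["no Allow statement: nobody can assume the role"]
    for st in allow:
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            findings.append("statement does not allow sts:AssumeRole")
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*":
                findings.append("Principal is a wildcard: any AWS account could assume the role")
            elif not IAM_ROLE_ARN_RE.fullmatch(str(p)):
                findings.append(f"Principal {p!r} is a malformed IAM role ARN")
            elif p != expected_arn:
                findings.append(f"Principal {p!r} is not the Cremit service role")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition")
        elif ext_id != expected_external_id:
            findings.append("External ID does not match the one provided by Cremit (AccessDenied)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(CREMIT_SERVICE_ROLE_ARN, EXTERNAL_ID)
    assert check_trust_policy(policy, CREMIT_SERVICE_ROLE_ARN, EXTERNAL_ID) == []
    # Assumed file name; the commands printed mirror the console steps above.
    with open("trust-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          "--assume-role-policy-document file://trust-policy.json")
    print(f"aws iam attach-role-policy --role-name {ROLE_NAME} "
          "--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess")
```

Run it once to write trust-policy.json and print the two CLI commands; run check_trust_policy against the policy you actually pasted into the console (aws iam get-role returns it under AssumeRolePolicyDocument) when Verify Connection reports AccessDenied.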


Method 3: IaC Templates

For organizations using Infrastructure as Code, Cremit provides templates for:

  • Terraform
  • AWS CDK
  • Pulumi

Contact Cremit support or check the IaC Templates tab in the setup wizard for template files.


Verification

To verify successful integration:

  1. Check that the scan source appears in Configuration > Scan Sources
  2. Verify that S3 buckets are listed in the Target Management section
  3. Ensure the connection status shows as "Connected" or "Enabled"
  4. Monitor initial scan progress

Troubleshooting

AccessDenied Error

  • Issue: Connection fails with AccessDenied error
  • Solution: Double-check that the External ID in the trust policy matches exactly with the one provided by Cremit

Role not found Error

  • Issue: Cremit cannot find the IAM role
  • Solution: Ensure the role name is exactly CremitArgusScanServiceRole (case-sensitive)

Permission denied Error

  • Issue: Scanning fails due to permission errors
  • Solution: Verify that the AmazonS3ReadOnlyAccess IAM policy is attached correctly to the role

CloudFormation Stack Creation Failed

  • Issue: CloudFormation stack creation fails
  • Solution:
    • Check that you have sufficient permissions to create IAM roles
    • Verify that the stack name doesn't conflict with existing resources
    • Review CloudFormation events for specific error messages

Security Considerations

  • Read-Only Access: The integration only requires read-only access to S3 buckets
  • Trust Relationship: Access is restricted through AWS IAM trust policies with External ID validation
  • No Data Modification: Cremit cannot modify, delete, or upload any data to your S3 buckets
  • Scoped Permissions: You can customize the IAM policy to limit access to specific buckets if needed
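As an added example (not Cremit's code and not from this guide), the Python below shows what the Scoped Permissions point looks like in practice: a customer-managed policy that grants read-only access to named buckets only, next to a stand-in for the account-wide AmazonS3ReadOnlyAccess managed policy, and a small Allow-only evaluator used to compare the two. The bucket names are constructed, and the evaluator deliberately ignores Deny statements, conditions, bucket policies and SCPs, which real IAM evaluation also applies.

```python
import fnmatch

# Constructed bucket names for the example; substitute the buckets you want scanned.
SCANNED_BUCKETS = ["example-app-logs", "example-data-exports"]

# Stand-in for what the AWS managed AmazonS3ReadOnlyAccess policy grants:
# read and list actions on every bucket in the account.
ACCOUNT_WIDE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:Describe*"], "Resource": "*"}
    ],
}


def scoped_s3_read_only_policy(buckets):
    """Customer-managed policy limiting the scanner to the listed buckets.
    Enumerating the account's buckets is an account-level action, so it stays
    on "*"; bucket listing and object reads are pinned to the named buckets."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnumerateBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                "Resource": "*",
            },
            {
                "Sid": "ListScannedBuckets",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [f"arn:aws:s3:::{b}" for b in buckets],
            },
            {
                "Sid": "ReadScannedObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Minimal Allow-only evaluator for comparing policy scope: honours the *
    wildcard in Action and Resource, ignores Deny, conditions and other layers."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def compare_scope(buckets, probe_objects):
    """For each probe object ARN, report whether the account-wide managed policy
    and the scoped policy would let the scanner read it."""
    scoped = scoped_s3_read_only_policy(buckets)
    return {
        obj: {
            "AmazonS3ReadOnlyAccess": allows(ACCOUNT_WIDE_READ_ONLY, "s3:GetObject", obj),
            "scoped": allows(scoped, "s3:GetObject", obj),
        }
        for obj in probe_objects
    }


if __name__ == "__main__":
    probes = ["arn:aws:s3:::example-app-logs/2024/app.log",
              "arn:aws:s3:::finance-backups/ledger.csv"]
    for obj, verdict in compare_scope(SCANNED_BUCKETS, probes).items():
        print(obj, verdict)
```

Attach the scoped policy in place of AmazonS3ReadOnlyAccess in Step 2 of the manual setup if only some buckets should be scanned; buckets outside the list will then not appear in Target Management, which is the intended effect rather than a Permission denied problem.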

Key Benefits

  • Multiple Setup Options: Choose the method that best fits your workflow
  • Secure Access: Uses IAM roles with trust relationships and External ID validation
  • Read-Only: No risk of data modification or deletion
  • CloudFormation Automation: Quick setup with pre-configured templates
  • Comprehensive Scanning: Scans all accessible S3 buckets for exposed credentials
