Setup Guide

AWS Permission Analyzer

Deploy Cremit's AWS Permission Analyzer via CloudFormation to automatically map IAM permissions attached to any discovered AWS key. Identify over-privileged credentials and assess blast radius.

About this guide

This guide walks you through the complete setup process. Expected completion time: 5-10 minutes.

Overview

The AWS Permission Analyzer deploys a read-only IAM role in your AWS account via CloudFormation. When Argus discovers an AWS credential, the analyzer resolves that credential's real IAM permissions, lets you assess over-privilege, and maps the exposure surface before you rotate.

Prerequisites

  • AWS account with permission to create IAM roles and CloudFormation stacks
  • A Cremit Argus account on the Pro plan or above
  • For multi-account orgs: an administrator to approve the stack in each account

Step-by-Step Setup

Step 1: Download the CloudFormation template from Argus

  • In Argus, go to Security > Permission Analysis and click Add AWS Analyzer
  • Copy the provided External ID; you will use it in Step 2 to prevent confused-deputy attacks
  • Click Launch Stack to open the AWS CloudFormation console with the template pre-filled, or download the template YAML to deploy manually

Step 2: Deploy the CloudFormation stack

The stack creates an IAM role that Cremit can assume with least-privilege, read-only access.

  • Paste the External ID into the stack parameters
  • Review the IAM role; it grants iam:Get*, iam:List*, iam:Simulate* and read-only scoped-policy queries
  • Click Create Stack and wait for CREATE_COMPLETE (usually under 2 minutes)
  • Copy the Role ARN from the stack's Outputs tab

Step 3: Register the analyzer in Argus

  • Back in Argus's Add AWS Analyzer form, paste the Role ARN
  • Optionally label the account (for example, 'Prod', 'Staging')
  • Click Register

Step 4: Run the first analysis

Argus will analyze every previously discovered AWS credential tied to this account.

  • Results stream in as analysis completes; typical completion is 30-120 seconds per credential
  • Re-analysis is automatic whenever Argus detects a credential change, or on demand from the credential's detail page

Verification

To confirm the integration is configured correctly:

  • The analyzer appears in Registered Analyzers with a Connected status
  • Analysis Results shows parsed permission data for existing AWS credentials
  • The stack outputs a Role ARN matching what Argus displays
  • CloudTrail events from the analyzer role show only read-only API calls

Troubleshooting

Issue: Argus reports 'AssumeRole failed: AccessDenied'.

  • Solution: The External ID in the role's trust policy must match exactly what Argus shows. Re-generate the External ID in Argus, then update the stack's External ID parameter so the trust policy is rewritten. Also confirm that the Role ARN registered in Argus matches the stack's Outputs.

Issue: Analysis is slow or timing out for a specific credential.

  • Solution: Very large IAM policies (thousands of statements) take longer to simulate. Argus will complete them in the background; check back in 5-10 minutes, or open a support ticket if it persists.
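The trust-policy requirements from Step 2, the read-only CloudTrail check from Verification, and the AccessDenied case above can all be checked offline against a trust policy pulled with `aws iam get-role` and a CloudTrail export. The script below is an added example written for this guide, not Cremit's code or the stack template; the account ID, External ID, role name, trust policy and CloudTrail records in it are constructed placeholders to be replaced with the values Argus and your stack Outputs actually show.

```python
# Added example (not Cremit's code): offline checks for the analyzer role the
# stack creates. Account ID, External ID, role name, trust policy and CloudTrail
# records are constructed placeholders; substitute the values Argus shows you.
import fnmatch
import json

ANALYZER_ACCOUNT = "111122223333"            # assumed: Argus's AWS account ID
EXTERNAL_ID = "argus-7f3c9e2a"               # assumed: External ID copied from Argus
ROLE_NAME = "ArgusPermissionAnalyzerRole"    # assumed: role name from the stack Outputs

# The only actions a read-only permission analyzer needs; anything else in
# CloudTrail attributed to the role is worth investigating.
READ_ONLY_PATTERNS = ("iam:Get*", "iam:List*", "iam:Simulate*", "sts:GetCallerIdentity")


def expected_trust_policy(analyzer_account: str, external_id: str) -> dict:
    """Trust policy the stack should produce: only the analyzer account may assume
    the role, and only when it presents the External ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{analyzer_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, analyzer_account: str, external_id: str) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole;
    an empty list means the trust policy matches what Argus expects."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append("wildcard principal can assume the role")
            elif p != analyzer_account and f":{analyzer_account}:" not in p:
                findings.append(f"unexpected principal {p}")
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif got != external_id:
            findings.append("sts:ExternalId does not match Argus; AssumeRole will fail with AccessDenied")
    return findings


def non_read_only_calls(events: list, role_name: str) -> list:
    """Return service:action strings made under the analyzer role that fall
    outside READ_ONLY_PATTERNS. A healthy deployment returns []."""
    flagged = []
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("userName") != role_name:
            continue  # a session of some other principal
        service = ev["eventSource"].split(".")[0]   # "iam.amazonaws.com" -> "iam"
        action = f"{service}:{ev['eventName']}"
        if not any(fnmatch.fnmatchcase(action, pat) for pat in READ_ONLY_PATTERNS):
            flagged.append(action)
    return flagged


# Constructed sample: trust policy still carrying an External ID that Argus has
# since re-generated, i.e. the 'AssumeRole failed: AccessDenied' case.
STALE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "argus-stale-0000"}}}]}
""")


def _event(name, source="iam.amazonaws.com", role=ROLE_NAME):
    """Constructed CloudTrail record trimmed to the fields used above."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"userName": role}}}}


SAMPLE_EVENTS = [
    _event("GetAccountAuthorizationDetails"),
    _event("ListAttachedUserPolicies"),
    _event("SimulatePrincipalPolicy"),
    _event("GetCallerIdentity", source="sts.amazonaws.com"),
    _event("AttachUserPolicy"),                                             # write call: flagged
    _event("PutBucketPolicy", source="s3.amazonaws.com", role="OtherRole"),  # not our role: ignored
]

if __name__ == "__main__":
    good = expected_trust_policy(ANALYZER_ACCOUNT, EXTERNAL_ID)
    print("expected policy:", audit_trust_policy(good, ANALYZER_ACCOUNT, EXTERNAL_ID))
    print("stale policy:", audit_trust_policy(STALE_TRUST_POLICY, ANALYZER_ACCOUNT, EXTERNAL_ID))
    print("non-read-only calls:", non_read_only_calls(SAMPLE_EVENTS, ROLE_NAME))
```

Feed `audit_trust_policy` the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <name>` and `non_read_only_calls` the records from a CloudTrail lookup or S3 export; a non-empty result from either is the first thing to fix before trusting the analysis results.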

Key Benefits

  • Read-only access scoped to IAM: the analyzer role can read and simulate policies, but cannot modify anything in the account or read application data
  • CloudFormation deploy is one-click per account and fully auditable
  • Cross-account trust via External ID prevents Confused Deputy risks
  • Automatic re-analysis when credentials change keeps assessments current