
Integrations

Cloud Provider Integrations

EchelonGraph connects to your cloud providers using read-only credentials. We never request write, delete, or modify permissions — our scanner operates entirely through API calls.


AWS Integration

What You Need

  • An AWS account (with IAM admin permissions to create roles/policies)
  • An EchelonGraph account with Admin role
  • Your EchelonGraph Tenant ID (found in Settings → Organization)

Option A: Cross-Account Role (Recommended)

This is the recommended production method. EchelonGraph uses AWS STS AssumeRole — no long-lived access keys are stored.

#### Step 1: Create the IAM Policy

Create a custom policy or use the AWS-managed SecurityAudit policy. For a minimal custom policy, use this JSON:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EchelonGraphReadOnly",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "guardduty:GetFindings",
        "guardduty:ListDetectors",
        "guardduty:ListFindings",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListMFADevices",
        "iam:ListRoles",
        "iam:ListUsers",
        "kms:DescribeKey",
        "kms:GetKeyRotationStatus",
        "kms:ListKeys",
        "lambda:ListFunctions",
        "rds:DescribeDBInstances",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "s3:GetBucketAcl",
        "s3:GetBucketEncryption",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
```

Or simply attach the AWS-managed SecurityAudit + ViewOnlyAccess policies for broader coverage.

#### Step 2: Create the IAM Role with Trust Policy

Create an IAM role with the following trust policy. Replace YOUR_TENANT_ID with your EchelonGraph tenant ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::471112580098:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_TENANT_ID"
        }
      }
    }
  ]
}
```

#### AWS CLI Commands

```bash
# 1. Create the IAM policy
aws iam create-policy \
  --policy-name EchelonGraphSecurityAudit \
  --policy-document file://echelongraph-policy.json

# 2. Create the IAM role with the trust policy
aws iam create-role \
  --role-name EchelonGraphSecurityAudit \
  --assume-role-policy-document file://echelongraph-trust.json \
  --description "Read-only role for EchelonGraph cloud security scanning"

# 3. Attach the policy to the role
aws iam attach-role-policy \
  --role-name EchelonGraphSecurityAudit \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/EchelonGraphSecurityAudit

# 4. (Alternative) Attach AWS-managed SecurityAudit policy instead
aws iam attach-role-policy \
  --role-name EchelonGraphSecurityAudit \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit
```
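Before running the commands above, it is worth checking the two JSON files locally: a wrong Principal or a placeholder left in sts:ExternalId shows up later only as AccessDenied on AssumeRole, and a non-read-only action in the custom policy silently widens what the role can do. The following is an added Python example, not EchelonGraph's own tooling; the file names match the CLI commands, the principal ARN and placeholder come from the trust policy shown above, and the tenant ID is taken from the command line.

```python
import json
import re
import sys

# Principal named in the trust policy above (EchelonGraph's scanner account).
ECHELONGRAPH_PRINCIPAL = "arn:aws:iam::471112580098:root"
# Every action in the minimal policy above is a Describe/List/Get call; flag anything else.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z0-9]+$")

def check_trust_policy(doc: dict, tenant_id: str) -> list:
    """Return problems in a role trust policy; an empty list means it matches the template."""
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") not in ("sts:AssumeRole", ["sts:AssumeRole"]):
            continue
        problems = []
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != ECHELONGRAPH_PRINCIPAL:
            problems.append(f"Principal is {principal!r}, expected {ECHELONGRAPH_PRINCIPAL!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            # Without the ExternalId condition, any caller in the trusted account could assume the role.
            problems.append("missing sts:ExternalId condition")
        elif ext == "YOUR_TENANT_ID":
            problems.append("sts:ExternalId placeholder was never replaced")
        elif ext != tenant_id:
            problems.append(f"sts:ExternalId {ext!r} does not match tenant ID {tenant_id!r}")
        return problems
    return ["no Allow statement for sts:AssumeRole"]

def check_permissions_policy(doc: dict) -> list:
    """Flag wildcard actions and any action that is not a Describe/List/Get call."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if "*" in action:
                problems.append(f"wildcard action {action!r}")
            elif not READ_ONLY_ACTION.match(action):
                problems.append(f"non read-only action {action!r}")
    return problems

if __name__ == "__main__":  # usage: python check_policies.py TENANT_ID
    tenant = sys.argv[1] if len(sys.argv) > 1 else "YOUR_TENANT_ID"
    with open("echelongraph-trust.json") as f:
        findings = check_trust_policy(json.load(f), tenant)
    with open("echelongraph-policy.json") as f:
        findings += check_permissions_policy(json.load(f))
    print("\n".join(findings) or "OK: trust policy and permissions policy match the template")
```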

#### CloudFormation (1-Click Deploy)

Deploy this CloudFormation template in your AWS Console to create the role automatically:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: EchelonGraph Security Audit - Cross-Account IAM Role
Parameters:
  TenantId:
    Type: String
    Description: Your EchelonGraph Tenant ID (found in Settings)
    MinLength: 1
Resources:
  EchelonGraphRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: EchelonGraphSecurityAudit
      Description: Read-only role for EchelonGraph cloud security scanning
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::471112580098:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref TenantId
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
Outputs:
  RoleArn:
    Description: Role ARN to paste into EchelonGraph
    Value: !GetAtt EchelonGraphRole.Arn
```

#### Step 3: Connect in EchelonGraph

  1. Go to Settings → Cloud Accounts → Add Account
  2. Select Amazon Web Services
  3. Choose Cross-Account Role (Recommended)
  4. Paste your Role ARN (e.g. arn:aws:iam::123456789012:role/EchelonGraphSecurityAudit)
  5. The External ID field is auto-populated with your EchelonGraph Tenant ID — no action needed
  6. Select your primary AWS region
  7. Click Test Connection — EchelonGraph will validate access via STS
  8. Save and trigger your first scan

Option B: Access Keys (Quick Start)

For rapid evaluation, you can use IAM user access keys. Not recommended for production — use cross-account roles instead.

  1. Create an IAM user with the SecurityAudit managed policy
  2. Generate an access key pair in IAM → Users → Security Credentials
  3. Go to Settings → Cloud Accounts → Add Account
  4. Select Amazon Web Services → Access Keys (Quick Start)
  5. Enter your Access Key ID and Secret Access Key
  6. Select your primary region and click Test Connection

> Security note: Access keys are long-lived credentials. If you use this method, rotate keys every 90 days and restrict the IAM user to only the permissions listed above.


What EchelonGraph Scans (14 AWS Services)

| Service | Assets Discovered | API Calls Used |
| --- | --- | --- |
| EC2 | Instances, AMIs, security groups | DescribeInstances |
| VPC | VPCs, subnets, NAT/Internet gateways | DescribeVpcs, DescribeSubnets, DescribeNatGateways, DescribeInternetGateways |
| Security Groups | Ingress/egress rules, CIDR ranges | DescribeSecurityGroups |
| RDS | Database instances, encryption, backups | DescribeDBInstances |
| S3 | Buckets — encryption, versioning, public access, ACLs | ListBuckets, GetBucketEncryption, GetBucketAcl, GetPublicAccessBlock, GetBucketVersioning, GetBucketLocation |
| IAM | Users, roles, MFA status, access key age, policies | ListUsers, ListRoles, ListMFADevices, ListAccessKeys, ListAttachedUserPolicies |
| Lambda | Functions — runtime, VPC config, layers, env vars | ListFunctions |
| ELB/ALB | Load balancers, listeners, target groups, certificates | DescribeLoadBalancers, DescribeListeners, DescribeTargetGroups |
| CloudTrail | Trails, logging status, multi-region config | DescribeTrails, GetTrailStatus |
| ACM | TLS certificates — expiry, renewal status | ListCertificates, DescribeCertificate |
| KMS | Encryption keys — rotation status, key policies | ListKeys, DescribeKey, GetKeyRotationStatus |
| Route 53 | Hosted zones, DNS records | ListHostedZones, ListResourceRecordSets |
| EKS | Kubernetes clusters — version, endpoints, logging | ListClusters, DescribeCluster |
| GuardDuty | Threat detections — severity, findings | ListDetectors, ListFindings, GetFindings |

All calls are read-only. EchelonGraph never modifies, creates, or deletes any AWS resource.


Troubleshooting

| Error | Cause | Fix |
| --- | --- | --- |
| AccessDenied on AssumeRole | Trust policy doesn't match | Verify the Principal ARN and ExternalId in your trust policy |
| ExpiredToken | STS session expired | EchelonGraph automatically refreshes — retry the scan |
| UnauthorizedAccess on a specific API | Missing permission | Add the API action to your IAM policy |
| Connection test succeeds but scan returns 0 assets | Wrong region selected | Ensure the region in EchelonGraph matches where your resources are deployed |
| InvalidIdentityToken | Incorrect role ARN format | Role ARN must be arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME |

Credential Rotation

  • Cross-Account Role: No rotation needed — STS tokens are short-lived (1 hour). Update the trust policy only if you change your EchelonGraph tenant ID.
  • Access Keys: Rotate every 90 days via IAM → Users → Security Credentials. Update the new keys in EchelonGraph Settings → Cloud Accounts.

EchelonGraph uses AWS STS AssumeRole — no long-lived access keys are required.


GCP Integration

What You Need

  • A GCP project with Cloud Asset Inventory API enabled
  • A read-only service account

Setup

  1. Create a service account with read-only viewer roles
  2. Register the cloud account in EchelonGraph, providing the service account credentials and project ID

Recommended: Use Workload Identity Federation for zero-secret authentication. With WIF, no service account key is ever generated, stored, or transmitted — the most secure integration model available.


Azure Integration

What You Need

  • An Azure AD App Registration with Reader role on your target subscriptions

Setup

  1. Create an App Registration and Service Principal in Azure AD
  2. Assign the Reader role on the subscriptions you want to scan
  3. Register the cloud account in EchelonGraph, providing the tenant ID, client ID, and subscription ID

SSO — SAML 2.0

Connect your SAML 2.0 identity provider for single sign-on. Supported IdPs include Okta, Azure AD, OneLogin, and PingIdentity.

Setup

  1. Create a SAML application in your IdP with the EchelonGraph ACS URL and audience URI (provided in your admin console)
  2. Configure the integration in EchelonGraph with your IdP metadata URL
  3. Enable automatic user provisioning and set a default role for new SSO users

SSO — OIDC

Connect any OpenID Connect provider for single sign-on. Supported providers include Google Workspace, Okta, Azure AD, Auth0, and Keycloak.

Setup

  1. Create an OIDC client in your IdP with the EchelonGraph callback URL (provided in your admin console)
  2. Configure the integration in EchelonGraph with your issuer URL, client ID, and client secret
  3. Enable automatic user provisioning and group-to-role mapping

Uses PKCE (RFC 7636) for secure authorization code flow.


SSO — LDAP / Active Directory

Connect your corporate directory for centralized authentication. Supports LDAPS (TLS) and StartTLS for encrypted connections.

Setup

  1. Configure the LDAP connection in EchelonGraph with your directory server details
  2. Define user and group search bases for automatic discovery
  3. Map LDAP groups to EchelonGraph roles for automatic role assignment
  4. Test the connection before enabling for users

Webhook Integrations

Send real-time security events to Slack, PagerDuty, Jira, ServiceNow, or any HTTP endpoint:

  • Alert creation and resolution
  • Scan completions
  • Compliance score changes
  • Incident creation

All webhook payloads are cryptographically signed for verification, ensuring you can trust the source of every notification.