
Connect AWS

Connect Your AWS Account(s) to Scytale

Updated over 2 weeks ago

Overview

The AWS integration connects your AWS account(s) to Scytale, enabling automated evidence collection for compliance monitoring across services such as CloudTrail, CloudWatch, DynamoDB, EC2, GuardDuty, and more. The integration supports both Single Account and Multiple Accounts connection flows.

Prerequisites

Before you begin, ensure you have:

  • AWS Console access with permissions to create CloudFormation stacks and IAM roles.

  • Your AWS Account ID(s) ready.

  • For multiple accounts: access to your AWS Management Account (the account with AWS Organizations enabled) and your Organization ID.

Connection Flow 1: Multiple Accounts

This flow allows you to connect multiple AWS accounts simultaneously using your AWS Organization ID.

Step 1 – Select Accounts

  1. In Scytale, navigate to Integrations → AWS.

  2. Click Connect.

  3. Select Multiple Accounts.

  4. Enter the following:

    • Organization ID – Found in your AWS Management Account (see Finding Your Organization ID below).

    • Account IDs – Copy all your Account IDs separated by commas and paste them directly into the field (e.g., 111111111111,222222222222,333333333333).

  5. Click Next.

Finding Your Organization ID

  1. Log in to the AWS account that has AWS Organizations enabled (your Management Account).

  2. In the AWS Console, search for and navigate to AWS Organizations.

  3. On the left sidebar, your Organization ID is displayed (format: o-xxxxxxxxxx).

Step 2 – Select Services & Regions

Select your desired regions and services, then verify the Summary at the bottom.

Step 3 – Grant Permissions

This step grants Scytale secure, read-only access across all your connected AWS accounts.

  1. Click Open AWS & Deploy CloudFormation (you need to be logged in to the management account to open the link). This opens the AWS Console and pre-loads a CloudFormation Quick Create Stack page.

  2. In the AWS Console, scroll down to the Capabilities section.

  3. Check the acknowledgment box: "I acknowledge that AWS CloudFormation might create IAM resources with custom names."

  4. Click Create Stack.

  5. Wait for the stack to finish deploying.

  6. Refresh the page until both resources show CREATE_COMPLETE:

    1. ScytaleRole — ✅ CREATE_COMPLETE

    2. ScytaleSecurityAudit — ✅ CREATE_COMPLETE

  7. Return to Scytale, check the confirmation box: "I confirm that I have successfully created the required CloudFormation stack in my AWS account."

  8. Click Save.

⚠️ Do not check the confirmation box until both resources show CREATE_COMPLETE. Stack creation typically takes 1–3 minutes.

🔒 Note: The IAM role created is read-only. Scytale cannot make changes to your AWS environment. You can review the full list of permissions in the CloudFormation template URL provided at the top of the Permissions step.

Managing Connections

After connecting, navigate to Integrations → AWS → Connections tab to:

  • View all connected accounts and their status (Connected / Error).

  • See which services and regions are active per account.

  • Add a Connection Name for easier identification.

  • Add new connections via + Add Connection.

  • Disconnect the integration if needed.

Security & Permissions

  • Scytale uses a read-only IAM role — no write or administrative access is granted.

  • All permissions are defined in the CloudFormation template, which you can review before deployment via the template URL shown in Step 3.
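The two things this section and Step 3 ask you to confirm by hand (both stack resources reached CREATE_COMPLETE, and the role the stack created really is read-only) can also be checked against the JSON that the AWS CLI returns (`aws cloudformation describe-stack-resources`, `aws iam get-role`, `aws iam get-role-policy`). The script below is an added example, not Scytale's code or template; the responses embedded in it are constructed samples, the account number and resource names are placeholders, and the list of "read-only" verb prefixes is an assumption of this example, so anything it flags is a prompt for manual review rather than a verdict. Whether the template's trust policy sets an sts:ExternalId condition is something you confirm in the template URL; the script only reports what is present.

```python
"""Post-deployment checks for a vendor read-only CloudFormation stack.

Added example, not Scytale's code or template. The functions consume the
JSON shapes returned by `aws cloudformation describe-stack-resources`,
`aws iam get-role` (AssumeRolePolicyDocument) and `aws iam get-role-policy`
(PolicyDocument). All sample responses below are constructed.
"""
from __future__ import annotations

import json

# Logical resource IDs the article says must reach CREATE_COMPLETE.
EXPECTED_LOGICAL_IDS = {"ScytaleRole", "ScytaleSecurityAudit"}

# Assumed classification: verbs that only read or enumerate state. Audit
# verbs such as Generate*/Simulate* create no resources but are listed
# explicitly so a reviewer sees the choice. Everything else is reported.
READ_ONLY_VERB_PREFIXES = (
    "Get", "List", "Describe", "BatchGet", "Lookup", "Search", "Scan",
    "Query", "Select", "View", "Check", "Generate", "Simulate", "Head",
)


def stack_ready(describe_output: dict) -> tuple[bool, dict]:
    """Mirror the manual 'refresh until CREATE_COMPLETE' step.

    Returns (all_expected_complete, {logical_id: status}); an expected
    resource that is absent from the output is reported as MISSING."""
    status = {r["LogicalResourceId"]: r["ResourceStatus"]
              for r in describe_output.get("StackResources", [])}
    seen = {lid: status.get(lid, "MISSING") for lid in EXPECTED_LOGICAL_IDS}
    return all(s == "CREATE_COMPLETE" for s in seen.values()), seen


def is_read_only_action(action: str) -> bool:
    """Classify one IAM action string such as 'ec2:DescribeInstances'.
    Bare or service-level wildcards are never treated as read-only."""
    if action == "*" or action.endswith(":*"):
        return False
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def _as_list(value) -> list:
    """IAM documents allow a single string/object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy_document: dict) -> list[str]:
    """Sorted list of Allow actions that are not read-only (for review)."""
    flagged = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        flagged.update(a for a in _as_list(stmt.get("Action"))
                       if not is_read_only_action(a))
    return sorted(flagged)


def trust_summary(trust_policy: dict) -> dict:
    """Who may assume the role, and whether sts:ExternalId narrows it."""
    principals, external_id = [], False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principals.extend(_as_list(stmt.get("Principal", {}).get("AWS")))
        conditions = stmt.get("Condition", {})
        external_id |= any("sts:ExternalId" in c for c in conditions.values())
    return {"principals": principals, "external_id_required": external_id}


# --- constructed sample responses (placeholders, not real resources) ------
STACK_OUTPUT = {"StackResources": [
    {"LogicalResourceId": "ScytaleRole", "PhysicalResourceId": "PLACEHOLDER-ROLE",
     "ResourceStatus": "CREATE_COMPLETE"},
    {"LogicalResourceId": "ScytaleSecurityAudit", "PhysicalResourceId": "PLACEHOLDER-POLICY",
     "ResourceStatus": "CREATE_COMPLETE"},
]}
STACK_IN_PROGRESS = json.loads(json.dumps(STACK_OUTPUT))
STACK_IN_PROGRESS["StackResources"][1]["ResourceStatus"] = "CREATE_IN_PROGRESS"

POLICY_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "cloudtrail:DescribeTrails", "cloudwatch:ListMetrics", "dynamodb:ListTables",
    "ec2:DescribeInstances", "guardduty:ListDetectors"], "Resource": "*"}]}
POLICY_BAD = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": [
    "ec2:DescribeInstances", "ec2:TerminateInstances", "s3:*"], "Resource": "*"}}
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::000000000000:root"},  # placeholder vendor account
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    ready, statuses = stack_ready(STACK_IN_PROGRESS)
    print("stack ready:", ready, statuses)
    print("flagged actions (ok policy):", non_read_only_actions(POLICY_OK))
    print("flagged actions (bad policy):", non_read_only_actions(POLICY_BAD))
    print("trust:", trust_summary(TRUST))
```

In practice you would pipe the real CLI output into these functions instead of the embedded samples; the point is that "read-only" is a property you can check for yourself in the policy the stack attached, and that the trust policy tells you exactly which external account is being allowed to assume the role.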

Connection Flow 2: Single Account

Step 1 – Select Accounts

  1. In Scytale, navigate to Integrations → AWS.

  2. Click Connect.

  3. In the Connect AWS Accounts dialog, select Single Account.

  4. Enter your AWS Account ID and click Next.

Step 2 – Select Services & Regions

  1. Under Select Regions, choose the AWS regions you want to monitor (e.g., us-east-1, us-east-2). You can select All regions or pick specific ones.

  2. Under Select Services, choose the AWS services to connect.

  3. Click Next when satisfied.

Step 3 – Grant Permissions (CloudFormation)

This step grants Scytale secure, read-only access to your AWS account.

  1. Click Open AWS & Deploy CloudFormation (you need to be logged in to the management account to open the link). This opens the AWS Console and pre-loads a CloudFormation Quick Create Stack page.

  2. In the AWS Console, scroll down to the Capabilities section.

  3. Check the acknowledgment box: "I acknowledge that AWS CloudFormation might create IAM resources with custom names."

  4. Click Create Stack.

  5. Wait for the stack to finish deploying. Refresh the page until both resources show CREATE_COMPLETE:

    1. ScytaleRole — ✅ CREATE_COMPLETE

    2. ScytaleSecurityAudit — ✅ CREATE_COMPLETE

  6. Return to Scytale, check the confirmation box: "I confirm that I have successfully created the required CloudFormation stack in my AWS account."

  7. Click Save.

⚠️ Do not check the confirmation box until both resources show CREATE_COMPLETE. Stack creation typically takes 1–3 minutes.

🔒 Note: The IAM role created is read-only. Scytale cannot make changes to your AWS environment. You can review the full list of permissions in the CloudFormation template URL provided at the top of the Permissions step.
