AWS Setup

LightPane connects to your AWS account using a cross-account IAM role. This is the same pattern used by Datadog, Wiz, Vanta, and every major cloud SaaS integration. LightPane never stores AWS credentials — it uses temporary STS credentials that expire automatically.

What gets created

A single IAM role in your AWS account with:

  • Trust policy — allows the LightPane AWS account to assume the role
  • Permission policy — the AWS managed SecurityAudit policy (read-only)
  • External ID — a unique identifier generated by LightPane to prevent confused deputy attacks

The role can only read configuration and metadata. It cannot create, modify, or delete any resource in your account.

Setup with CloudFormation

This is the fastest way to create the role: LightPane provides a ready-made CloudFormation template.

  1. Log in to app.lightpane.cloud
  2. Go to Cloud Accounts and click Link AWS Account
  3. LightPane displays your unique External ID and a Launch Stack button
  4. Click the button — it opens the AWS CloudFormation console with the template pre-filled
  5. Confirm and create the stack
  6. Copy the Role ARN from the stack outputs back into LightPane

The template creates this role:

AWSTemplateFormatVersion: '2010-09-09'
Description: LightPane read-only access role

Parameters:
  LightPaneAccountId:
    Type: String
    Description: LightPane platform AWS account ID
  ExternalId:
    Type: String
    Description: Unique External ID from your LightPane account

Resources:
  LightPaneReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LightPaneReader
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${LightPaneAccountId}:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'

Outputs:
  RoleArn:
    Value: !GetAtt LightPaneReaderRole.Arn

Manual setup

If you prefer to create the role manually or via CLI:

aws iam create-role \
  --role-name LightPaneReader \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::LIGHTPANE_ACCOUNT_ID:root"},
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }]
  }'

aws iam attach-role-policy \
  --role-name LightPaneReader \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Replace LIGHTPANE_ACCOUNT_ID and YOUR_EXTERNAL_ID with the values shown in your LightPane account.

Multi-account setup with StackSets

For AWS Organizations with many accounts, deploy the role across all accounts using CloudFormation StackSets:

  1. Deploy the LightPane CloudFormation template as a StackSet from your management account
  2. Target the entire Organization or specific OUs
  3. Enable auto-deployment so new accounts added to the OU get the role automatically
  4. Use a single External ID per Organization

StackSets support drift detection — if someone modifies the role, StackSets can detect and remediate the change.

The SecurityAudit policy

arn:aws:iam::aws:policy/SecurityAudit is an AWS managed policy that grants read-only access to security and configuration data across 40+ services. It includes Get*, List*, and Describe* actions.

Key properties:

  • Read-only — no create, update, or delete permissions
  • Maintained by AWS — updated regularly as new services launch
  • Used industry-wide — the standard policy for compliance and security tooling
  • Does not include s3:GetObject — LightPane can list your buckets and their configuration but cannot read the contents of your files

The External ID

The External ID prevents confused deputy attacks. LightPane generates a unique ID for each cloud account you link. It is included as a condition in the role's trust policy, ensuring that only LightPane — with the correct External ID — can assume the role.

External ID is not a secret

The External ID is a unique identifier, not an authentication credential. It prevents one LightPane customer from tricking the platform into assuming another customer's role. It does not need to be kept confidential.
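The trust-policy and permission properties this page lists (a single LightPane account principal, sts:AssumeRole only, the sts:ExternalId condition, and nothing attached beyond SecurityAudit) can be checked mechanically before or after the role is created. The following is an added example, not LightPane's own code; the account ID and External ID in it are constructed placeholders, and the input is the trust-policy document as you would pass it to aws iam create-role or read it back with aws iam get-role.

```python
# Added example, not LightPane's code. Account ID and External ID are
# constructed placeholders; use the values shown in your LightPane account.
LIGHTPANE_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_role(trust_policy, attached_policy_arns, account_id, external_id):
    """Return a list of findings for a LightPaneReader-style role; [] means OK."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Only an AWS account principal is expected; a Service key or "*" is a finding.
        if isinstance(principal, dict) and set(principal) != {"AWS"}:
            findings.append(f"unexpected principal keys {sorted(principal)}")
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            if p != expected_principal:
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action {action}")
        # The External ID condition is what blocks a confused-deputy assumption.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    extra = sorted(set(attached_policy_arns) - {SECURITY_AUDIT_ARN})
    if extra:
        findings.append(f"policies beyond SecurityAudit attached: {extra}")
    if SECURITY_AUDIT_ARN not in attached_policy_arns:
        findings.append("SecurityAudit not attached")
    return findings


# Constructed sample: the trust policy from the manual-setup command, filled in.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
# Constructed sample of the same role after someone widened it: any account may
# assume it and the External ID condition is gone.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
```

Running check_role over GOOD_TRUST with only SecurityAudit attached returns an empty list; BAD_TRUST with an extra policy attached returns one finding per deviation.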

Supported regions

LightPane discovers resources in any AWS region. Specify the region in your service requests or access key configuration.

Common regions:

Region          Location
eu-west-1       Ireland
eu-west-2       London
eu-central-1    Frankfurt
us-east-1       N. Virginia
us-east-2       Ohio
us-west-2       Oregon
ap-southeast-1  Singapore
ap-northeast-1  Tokyo

Revoking access

Delete the IAM role in your AWS account at any time. LightPane immediately loses access. No action is needed on the LightPane side — the next discovery request will fail with an AccessDenied error, which LightPane handles gracefully.