Overview

LowerPlane connects to AWS using IAM access keys with read-only permissions. This guide walks you through creating a dedicated IAM user, attaching a minimal read-only policy, and connecting it to LowerPlane.

Services Monitored

AWS Service      What LowerPlane Collects
IAM              Users, roles, policies, MFA status, access key rotation
Security Hub     Aggregated security findings across all enabled standards
AWS Config       Resource configuration history and compliance evaluations
CloudTrail       API activity logs for audit trail evidence
GuardDuty        Threat detection findings and anomalous activity
Inspector        Vulnerability findings for EC2 instances and container images
ECR              Container image scan results
S3               Bucket encryption, public access, versioning, logging
EC2              Security groups, network ACLs, VPC flow logs
RDS              Database encryption, backup, public access settings
ECS / EKS        Container and Kubernetes cluster configurations
KMS              Key management and encryption settings
Lambda           Function configurations and permissions

Step 1: Open AWS IAM Console

Open the AWS IAM Console: https://console.aws.amazon.com/iam/
  • Log in using an AWS Administrator or Root account
  • From the left sidebar select Users

Step 2: Create New User

Click Create user. Enter a username:
lowerplane-readonly-user
Configuration:
  • Disable AWS Management Console access unless required
  • Programmatic access is enough for integrations
Click Next.

Step 3: Create User Without Policies

Do not attach any managed policies at this stage. Click Next, then Create user.

Step 4: Open the Created User

After user creation:
  1. Open the created IAM user
  2. Go to Permissions
  3. Click Add permissions

Step 5: Create Inline Policy

Choose Create inline policy. Select JSON. Delete the existing sample JSON and paste the following LowerPlane read-only IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "lowerPlaneReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:Get*",
                "access-analyzer:List*",
                "account:Get*",
                "account:List*",
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "application-autoscaling:Describe*",
                "autoscaling:Describe*",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "codecommit:BatchGet*",
                "codecommit:Get*",
                "codecommit:GitPull",
                "codecommit:List*",
                "config:BatchGet*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "docdb:Describe*",
                "docdb:ListTagsForResource",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "ec2:Get*",
                "ecr:BatchGet*",
                "ecr:Describe*",
                "ecr:Get*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "efs:Describe*",
                "eks:Describe*",
                "eks:List*",
                "elasticloadbalancing:Describe*",
                "guardduty:Get*",
                "guardduty:List*",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "identitystore:Describe*",
                "identitystore:Get*",
                "identitystore:List*",
                "inspector2:BatchGet*",
                "inspector2:Get*",
                "inspector2:List*",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:Get*",
                "lambda:List*",
                "organizations:Describe*",
                "organizations:List*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "route53:Get*",
                "route53:List*",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:ListAllMyBuckets",
                "securityhub:Describe*",
                "securityhub:Get*",
                "securityhub:List*",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListQueues",
                "tag:GetResources"
            ],
            "Resource": "*"
        }
    ]
}
Click Next. Policy name:
lowerplane-readonly-inline-policy
Click Create policy.
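Before attaching the policy, it is worth checking mechanically that nothing in it grants more than read access, since a stray edit while pasting is easy to miss in a list this long. The script below is an added example for this guide, not LowerPlane's own tooling: it parses an IAM policy document, accepts only actions whose verb begins with one of the read-only prefixes the Step 5 policy uses, and reports wildcards, NotAction/NotResource and any write, update or delete verb. SAMPLE_POLICY is an abbreviated copy of the policy above, constructed for the example; run the script with the path to the full policy file to audit the real one. The READ_ONLY_PREFIXES and CONTENT_READING sets are this example's own assumptions.

```python
"""Audit an IAM policy document for anything beyond read-only access.

Added example for this guide, not LowerPlane's own code. It accepts only
actions whose verb starts with one of the read-only prefixes that the
Step 5 policy uses, and reports wildcards, NotAction/NotResource and any
write, update or delete verb, so a copy-paste edit cannot quietly widen
what the integration user is allowed to do.
"""
import json
import sys

# Verb prefixes that only read state (assumed set for this example).
# GenerateCredentialReport produces a report rather than changing
# resources; GitPull reads repository contents.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet",
                      "GenerateCredentialReport", "GitPull")

# Read-only actions that return data contents rather than configuration;
# still read-only, but worth listing explicitly when reviewing scope.
CONTENT_READING = {"codecommit:GitPull", "s3:GetObject"}

# Abbreviated copy of the Step 5 policy (constructed for the example;
# pass the full policy file on the command line to audit the real one).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "lowerPlaneReadOnlyAccess",
        "Effect": "Allow",
        "Action": [
            "cloudtrail:Get*", "codecommit:GitPull", "ec2:Describe*",
            "iam:GenerateCredentialReport", "iam:Get*", "iam:List*",
            "s3:GetBucketPolicy", "s3:ListAllMyBuckets", "tag:GetResources",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a single string wherever a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return a list of problems; an empty list means the policy is read-only."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append("NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                problems.append(f"wildcard action {action!r}")
                continue
            service, _, verb = action.partition(":")
            if not service or not verb:
                problems.append(f"malformed action {action!r}")
                continue
            if not verb.rstrip("*").startswith(READ_ONLY_PREFIXES):
                problems.append(f"non read-only action {action!r}")
    return problems


def content_reading_actions(policy):
    """Allowed actions that expose data contents, for scope review."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            found.update(a for a in _as_list(stmt.get("Action")) if a in CONTENT_READING)
    return sorted(found)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    problems = audit_policy(policy)
    for problem in problems:
        print("PROBLEM:", problem)
    for action in content_reading_actions(policy):
        print("NOTE: grants access to data contents:", action)
    sys.exit(1 if problems else 0)
```

Run against the full policy it reports no problems and one note: codecommit:GitPull lets the integration user clone repository contents, which is read-only but broader than configuration metadata, so decide deliberately whether LowerPlane needs it in your account. The `"Resource": "*"` scope is expected here because most Describe and List calls do not support resource-level restriction.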

Step 6: Create Access Key

After attaching the inline policy:
  1. Open the IAM user
  2. Go to Security credentials
  3. Scroll to Access keys
  4. Click Create access key
Choose Third-party service. Accept the confirmation checkbox. Click Next, then Create access key.

Step 7: Save Credentials

AWS will generate:
Access Key ID: AKIAXXXXXXXXXXXXX
Secret Access Key: abc123xxxxxxxx
Important: Save the Secret Access Key immediately. AWS will not show it again.

Step 8: Connect in LowerPlane

  1. Go to Integrations in LowerPlane
  2. Find AWS and click Connect
  3. Enter the Access Key ID and Secret Access Key
  4. Click Connect
LowerPlane will validate the credentials and begin the first sync automatically. The initial sync may take several minutes depending on the size of your AWS account.

Multi-Account Setup

For organizations with multiple AWS accounts:
  • Connect each account individually with its own IAM user and access keys
  • Or use an organization-level IAM role with sts:AssumeRole permissions for member accounts
Prioritize connecting production accounts first — these are the accounts auditors focus on.

Automated Tests

When AWS is connected, LowerPlane automatically creates and runs tests including:
  • MFA is enabled for all IAM users with console access
  • Root account access keys are disabled
  • CloudTrail is enabled in all regions
  • S3 buckets are not publicly accessible
  • S3 bucket encryption is enabled
  • VPC flow logging is enabled
  • Security groups do not allow unrestricted inbound access
  • IAM password policy meets minimum requirements
  • Access keys are rotated within 90 days
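Three of the checks above (MFA for console users, root access keys disabled, 90-day key rotation) can be evaluated from the IAM credential report, which the Step 5 policy lets the integration user generate via iam:GenerateCredentialReport. The script below is an added example, not LowerPlane's own test implementation: it runs those three checks over a constructed report that uses a subset of the real report's column names. The check names, the sample accounts and the fixed clock NOW are this example's own assumptions.

```python
"""Run three of the checks listed above over an IAM credential report.

Added example, not LowerPlane's own test logic. The Step 5 policy grants
iam:GenerateCredentialReport; the CSV that call produces carries the MFA,
password and access-key rotation state this script evaluates. Check names
and the sample report are this example's own assumptions.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample with a subset of the real report's columns; a real
# report uses the same column names plus last-used and certificate fields.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2023-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T09:30:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,false,false,true,2024-01-15T00:00:00+00:00,false,N/A
lowerplane-readonly-user,arn:aws:iam::123456789012:user/lowerplane-readonly-user,false,false,true,2024-06-20T12:00:00+00:00,false,N/A
"""

# Fixed clock so the sample output is reproducible; use
# datetime.now(timezone.utc) against a real report.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_report(text):
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def key_age_days(last_rotated, now):
    """Days since a key was created or rotated; None when there is no key."""
    if last_rotated in ("", "N/A", "not_supported"):
        return None
    return (now - datetime.fromisoformat(last_rotated)).days


def run_checks(rows, now=NOW):
    """Return (check_name, detail) findings; an empty list means all pass."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Root should have no active access keys at all, whatever their age.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append(("root_access_keys_disabled", user))
            continue
        # MFA only matters for principals that can sign in to the console.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("mfa_enabled_for_console_users", user))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = key_age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append(("access_keys_rotated_within_90_days",
                                 f"{user} key {slot} is {age} days old"))
    return findings


if __name__ == "__main__":
    for check, detail in run_checks(parse_report(SAMPLE_REPORT)):
        print(f"FAIL {check}: {detail}")
```

On the sample this reports three failures: the root account has an active access key, bob can sign in to the console without MFA, and carol's key 1 is 168 days old. The integration user created in this guide passes all three because it has no console password and its key is fresh; it will itself show up under the rotation check once its key passes 90 days, so plan to rotate the LowerPlane key like any other.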