AWS
Connect Cased to AWS to manage and monitor your cloud infrastructure
Quick Connect (Recommended)
The fastest way to set up AWS access for Cased is using our CloudFormation template:
- Go to Cased - Navigate to https://app.cased.com/connections/aws
- Click Quick Connect AWS - This will launch the AWS Console with the template pre-filled

- Create the stack - Follow the CloudFormation wizard to create the stack
- Get the Role ARN - Copy the Role ARN from the Outputs tab after stack creation
- Configure Cased - Paste the Role ARN and select your region in Cased’s connection settings
CloudFormation Template
AWSTemplateFormatVersion: "2010-09-09"Description: "Cased Quick Connect - Creates IAM Role for AWS Infrastructure Scanning"
Parameters: RoleName: Type: String Default: CasedRole Description: Name of the IAM role that will be created
Resources: CasedInfraPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: Policy for Cased to scan AWS infrastructure PolicyDocument: Version: "2012-10-17" Statement: - Sid: VisualEditor0 Effect: Allow Action: - autoscaling:Describe* - cloudformation:Describe* - cloudformation:ListStacks - cloudfront:ListDistributions - cloudtrail:DescribeTrails - cloudtrail:GetTrail - cloudtrail:GetTrailStatus - cloudtrail:LookupEvents - cloudwatch:GetMetricData - cloudwatch:GetMetricStatistics - cloudwatch:GetMetricWidgetImage - cloudwatch:ListMetrics - dynamodb:DescribeTable - dynamodb:ListTables - ec2:DescribeInstances - ec2:DescribeNetworkInterfaces - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - ecs:DescribeClusters - ecs:DescribeServices - ecs:DescribeTaskDefinition - ecs:DescribeTasks - ecs:ListClusters - ecs:ListServices - ecs:ListTasks - ecr:DescribeRepositories - ecr:GetLifecyclePolicy - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListImages - ecr:ListTagsForResource - eks:ListClusters - eks:DescribeCluster - eks:ListNodegroups - elasticache:Describe* - elasticache:ListTagsForResource - elasticbeanstalk:DescribeEnvironments - elasticloadbalancing:DescribeLoadBalancers - iam:GetPolicy - iam:GetPolicyVersion - iam:GetRole - iam:ListAttachedRolePolicies - iam:ListPolicies - iam:ListRoles - iam:ListUsers - kms:DescribeKey - kms:ListKeys - lambda:ListFunctions - logs:DescribeLogStreams - logs:DescribeLogGroups - logs:GetLogEvents - logs:FilterLogEvents - rds:DescribeDBInstances - rds:DescribeDBSnapshots - rds:DescribeEvents - rds:ListTagsForResource - s3:GetBucketLifecycleConfiguration - s3:GetBucketLocation - s3:GetBucketPublicAccessBlock - s3:GetBucketTagging - s3:GetBucketVersioning - s3:GetEncryptionConfiguration - s3:GetObject - s3:ListAllMyBuckets - s3:ListBucket - sns:ListSubscriptions - sns:ListTopics - sqs:ListQueues Resource: "*"
CasedInfraRole: Type: AWS::IAM::Role Properties: RoleName: !Ref RoleName Description: IAM role for Cased to work with AWS infrastructure AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: "arn:aws:iam::495860673956:root" Action: "sts:AssumeRole" ManagedPolicyArns: - !Ref CasedInfraPolicy
Outputs: RoleARN: Description: ARN of the created IAM role. Copy this value into Cased. Value: !GetAtt CasedInfraRole.Arn
Pulumi Setup
If you’re using Pulumi for infrastructure management, you can create the IAM role with this TypeScript code:
Pulumi TypeScript Example
import * as pulumi from "@pulumi/pulumi";import * as aws from "@pulumi/aws";
// Configurationconst config = new pulumi.Config();const roleName = config.get("roleName") || "CasedRole";
// Create the policy document for Cased infrastructure scanningconst casedInfraPolicyDocument = aws.iam.getPolicyDocument({ statements: [ { sid: "VisualEditor0", effect: "Allow", actions: [ "autoscaling:Describe*", "cloudformation:Describe*", "cloudformation:ListStacks", "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricWidgetImage", "cloudwatch:ListMetrics", "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTasks", "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRegistryScanningConfiguration", "ecr:GetRepositoryPolicy", "ecr:ListImages", "ecr:ListTagsForResource", "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "elasticache:Describe*", "elasticache:ListTagsForResource", "elasticbeanstalk:DescribeEnvironments", "elasticloadbalancing:DescribeLoadBalancers", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "kms:DescribeKey", "kms:ListKeys", "lambda:ListFunctions", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:GetLogEvents", "logs:FilterLogEvents", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:DescribeEvents", "rds:ListTagsForResource", "s3:GetBucketLifecycleConfiguration", "s3:GetBucketLocation", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "sns:ListSubscriptions", "sns:ListTopics", "sqs:ListQueues", ], resources: ["*"], }, ],});
// Create the managed policy for Cased infrastructure scanningconst casedInfraPolicy = new aws.iam.Policy("CasedInfraPolicy", { description: "Policy for Cased to scan AWS infrastructure", policy: casedInfraPolicyDocument.then((doc) => doc.json),});
// Create the IAM role for Casedconst casedInfraRole = new aws.iam.Role("CasedInfraRole", { name: roleName, description: "IAM role for Cased to work with AWS infrastructure", assumeRolePolicy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { AWS: "arn:aws:iam::495860673956:root", }, Action: "sts:AssumeRole", }, ], }), managedPolicyArns: [casedInfraPolicy.arn],});
export const roleArn = casedInfraRole.arn;export const roleName_output = casedInfraRole.name;export const policyArn = casedInfraPolicy.arn;
After running pulumi up
, copy the roleArn
output value and paste it into Cased’s AWS connection settings.
Manual Setup
If you prefer to set up the IAM role manually:
-
In your AWS Management Console go to the IAM service
-
Create IAM Policy under Policies create a new policy in the JSON editor.
-
Paste this JSON into the policy editor and name is
CasedPolicy
.CasedPolicy {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["autoscaling:Describe*","cloudformation:Describe*","cloudformation:ListStacks","cloudfront:ListDistributions","cloudtrail:DescribeTrails","cloudtrail:GetTrail","cloudtrail:GetTrailStatus","cloudtrail:LookupEvents","cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:GetMetricWidgetImage","cloudwatch:ListMetrics","dynamodb:DescribeTable","dynamodb:ListTables","ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","ec2:DescribeVpcs","ecs:DescribeClusters","ecs:DescribeServices","ecs:DescribeTaskDefinition","ecs:DescribeTasks","ecs:ListClusters","ecs:ListServices","ecs:ListTasks","ecr:DescribeRepositories","ecr:GetLifecyclePolicy","ecr:GetRegistryScanningConfiguration","ecr:GetRepositoryPolicy","ecr:ListImages","ecr:ListTagsForResource","eks:ListClusters","eks:DescribeCluster","eks:ListNodegroups","elasticache:Describe*","elasticache:ListTagsForResource","elasticbeanstalk:DescribeEnvironments","elasticloadbalancing:DescribeLoadBalancers","iam:GetPolicy","iam:GetPolicyVersion","iam:GetRole","iam:ListAttachedRolePolicies","iam:ListPolicies","iam:ListRoles","iam:ListUsers","kms:DescribeKey","kms:ListKeys","lambda:ListFunctions","logs:DescribeLogStreams","logs:DescribeLogGroups","logs:GetLogEvents","logs:FilterLogEvents","rds:DescribeDBInstances","rds:DescribeDBSnapshots","rds:DescribeEvents","rds:ListTagsForResource","s3:GetBucketLifecycleConfiguration","s3:GetBucketLocation","s3:GetBucketPublicAccessBlock","s3:GetBucketTagging","s3:GetBucketVersioning","s3:GetEncryptionConfiguration","s3:GetObject","s3:ListAllMyBuckets","s3:ListBucket","sns:ListSubscriptions","sns:ListTopics","sqs:ListQueues"],"Resource": "*"}]} -
Create IAM Role
- Open IAM in AWS Console
- Go to Roles → Create role
- Choose “AWS account” as trusted entity type
- Enter Cased account ID:
495860673956
- Attach the policy you created
- Name the role (e.g.,
CasedRole
)
-
Almost done! Configure Cased:
- Copy your Role ARN from the role summary page
- Format:
arn:aws:iam::<YOUR_ACCOUNT_ID>:role/CasedRole
- Paste the ARN in Cased’s AWS connection settings
- Select your AWS region