Skip to content

AWS

Connect Cased to AWS to manage and monitor your cloud infrastructure

The fastest way to set up AWS access for Cased is using our CloudFormation template:

  1. Go to Cased - Navigate to https://app.cased.com/connections/aws
  2. Click Quick Connect AWS - This will launch the AWS Console with the template pre-filled
AWS Quick Connect button in Cased interface
  1. Create the stack - Follow the CloudFormation wizard to create the stack
  2. Get the Role ARN - Copy the Role ARN from the Outputs tab after stack creation
  3. Configure Cased - Paste the Role ARN and select your region in Cased’s connection settings
CloudFormation Template
AWSTemplateFormatVersion: "2010-09-09"
Description: "Cased Quick Connect - Creates IAM Role for AWS Infrastructure Scanning"
Parameters:
RoleName:
Type: String
Default: CasedRole
Description: Name of the IAM role that will be created
Resources:
CasedInfraPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Policy for Cased to scan AWS infrastructure
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: VisualEditor0
Effect: Allow
Action:
- autoscaling:Describe*
- cloudformation:Describe*
- cloudformation:ListStacks
- cloudfront:ListDistributions
- cloudtrail:DescribeTrails
- cloudtrail:GetTrail
- cloudtrail:GetTrailStatus
- cloudtrail:LookupEvents
- cloudwatch:GetMetricData
- cloudwatch:GetMetricStatistics
- cloudwatch:GetMetricWidgetImage
- cloudwatch:ListMetrics
- dynamodb:DescribeTable
- dynamodb:ListTables
- ec2:DescribeInstances
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- ecs:DescribeClusters
- ecs:DescribeServices
- ecs:DescribeTaskDefinition
- ecs:DescribeTasks
- ecs:ListClusters
- ecs:ListServices
- ecs:ListTasks
- ecr:DescribeRepositories
- ecr:GetLifecyclePolicy
- ecr:GetRegistryScanningConfiguration
- ecr:GetRepositoryPolicy
- ecr:ListImages
- ecr:ListTagsForResource
- eks:ListClusters
- eks:DescribeCluster
- eks:ListNodegroups
- elasticache:Describe*
- elasticache:ListTagsForResource
- elasticbeanstalk:DescribeEnvironments
- elasticloadbalancing:DescribeLoadBalancers
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:GetRole
- iam:ListAttachedRolePolicies
- iam:ListPolicies
- iam:ListRoles
- iam:ListUsers
- kms:DescribeKey
- kms:ListKeys
- lambda:ListFunctions
- logs:DescribeLogStreams
- logs:DescribeLogGroups
- logs:GetLogEvents
- logs:FilterLogEvents
- rds:DescribeDBInstances
- rds:DescribeDBSnapshots
- rds:DescribeEvents
- rds:ListTagsForResource
- s3:GetBucketLifecycleConfiguration
- s3:GetBucketLocation
- s3:GetBucketPublicAccessBlock
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetEncryptionConfiguration
- s3:GetObject
- s3:ListAllMyBuckets
- s3:ListBucket
- sns:ListSubscriptions
- sns:ListTopics
- sqs:ListQueues
Resource: "*"
CasedInfraRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
Description: IAM role for Cased to work with AWS infrastructure
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "arn:aws:iam::495860673956:root"
Action: "sts:AssumeRole"
ManagedPolicyArns:
- !Ref CasedInfraPolicy
Outputs:
RoleARN:
Description: ARN of the created IAM role. Copy this value into Cased.
Value: !GetAtt CasedInfraRole.Arn

Pulumi Setup

If you’re using Pulumi for infrastructure management, you can create the IAM role with this TypeScript code:

Pulumi TypeScript Example
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Configuration
const config = new pulumi.Config();
const roleName = config.get("roleName") || "CasedRole";
// Create the policy document for Cased infrastructure scanning
const casedInfraPolicyDocument = aws.iam.getPolicyDocument({
statements: [
{
sid: "VisualEditor0",
effect: "Allow",
actions: [
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:ListStacks",
"cloudfront:ListDistributions",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricWidgetImage",
"cloudwatch:ListMetrics",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListServices",
"ecs:ListTasks",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRegistryScanningConfiguration",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource",
"eks:ListClusters",
"eks:DescribeCluster",
"eks:ListNodegroups",
"elasticache:Describe*",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeEnvironments",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListUsers",
"kms:DescribeKey",
"kms:ListKeys",
"lambda:ListFunctions",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:GetLogEvents",
"logs:FilterLogEvents",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:DescribeEvents",
"rds:ListTagsForResource",
"s3:GetBucketLifecycleConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sns:ListSubscriptions",
"sns:ListTopics",
"sqs:ListQueues",
],
resources: ["*"],
},
],
});
// Create the managed policy for Cased infrastructure scanning
const casedInfraPolicy = new aws.iam.Policy("CasedInfraPolicy", {
description: "Policy for Cased to scan AWS infrastructure",
policy: casedInfraPolicyDocument.then((doc) => doc.json),
});
// Create the IAM role for Cased
const casedInfraRole = new aws.iam.Role("CasedInfraRole", {
name: roleName,
description: "IAM role for Cased to work with AWS infrastructure",
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::495860673956:root",
},
Action: "sts:AssumeRole",
},
],
}),
managedPolicyArns: [casedInfraPolicy.arn],
});
export const roleArn = casedInfraRole.arn;
export const roleName_output = casedInfraRole.name;
export const policyArn = casedInfraPolicy.arn;

After running pulumi up, copy the roleArn output value and paste it into Cased’s AWS connection settings.

Manual Setup

If you prefer to set up the IAM role manually:

  1. In your AWS Management Console go to the IAM service

  2. Create IAM Policy under Policies create a new policy in the JSON editor.

  3. Paste this JSON into the policy editor and name is CasedPolicy.

    CasedPolicy
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "autoscaling:Describe*",
    "cloudformation:Describe*",
    "cloudformation:ListStacks",
    "cloudfront:ListDistributions",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrail",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:LookupEvents",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:GetMetricWidgetImage",
    "cloudwatch:ListMetrics",
    "dynamodb:DescribeTable",
    "dynamodb:ListTables",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ecs:DescribeClusters",
    "ecs:DescribeServices",
    "ecs:DescribeTaskDefinition",
    "ecs:DescribeTasks",
    "ecs:ListClusters",
    "ecs:ListServices",
    "ecs:ListTasks",
    "ecr:DescribeRepositories",
    "ecr:GetLifecyclePolicy",
    "ecr:GetRegistryScanningConfiguration",
    "ecr:GetRepositoryPolicy",
    "ecr:ListImages",
    "ecr:ListTagsForResource",
    "eks:ListClusters",
    "eks:DescribeCluster",
    "eks:ListNodegroups",
    "elasticache:Describe*",
    "elasticache:ListTagsForResource",
    "elasticbeanstalk:DescribeEnvironments",
    "elasticloadbalancing:DescribeLoadBalancers",
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRole",
    "iam:ListAttachedRolePolicies",
    "iam:ListPolicies",
    "iam:ListRoles",
    "iam:ListUsers",
    "kms:DescribeKey",
    "kms:ListKeys",
    "lambda:ListFunctions",
    "logs:DescribeLogStreams",
    "logs:DescribeLogGroups",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
    "rds:DescribeDBInstances",
    "rds:DescribeDBSnapshots",
    "rds:DescribeEvents",
    "rds:ListTagsForResource",
    "s3:GetBucketLifecycleConfiguration",
    "s3:GetBucketLocation",
    "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketTagging",
    "s3:GetBucketVersioning",
    "s3:GetEncryptionConfiguration",
    "s3:GetObject",
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "sns:ListSubscriptions",
    "sns:ListTopics",
    "sqs:ListQueues"
    ],
    "Resource": "*"
    }
    ]
    }
  4. Create IAM Role

    • Open IAM in AWS Console
    • Go to Roles → Create role
    • Choose “AWS account” as trusted entity type
    • Enter Cased account ID: 495860673956
    • Attach the policy you created
    • Name the role (e.g., CasedRole)
  5. Almost done! Configure Cased:

    • Copy your Role ARN from the role summary page
    • Format: arn:aws:iam::<YOUR_ACCOUNT_ID>:role/CasedRole
    • Paste the ARN in Cased’s AWS connection settings
    • Select your AWS region