Skip to content
Cased Documentation

AWS

Connect Cased to AWS to manage and monitor your cloud infrastructure

The fastest way to set up AWS access for Cased is using our CloudFormation template:

  1. Go to Cased - Navigate to https://app.cased.com/connections/aws
  2. Click Quick Connect AWS - This will launch the AWS Console with the template pre-filled
AWS Quick Connect button in Cased interface
  1. Create the stack - Follow the CloudFormation wizard to create the stack
  2. Get the Role ARN - Copy the Role ARN from the Outputs tab after stack creation
  3. Configure Cased - Paste the Role ARN and select your region in Cased’s connection settings
CloudFormation Template
AWSTemplateFormatVersion: "2010-09-09"
Description: "Cased Quick Connect - Creates IAM Role for AWS Infrastructure Scanning"


Parameters:
  RoleName:
    Type: String
    Default: CasedRole
    Description: Name of the IAM role that will be created


Resources:
  CasedInfraPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Policy for Cased to scan AWS infrastructure
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: VisualEditor0
            Effect: Allow
            Action:
              - autoscaling:Describe*
              - cloudformation:Describe*
              - cloudformation:ListStacks
              - cloudfront:ListDistributions
              - cloudtrail:DescribeTrails
              - cloudtrail:GetTrail
              - cloudtrail:GetTrailStatus
              - cloudtrail:LookupEvents
              - cloudwatch:GetMetricData
              - cloudwatch:GetMetricStatistics
              - cloudwatch:GetMetricWidgetImage
              - cloudwatch:ListMetrics
              - dynamodb:DescribeTable
              - dynamodb:ListTables
              - ec2:DescribeInstances
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ecs:DescribeClusters
              - ecs:DescribeServices
              - ecs:DescribeTaskDefinition
              - ecs:DescribeTasks
              - ecs:ListClusters
              - ecs:ListServices
              - ecs:ListTasks
              - ecr:DescribeRepositories
              - ecr:GetLifecyclePolicy
              - ecr:GetRegistryScanningConfiguration
              - ecr:GetRepositoryPolicy
              - ecr:ListImages
              - ecr:ListTagsForResource
              - eks:ListClusters
              - eks:DescribeCluster
              - eks:ListNodegroups
              - elasticache:Describe*
              - elasticache:ListTagsForResource
              - elasticbeanstalk:DescribeEnvironments
              - elasticloadbalancing:DescribeLoadBalancers
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListPolicies
              - iam:ListRoles
              - iam:ListUsers
              - kms:DescribeKey
              - kms:ListKeys
              - lambda:ListFunctions
              - logs:DescribeLogStreams
              - logs:DescribeLogGroups
              - logs:GetLogEvents
              - logs:FilterLogEvents
              - rds:DescribeDBInstances
              - rds:DescribeDBSnapshots
              - rds:DescribeEvents
              - rds:ListTagsForResource
              - s3:GetBucketLifecycleConfiguration
              - s3:GetBucketLocation
              - s3:GetBucketPublicAccessBlock
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetEncryptionConfiguration
              - s3:GetObject
              - s3:ListAllMyBuckets
              - s3:ListBucket
              - sns:ListSubscriptions
              - sns:ListTopics
              - sqs:ListQueues
            Resource: "*"


  CasedInfraRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: IAM role for Cased to work with AWS infrastructure
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "arn:aws:iam::495860673956:root"
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CasedInfraPolicy


Outputs:
  RoleARN:
    Description: ARN of the created IAM role. Copy this value into Cased.
    Value: !GetAtt CasedInfraRole.Arn

Pulumi Setup

If you’re using Pulumi for infrastructure management, you can create the IAM role with this TypeScript code:

Pulumi TypeScript Example
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";


// Configuration
const config = new pulumi.Config();
const roleName = config.get("roleName") || "CasedRole";


// Create the policy document for Cased infrastructure scanning
const casedInfraPolicyDocument = aws.iam.getPolicyDocument({
  statements: [
    {
      sid: "VisualEditor0",
      effect: "Allow",
      actions: [
        "autoscaling:Describe*",
        "cloudformation:Describe*",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTasks",
        "ecr:DescribeRepositories",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "elasticache:Describe*",
        "elasticache:ListTagsForResource",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticloadbalancing:DescribeLoadBalancers",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUsers",
        "kms:DescribeKey",
        "kms:ListKeys",
        "lambda:ListFunctions",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:DescribeEvents",
        "rds:ListTagsForResource",
        "s3:GetBucketLifecycleConfiguration",
        "s3:GetBucketLocation",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sqs:ListQueues",
      ],
      resources: ["*"],
    },
  ],
});


// Create the managed policy for Cased infrastructure scanning
const casedInfraPolicy = new aws.iam.Policy("CasedInfraPolicy", {
  description: "Policy for Cased to scan AWS infrastructure",
  policy: casedInfraPolicyDocument.then((doc) => doc.json),
});


// Create the IAM role for Cased
const casedInfraRole = new aws.iam.Role("CasedInfraRole", {
  name: roleName,
  description: "IAM role for Cased to work with AWS infrastructure",
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::495860673956:root",
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: [casedInfraPolicy.arn],
});


export const roleArn = casedInfraRole.arn;
export const roleName_output = casedInfraRole.name;
export const policyArn = casedInfraPolicy.arn;

After running pulumi up, copy the roleArn output value and paste it into Cased’s AWS connection settings.

Manual Setup

If you prefer to set up the IAM role manually:

  1. In your AWS Management Console go to the IAM service

  2. Create IAM Policy under Policies create a new policy in the JSON editor.

  3. Paste this JSON into the policy editor and name is CasedPolicy.

    CasedPolicy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:Describe*",
            "cloudformation:Describe*",
            "cloudformation:ListStacks",
            "cloudfront:ListDistributions",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrail",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:LookupEvents",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:GetMetricWidgetImage",
            "cloudwatch:ListMetrics",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ecs:DescribeClusters",
            "ecs:DescribeServices",
            "ecs:DescribeTaskDefinition",
            "ecs:DescribeTasks",
            "ecs:ListClusters",
            "ecs:ListServices",
            "ecs:ListTasks",
            "ecr:DescribeRepositories",
            "ecr:GetLifecyclePolicy",
            "ecr:GetRegistryScanningConfiguration",
            "ecr:GetRepositoryPolicy",
            "ecr:ListImages",
            "ecr:ListTagsForResource",
            "eks:ListClusters",
            "eks:DescribeCluster",
            "eks:ListNodegroups",
            "elasticache:Describe*",
            "elasticache:ListTagsForResource",
            "elasticbeanstalk:DescribeEnvironments",
            "elasticloadbalancing:DescribeLoadBalancers",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListPolicies",
            "iam:ListRoles",
            "iam:ListUsers",
            "kms:DescribeKey",
            "kms:ListKeys",
            "lambda:ListFunctions",
            "logs:DescribeLogStreams",
            "logs:DescribeLogGroups",
            "logs:GetLogEvents",
            "logs:FilterLogEvents",
            "rds:DescribeDBInstances",
            "rds:DescribeDBSnapshots",
            "rds:DescribeEvents",
            "rds:ListTagsForResource",
            "s3:GetBucketLifecycleConfiguration",
            "s3:GetBucketLocation",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetEncryptionConfiguration",
            "s3:GetObject",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "sns:ListSubscriptions",
            "sns:ListTopics",
            "sqs:ListQueues"
          ],
          "Resource": "*"
        }
      ]
    }

  4. Create IAM Role

    • Open IAM in AWS Console
    • Go to Roles → Create role
    • Choose “AWS account” as trusted entity type
    • Enter Cased account ID: 495860673956
    • Attach the policy you created
    • Name the role (e.g., CasedRole)

  5. Almost done! Configure Cased:

    • Copy your Role ARN from the role summary page
    • Format: arn:aws:iam::<YOUR_ACCOUNT_ID>:role/CasedRole
    • Paste the ARN in Cased’s AWS connection settings
    • Select your AWS region