AWS
Connect Cased to AWS to manage and monitor your cloud infrastructure
Quick Connect (Recommended)
Section titled “Quick Connect (Recommended)”The fastest way to set up AWS access for Cased is using our CloudFormation template:
- Go to Cased - Navigate to https://app.cased.com/connections/aws
- Click Quick Connect AWS - This will launch the AWS Console with the template pre-filled

- Create the stack - Follow the CloudFormation wizard to create the stack
- Get the Role ARN - Copy the Role ARN from the Outputs tab after stack creation
- Configure Cased - Paste the Role ARN and select your region in Cased’s connection settings
CloudFormation Template
AWSTemplateFormatVersion: "2010-09-09"Description: "Cased Quick Connect - Creates IAM Role for AWS Infrastructure Scanning"
Parameters: RoleName: Type: String Default: CasedRole Description: Name of the IAM role that will be created
Resources: CasedInfraPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: Policy for Cased to scan AWS infrastructure PolicyDocument: Version: "2012-10-17" Statement: - Sid: VisualEditor0 Effect: Allow Action: - autoscaling:Describe* - cloudformation:Describe* - cloudformation:ListStacks - cloudfront:ListDistributions - cloudtrail:DescribeTrails - cloudtrail:GetTrail - cloudtrail:GetTrailStatus - cloudtrail:LookupEvents - cloudwatch:GetMetricData - cloudwatch:GetMetricStatistics - cloudwatch:GetMetricWidgetImage - cloudwatch:ListMetrics - dynamodb:DescribeTable - dynamodb:ListTables - ec2:DescribeInstances - ec2:DescribeNetworkInterfaces - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - ecs:DescribeClusters - ecs:DescribeServices - ecs:DescribeTaskDefinition - ecs:DescribeTasks - ecs:ListClusters - ecs:ListServices - ecs:ListTasks - ecr:DescribeRepositories - ecr:GetLifecyclePolicy - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListImages - ecr:ListTagsForResource - eks:ListClusters - eks:DescribeCluster - eks:ListNodegroups - elasticache:Describe* - elasticache:ListTagsForResource - elasticbeanstalk:DescribeEnvironments - elasticloadbalancing:DescribeLoadBalancers - iam:GetPolicy - iam:GetPolicyVersion - iam:GetRole - iam:ListAttachedRolePolicies - iam:ListPolicies - iam:ListRoles - iam:ListUsers - kms:DescribeKey - kms:ListKeys - lambda:ListFunctions - logs:DescribeLogStreams - logs:DescribeLogGroups - logs:GetLogEvents - logs:FilterLogEvents - rds:DescribeDBInstances - rds:DescribeDBSnapshots - rds:DescribeEvents - rds:ListTagsForResource - s3:GetBucketLifecycleConfiguration - s3:GetBucketLocation - s3:GetBucketPublicAccessBlock - s3:GetBucketTagging - s3:GetBucketVersioning - s3:GetEncryptionConfiguration - s3:GetObject - s3:ListAllMyBuckets - s3:ListBucket - sns:ListSubscriptions - sns:ListTopics - sqs:ListQueues Resource: "*"
CasedInfraRole: Type: AWS::IAM::Role Properties: RoleName: !Ref RoleName Description: IAM role for Cased to work with AWS infrastructure AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: "arn:aws:iam::495860673956:root" Action: "sts:AssumeRole" ManagedPolicyArns: - !Ref CasedInfraPolicy
Outputs: RoleARN: Description: ARN of the created IAM role. Copy this value into Cased. Value: !GetAtt CasedInfraRole.Arn
Pulumi Setup
Section titled “Pulumi Setup”If you’re using Pulumi for infrastructure management, you can create the IAM role with this TypeScript code:
Pulumi TypeScript Example
import * as pulumi from "@pulumi/pulumi";import * as aws from "@pulumi/aws";
// Configurationconst config = new pulumi.Config();const roleName = config.get("roleName") || "CasedRole";
// Create the policy document for Cased infrastructure scanningconst casedInfraPolicyDocument = aws.iam.getPolicyDocument({ statements: [ { sid: "VisualEditor0", effect: "Allow", actions: [ "autoscaling:Describe*", "cloudformation:Describe*", "cloudformation:ListStacks", "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricWidgetImage", "cloudwatch:ListMetrics", "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTasks", "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRegistryScanningConfiguration", "ecr:GetRepositoryPolicy", "ecr:ListImages", "ecr:ListTagsForResource", "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "elasticache:Describe*", "elasticache:ListTagsForResource", "elasticbeanstalk:DescribeEnvironments", "elasticloadbalancing:DescribeLoadBalancers", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "kms:DescribeKey", "kms:ListKeys", "lambda:ListFunctions", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:GetLogEvents", "logs:FilterLogEvents", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots", "rds:DescribeEvents", "rds:ListTagsForResource", "s3:GetBucketLifecycleConfiguration", "s3:GetBucketLocation", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "sns:ListSubscriptions", "sns:ListTopics", "sqs:ListQueues", ], resources: ["*"], }, ],});
// Create the managed policy for Cased infrastructure scanningconst casedInfraPolicy = new aws.iam.Policy("CasedInfraPolicy", { description: "Policy for Cased to scan AWS infrastructure", policy: casedInfraPolicyDocument.then((doc) => doc.json),});
// Create the IAM role for Casedconst casedInfraRole = new aws.iam.Role("CasedInfraRole", { name: roleName, description: "IAM role for Cased to work with AWS infrastructure", assumeRolePolicy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { AWS: "arn:aws:iam::495860673956:root", }, Action: "sts:AssumeRole", }, ], }), managedPolicyArns: [casedInfraPolicy.arn],});
export const roleArn = casedInfraRole.arn;export const roleName_output = casedInfraRole.name;export const policyArn = casedInfraPolicy.arn;
After running pulumi up
, copy the roleArn
output value and paste it into Cased’s AWS connection settings.
Manual Setup
Section titled “Manual Setup”If you prefer to set up the IAM role manually:
-
In your AWS Management Console go to the IAM service
-
Create IAM Policy under Policies create a new policy in the JSON editor.
-
Paste this JSON into the policy editor and name is
CasedPolicy
.CasedPolicy {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["autoscaling:Describe*","cloudformation:Describe*","cloudformation:ListStacks","cloudfront:ListDistributions","cloudtrail:DescribeTrails","cloudtrail:GetTrail","cloudtrail:GetTrailStatus","cloudtrail:LookupEvents","cloudwatch:GetMetricData","cloudwatch:GetMetricStatistics","cloudwatch:GetMetricWidgetImage","cloudwatch:ListMetrics","dynamodb:DescribeTable","dynamodb:ListTables","ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","ec2:DescribeVpcs","ecs:DescribeClusters","ecs:DescribeServices","ecs:DescribeTaskDefinition","ecs:DescribeTasks","ecs:ListClusters","ecs:ListServices","ecs:ListTasks","ecr:DescribeRepositories","ecr:GetLifecyclePolicy","ecr:GetRegistryScanningConfiguration","ecr:GetRepositoryPolicy","ecr:ListImages","ecr:ListTagsForResource","eks:ListClusters","eks:DescribeCluster","eks:ListNodegroups","elasticache:Describe*","elasticache:ListTagsForResource","elasticbeanstalk:DescribeEnvironments","elasticloadbalancing:DescribeLoadBalancers","iam:GetPolicy","iam:GetPolicyVersion","iam:GetRole","iam:ListAttachedRolePolicies","iam:ListPolicies","iam:ListRoles","iam:ListUsers","kms:DescribeKey","kms:ListKeys","lambda:ListFunctions","logs:DescribeLogStreams","logs:DescribeLogGroups","logs:GetLogEvents","logs:FilterLogEvents","rds:DescribeDBInstances","rds:DescribeDBSnapshots","rds:DescribeEvents","rds:ListTagsForResource","s3:GetBucketLifecycleConfiguration","s3:GetBucketLocation","s3:GetBucketPublicAccessBlock","s3:GetBucketTagging","s3:GetBucketVersioning","s3:GetEncryptionConfiguration","s3:GetObject","s3:ListAllMyBuckets","s3:ListBucket","sns:ListSubscriptions","sns:ListTopics","sqs:ListQueues"],"Resource": "*"}]} -
Create IAM Role
- Open IAM in AWS Console
- Go to Roles → Create role
- Choose “AWS account” as trusted entity type
- Enter Cased account ID:
495860673956
- Attach the policy you created
- Name the role (e.g.,
CasedRole
)
-
Almost done! Configure Cased:
- Copy your Role ARN from the role summary page
- Format:
arn:aws:iam::<YOUR_ACCOUNT_ID>:role/CasedRole
- Paste the ARN in Cased’s AWS connection settings
- Select your AWS region