AWS

Connect Cased to AWS to manage and monitor your cloud infrastructure

Quick Connect (Recommended)

The fastest way to set up AWS access for Cased is using our CloudFormation template:

1. Go to Cased - Navigate to https://app.cased.com/connections/aws
2. Click Quick Connect AWS - This will launch the AWS Console with the template pre-filled

3. Create the stack - Follow the CloudFormation wizard to create the stack
4. Get the Role ARN - Copy the Role ARN from the Outputs tab after stack creation
5. Configure Cased - Paste the Role ARN and select your region in Cased’s connection settings

CloudFormation Template

AWSTemplateFormatVersion: "2010-09-09"
Description: "Cased Quick Connect - Creates IAM Role for AWS Infrastructure Scanning"

Parameters:
  RoleName:
    Type: String
    Default: CasedRole
    Description: Name of the IAM role that will be created

Resources:
  CasedInfraPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Policy for Cased to scan AWS infrastructure
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: VisualEditor0
            Effect: Allow
            Action:
              - autoscaling:Describe*
              - cloudformation:Describe*
              - cloudformation:ListStacks
              - cloudfront:ListDistributions
              - cloudtrail:DescribeTrails
              - cloudtrail:GetTrail
              - cloudtrail:GetTrailStatus
              - cloudtrail:LookupEvents
              - cloudwatch:GetMetricData
              - cloudwatch:GetMetricStatistics
              - cloudwatch:GetMetricWidgetImage
              - cloudwatch:ListMetrics
              - dynamodb:DescribeTable
              - dynamodb:ListTables
              - ec2:DescribeInstances
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ecs:DescribeClusters
              - ecs:DescribeServices
              - ecs:DescribeTaskDefinition
              - ecs:DescribeTasks
              - ecs:ListClusters
              - ecs:ListServices
              - ecs:ListTasks
              - ecr:DescribeRepositories
              - ecr:GetLifecyclePolicy
              - ecr:GetRegistryScanningConfiguration
              - ecr:GetRepositoryPolicy
              - ecr:ListImages
              - ecr:ListTagsForResource
              - eks:ListClusters
              - eks:DescribeCluster
              - eks:ListNodegroups
              - elasticache:Describe*
              - elasticache:ListTagsForResource
              - elasticbeanstalk:DescribeEnvironments
              - elasticloadbalancing:DescribeLoadBalancers
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListPolicies
              - iam:ListRoles
              - iam:ListUsers
              - kms:DescribeKey
              - kms:ListKeys
              - lambda:ListFunctions
              - logs:DescribeLogStreams
              - logs:DescribeLogGroups
              - logs:GetLogEvents
              - logs:FilterLogEvents
              - rds:DescribeDBInstances
              - rds:DescribeDBSnapshots
              - rds:DescribeEvents
              - rds:ListTagsForResource
              - s3:GetBucketLifecycleConfiguration
              - s3:GetBucketLocation
              - s3:GetBucketPublicAccessBlock
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetEncryptionConfiguration
              - s3:GetObject
              - s3:ListAllMyBuckets
              - s3:ListBucket
              - sns:ListSubscriptions
              - sns:ListTopics
              - sqs:ListQueues
            Resource: "*"

  CasedInfraRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: IAM role for Cased to work with AWS infrastructure
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "arn:aws:iam::495860673956:root"
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CasedInfraPolicy

Outputs:
  RoleARN:
    Description: ARN of the created IAM role. Copy this value into Cased.
    Value: !GetAtt CasedInfraRole.Arn

Pulumi Setup

If you’re using Pulumi for infrastructure management, you can create the IAM role with this TypeScript code:

Pulumi TypeScript Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Configuration
const config = new pulumi.Config();
const roleName = config.get("roleName") || "CasedRole";

// Create the policy document for Cased infrastructure scanning
const casedInfraPolicyDocument = aws.iam.getPolicyDocument({
  statements: [
    {
      sid: "VisualEditor0",
      effect: "Allow",
      actions: [
        "autoscaling:Describe*",
        "cloudformation:Describe*",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricWidgetImage",
        "cloudwatch:ListMetrics",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTasks",
        "ecr:DescribeRepositories",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "elasticache:Describe*",
        "elasticache:ListTagsForResource",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticloadbalancing:DescribeLoadBalancers",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUsers",
        "kms:DescribeKey",
        "kms:ListKeys",
        "lambda:ListFunctions",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:DescribeEvents",
        "rds:ListTagsForResource",
        "s3:GetBucketLifecycleConfiguration",
        "s3:GetBucketLocation",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sqs:ListQueues",
      ],
      resources: ["*"],
    },
  ],
});

// Create the managed policy for Cased infrastructure scanning
const casedInfraPolicy = new aws.iam.Policy("CasedInfraPolicy", {
  description: "Policy for Cased to scan AWS infrastructure",
  policy: casedInfraPolicyDocument.then((doc) => doc.json),
});

// Create the IAM role for Cased
const casedInfraRole = new aws.iam.Role("CasedInfraRole", {
  name: roleName,
  description: "IAM role for Cased to work with AWS infrastructure",
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::495860673956:root",
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: [casedInfraPolicy.arn],
});

export const roleArn = casedInfraRole.arn;
export const roleName_output = casedInfraRole.name;
export const policyArn = casedInfraPolicy.arn;

After running pulumi up, copy the roleArn output value and paste it into Cased’s AWS connection settings.

Manual Setup

If you prefer to set up the IAM role manually:

1. In your AWS Management Console go to the IAM service

2. Create IAM Policy under Policies create a new policy in the JSON editor.

3. Paste this JSON into the policy editor and name is CasedPolicy.

   CasedPolicy

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "autoscaling:Describe*",
           "cloudformation:Describe*",
           "cloudformation:ListStacks",
           "cloudfront:ListDistributions",
           "cloudtrail:DescribeTrails",
           "cloudtrail:GetTrail",
           "cloudtrail:GetTrailStatus",
           "cloudtrail:LookupEvents",
           "cloudwatch:GetMetricData",
           "cloudwatch:GetMetricStatistics",
           "cloudwatch:GetMetricWidgetImage",
           "cloudwatch:ListMetrics",
           "dynamodb:DescribeTable",
           "dynamodb:ListTables",
           "ec2:DescribeInstances",
           "ec2:DescribeNetworkInterfaces",
           "ec2:DescribeSecurityGroups",
           "ec2:DescribeSubnets",
           "ec2:DescribeVpcs",
           "ecs:DescribeClusters",
           "ecs:DescribeServices",
           "ecs:DescribeTaskDefinition",
           "ecs:DescribeTasks",
           "ecs:ListClusters",
           "ecs:ListServices",
           "ecs:ListTasks",
           "ecr:DescribeRepositories",
           "ecr:GetLifecyclePolicy",
           "ecr:GetRegistryScanningConfiguration",
           "ecr:GetRepositoryPolicy",
           "ecr:ListImages",
           "ecr:ListTagsForResource",
           "eks:ListClusters",
           "eks:DescribeCluster",
           "eks:ListNodegroups",
           "elasticache:Describe*",
           "elasticache:ListTagsForResource",
           "elasticbeanstalk:DescribeEnvironments",
           "elasticloadbalancing:DescribeLoadBalancers",
           "iam:GetPolicy",
           "iam:GetPolicyVersion",
           "iam:GetRole",
           "iam:ListAttachedRolePolicies",
           "iam:ListPolicies",
           "iam:ListRoles",
           "iam:ListUsers",
           "kms:DescribeKey",
           "kms:ListKeys",
           "lambda:ListFunctions",
           "logs:DescribeLogStreams",
           "logs:DescribeLogGroups",
           "logs:GetLogEvents",
           "logs:FilterLogEvents",
           "rds:DescribeDBInstances",
           "rds:DescribeDBSnapshots",
           "rds:DescribeEvents",
           "rds:ListTagsForResource",
           "s3:GetBucketLifecycleConfiguration",
           "s3:GetBucketLocation",
           "s3:GetBucketPublicAccessBlock",
           "s3:GetBucketTagging",
           "s3:GetBucketVersioning",
           "s3:GetEncryptionConfiguration",
           "s3:GetObject",
           "s3:ListAllMyBuckets",
           "s3:ListBucket",
           "sns:ListSubscriptions",
           "sns:ListTopics",
           "sqs:ListQueues"
         ],
         "Resource": "*"
       }
     ]
   }

   Note

   The policy grants read-only access to common AWS services. This allows Cased to:

   • List and describe EC2 instances
   • View CloudWatch metrics
   • Access CloudTrail logs
   • List resources in ECS, RDS, and other services

   No write permissions are included in this policy.

4. Create IAM Role

   • Open IAM in AWS Console
   • Go to Roles → Create role
   • Choose “AWS account” as trusted entity type
   • Enter Cased account ID: 495860673956
   • Attach the policy you created
   • Name the role (e.g., CasedRole)

5. Almost done! Configure Cased:

   • Copy your Role ARN from the role summary page
   • Format: arn:aws:iam::<YOUR_ACCOUNT_ID>:role/CasedRole
   • Paste the ARN in Cased’s AWS connection settings
   • Select your AWS region