


The Access Key and Secret Key associated with an AWS Identity and Access Management (IAM) user are required to configure the connector.

Create an IAM user and retrieve access keys

The Access key ID and the Secret access key of an IAM user created to be used exclusively with the Amazon AWS Discovery connector are required as input when configuring the connector.

To create a new IAM user to be used with the Amazon AWS Discovery connector:

  1. In the AWS IAM Management Console, select Add user.

  2. In the Details step:

    1. Enter a User name for the new user, for example MySimUser.

    2. Set Access type to Programmatic access.

  3. In the Permissions view:

    1. Select Attach existing policies directly.

    2. Under Policy, select AmazonEC2ReadOnlyAccess.

      As an alternative, select any other permission that includes listing (List) of EC2.

    3. Under Set permission boundary, select Create user without permissions boundary.

  4. In the Review step, a summary of the settings is shown.

    Select Create user.

  5. In the Complete step, the Access key ID and the Secret access key are shown. Make a note of them, as they will be used when configuring the AWS Discovery connector.


Multiple account role configuration

In environments where the total EC2 footprint spans multiple accounts, the Amazon AWS Discovery connector can be configured to use roles to access additional accounts.

To create and add roles for additional accounts:

  1. In the IAM console for the account to which your IAM user belongs (your primary account), navigate to Support/Support center.

  2. Copy and save your Account number, which is displayed at the top of the screen.

  3. Log in to the IAM console for another account (your secondary account).

  4. Navigate to the Roles list.

  5. Create a new role:

    1. Select Create role.

    2. Select Another AWS Account as the trusted entity type.

    3. In the Account ID box, enter the account number from Step 2 and select Next: Permissions.

    4. Attach a policy that includes the EC2: List permission to your role by selecting the checkbox for that policy, and then select Next: Tags.


      Amazon offers the AmazonEC2ReadOnlyAccess policy by default.

    5. Optional: Add one or more tags to your role.

    6. Select Next: Review.

    7. In the Role name box, enter the name of the role and select Create role.

  6. On the Summary page of the new role, copy and save the value in the Role ARN field. It is required as input when configuring the AWS Discovery connector.

  7. In the IAM console for your primary account, navigate to the Policies list.

  8. Create a new policy:

    1. Select Create policy.

    2. Under Service, select STS service.

    3. Under Actions, select Write/AssumeRole.

    4. Under Resources, select the Any checkbox to grant access to any role, or specify the Role ARN from Step 6.

    5. Select Review policy.

    6. In the Name box, enter the name of the policy and select Create policy.

  9. Navigate to the Users section.

  10. Select the user you created for the Amazon AWS Discovery connector.

  11. Select Add permissions.

  12. Attach the policy you created in Step 8 directly to the user.

  13. Repeat Step 3 to Step 6 for each secondary account.


    If you did not select the Any checkbox in substep 4 of Step 8, you will need to update the policy with the Role ARN for each additional account.
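
The following added example (not part of the product documentation) builds the Step 8 policy restricted to the Role ARNs saved in Step 6 and checks an existing policy document for the broader grant that the Any checkbox produces. The account IDs and the role name DiscoveryReadOnly are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# arn:aws:iam::<12-digit account>:role/<optional path/><role name>, no wildcards
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def assume_role_policy(role_arns):
    """Step 8 policy for the connector user, limited to the Step 6 Role ARNs."""
    bad = [arn for arn in role_arns if not ROLE_ARN.match(arn)]
    if bad or not role_arns:
        raise ValueError(f"need one or more exact role ARNs; rejected: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": sorted(set(role_arns)),
        }],
    }

def wildcard_assume_role(policy):
    """Return Allow statements granting sts:AssumeRole on a wildcard resource."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        grants = any(fnmatchcase("sts:assumerole", a) for a in actions)
        if stmt.get("Effect") == "Allow" and grants and any("*" in r for r in resources):
            hits.append(stmt)
    return hits

# Constructed sample values: placeholder account IDs, hypothetical role name.
SECONDARY_ROLES = [
    "arn:aws:iam::444455556666:role/DiscoveryReadOnly",
    "arn:aws:iam::777788889999:role/DiscoveryReadOnly",
]
# Equivalent of selecting Any under Resources in Step 8.
ANY_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

if __name__ == "__main__":
    scoped = assume_role_policy(SECONDARY_ROLES)
    print(json.dumps(scoped, indent=2))
    print("wildcard grants (Any, scoped):",
          len(wildcard_assume_role(ANY_ROLE)), len(wildcard_assume_role(scoped)))
```

With the scoped form, each account added through Step 13 means regenerating the policy with the new Role ARN appended.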