
Generate AWS Credentials

Last updated: 2026-02-26



Purpose

This article describes how to create Amazon Web Services (AWS) credentials.

Introduction

Amazon Web Services (AWS) is a cloud computing platform that enables organizations to build and operate digital systems in the cloud without maintaining physical servers. The Generate AWS Credentials feature guides users through creating secure Identity and Access Management (IAM) credentials, such as access keys or IAM roles, so the platform can interact safely with their AWS accounts. By configuring precise IAM policies, users ensure that Outscan gains the necessary permissions to discover and scan AWS resources without granting excessive access. This approach enhances both visibility and control within the cloud security workflow.

Create an IAM Policy

  1. Click Policies in the left-hand menu of the AWS console, then click Create Policy. This opens the Create Policy page, where you can create a new IAM policy.

    1. Click JSON. This opens an IAM policy editor where you can insert your policy.

      The policy is explained later in this document and can be found in Appendix 1 in JSON format.

  2. Click the Review policy button on the bottom right, and fix the Policy Name and Description if your policy is not valid.

  3. To validate the policy, click the Create Policy button.

Create an IAM Role

  1. Log in to the AWS console and open the IAM service.

  2. Click Roles in the left menu, then click the Create role button to open the Create role window.

  3. Select Another AWS Account as the type of trusted entity.

  4. Fill in the form using “947065867758” as the Account ID.

  5. Under Options, select Require external ID and use the External ID provided in the Amazon section of the Integrations Settings panel in OUTSCAN.

  6. Select the AWS policy you created.

  7. Add a name to the AWS role and set a description.

  8. Click the Create role button on the bottom right.
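
Steps 3 to 5 produce a role trust policy that names the trusted account and requires the external ID. The following check is an added example, not Outpost24 code: it audits a trust policy document for both properties. The sample policy and its external ID value are constructed placeholders, and the function names are hypothetical.

```python
import json

VENDOR_ACCOUNT = "947065867758"  # Account ID given in step 4 of this article

# Constructed trust policy of the shape the console produces for steps 3 to 5.
# The external ID is a placeholder; the real value comes from OUTSCAN.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::947065867758:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def as_list(value):
    """IAM accepts a single string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account ID of an AWS principal given as a bare ID or as an ARN."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else principal


def audit_trust_policy(policy, account=VENDOR_ACCOUNT):
    """Return findings; an empty list means only `account` is trusted, with an external ID."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not limited to AWS accounts")
            continue
        for p in as_list(principal["AWS"]):
            if account_of(p) != account:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Condition keys are case-insensitive, so compare them in lower case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```

The trust policy of an existing role can be exported from the role's Trust relationships tab and passed to `audit_trust_policy` in place of the constructed sample.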

Adding Credentials

  1. Log in to OUTSCAN. See the Logging in to the portal article on how to access the Portal.

  2. In the Portal view, click the Account button in the upper right corner. Initials in the button may differ depending on the account name.



  3. Select Credentials in the context menu.



  4. Click the + Add credentials button to open the Add credentials form.


Configure AWS Credentials

Add AWS credentials in Outpost24 using Access Key or IAM Role to allow authenticated scanning of your Amazon Web Services resources.

To manage your account, refer to Scan Credentials.

References

AWS IAM Best Practice: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS IAM Policy Simulator: https://policysim.aws.amazon.com/home/index.jsp

Appendix 1

This appendix contains the AWS policy for the Outpost24 product in JSON format.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Outpost24AccountRead",
      "Effect": "Allow",
      "Action": [
        "account:GetContactInformation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24CloudWatchRead",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24CloudTrailRead",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24CloudWatchLogsRead",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeMetricFilters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24ConfigRead",
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "config:DescribeDeliveryChannelStatus",
        "config:DescribeDeliveryChannels"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24EC2Read",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeAddresses",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs",
        "ec2:GetEbsEncryptionByDefault"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24ELBRead",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24CloudFrontRead",
      "Effect": "Allow",
      "Action": [
        "cloudfront:ListDistributions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24EFSRead",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeFileSystems"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24IAMRead",
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetLoginProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetServerCertificate",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfilesForRole",
        "iam:ListMFADevices",
        "iam:ListPolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24AccessAnalyzerRead",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24KMSRead",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyRotationStatus",
        "kms:ListKeys"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24RDSRead",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24S3Read",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Outpost24SNSRead",
      "Effect": "Allow",
      "Action": [
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}
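
An added example, not part of the Outpost24 documentation: a small linter that reports statements granting more than read access before a policy is pasted into the editor. It assumes, as a heuristic, that actions starting with Describe, Get, List or Generate (the only verbs Appendix 1 uses) are read-only; the second sample statement is constructed and the function names are hypothetical.

```python
import json

# Verb prefixes used by every action in the article's Appendix 1 policy.
# Assumption of this example: an action name starting with one of them is read-only.
READ_VERBS = ("Describe", "Get", "List", "Generate")

# Constructed sample: the first statement is copied from Appendix 1, the second
# is a made-up over-broad statement so that the linter has something to report.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Outpost24SNSRead", "Effect": "Allow",
     "Action": ["sns:ListSubscriptionsByTopic", "sns:ListTopics"], "Resource": "*"},
    {"Sid": "ConstructedTooBroad", "Effect": "Allow",
     "Action": ["s3:*", "ec2:TerminateInstances"], "Resource": ""}
  ]
}
""")


def as_list(value):
    """IAM accepts a single string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, message) findings for statements that grant more than read access."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action except those listed"))
        for action in as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if "*" in action or "?" in action:
                findings.append((sid, f"wildcard action {action}"))
            elif not name.startswith(READ_VERBS):
                findings.append((sid, f"non-read action {action}"))
        if not stmt.get("Resource") and "NotResource" not in stmt:
            findings.append((sid, "Resource is missing or empty"))
    return findings


if __name__ == "__main__":
    for sid, message in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {message}")
```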


Viewing the summary of the AWS policy for Outpost24 software in the AWS console.


Permissions defined in this policy

[Screenshots of the policy summary: actions in Access Analyzer, Account, CloudFront, CloudTrail, CloudWatch, CloudWatch Logs, Config, EC2, EFS, ELB, ELB v2, IAM, KMS, RDS, S3 and SNS]
