AWS Cloud Integration

Prerequisites

Requirement	Details
AWS account	IAM permissions to create roles and trust policies
StackFlow AWS account	Account ID: `373544523367`
StackFlow role	`super_admin` or `cloud_admin`
Target AWS accounts	One or more accounts to monitor

Step 1: Create Cross-Account IAM Role

Create an IAM role in each target AWS account that trusts the StackFlow account (373544523367):

# Create the cross-account trust policy
cat > trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::373544523367:role/StackFlowCloudDiscoveryRole"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"sts:ExternalId": "stackflow-YOUR_TENANT_ID"}
    }
  }]
}
EOF

# Create the role
aws iam create-role   --role-name StackFlowCrossAccountRole   --assume-role-policy-document file://trust-policy.json

# Attach the read-only discovery policy
aws iam attach-role-policy   --role-name StackFlowCrossAccountRole   --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

# For remediation capabilities, use a custom policy instead of ReadOnlyAccess:
aws iam put-role-policy   --role-name StackFlowCrossAccountRole   --policy-name StackFlowRemediation   --policy-document file://stackflow-remediation-policy.json

External ID: The ExternalId condition prevents the confused deputy attack. Your tenant-specific external ID is shown in Admin → Integration Hub → AWS Cloud → Setup. Never share it publicly.

Step 2: Configure CloudWatch Alarm Routing

In each monitored AWS account, create an SNS topic: stackflow-alerts
Add an HTTPS subscription pointing to: https://your-instance.stackflow-tech.com/prod/api/webhooks/inbound/cloudwatch
Update your CloudWatch Alarms to notify the stackflow-alerts SNS topic

# Create SNS topic and subscription
aws sns create-topic --name stackflow-alerts
aws sns subscribe   --topic-arn arn:aws:sns:us-east-1:YOUR_ACCOUNT:stackflow-alerts   --protocol https   --notification-endpoint https://your-instance.stackflow-tech.com/prod/api/webhooks/inbound/cloudwatch

# Update a CloudWatch alarm to notify StackFlow
aws cloudwatch put-metric-alarm   --alarm-name "HighCPUUtilization"   --alarm-actions arn:aws:sns:us-east-1:YOUR_ACCOUNT:stackflow-alerts   --ok-actions arn:aws:sns:us-east-1:YOUR_ACCOUNT:stackflow-alerts

Step 3: Enable EC2/RDS/Lambda CMDB Sync

StackFlow's cloud discovery uses the cross-account IAM role to enumerate EC2 instances, RDS clusters, Lambda functions, ECS services, and other resource types and creates/updates corresponding CMDB CIs.

{
  "discovery_config": {
    "account_id": "123456789012",
    "role_arn": "arn:aws:iam::123456789012:role/StackFlowCrossAccountRole",
    "regions": ["us-east-1", "us-west-2"],
    "resource_types": ["ec2", "rds", "lambda", "ecs", "eks", "elasticache", "cloudfront"],
    "tag_filters": [{"key": "Environment", "values": ["production"]}],
    "sync_schedule": "0 */2 * * *"
  }
}

Step 4: Connect in StackFlow

Navigate to Admin → Integration Hub → AWS Cloud → Add Account
Enter the AWS Account ID and the Cross-Account Role ARN
Enter the External ID (shown in the setup wizard)
Select regions to monitor and resource types to discover
Configure CloudWatch alarm-to-incident rules
Click Save & Discover to trigger an initial discovery

CloudWatch Alarm to Incident Mapping

CloudWatch State	StackFlow Action	Default Priority
ALARM (with tag severity:critical)	Create P1 Incident	P1
ALARM (no severity tag)	Create P2 Incident	P2
OK (alarm was P1/P2)	Resolve existing incident	—
INSUFFICIENT_DATA	Create P3 Incident	P3

CMDB Auto-Discovery

Discovery runs on a configurable schedule (default every 2 hours) and syncs the following resource types to CMDB CIs:

AWS Resource	CMDB CI Class	Key Attributes Synced
EC2 Instance	`aws_ec2_instance`	instance_id, type, AZ, VPC, private IP, public IP, tags
RDS Cluster	`aws_rds_cluster`	cluster_id, engine, version, endpoint, AZs, multi-AZ
Lambda Function	`aws_lambda`	function_name, runtime, memory, timeout, VPC config
EKS Cluster	`aws_eks_cluster`	cluster_name, k8s_version, endpoint, node_groups
ElastiCache	`aws_elasticache`	cluster_id, engine, node_type, endpoint

Field Reference

Field	Required	Description
Account ID	Yes	12-digit AWS account ID
Role ARN	Yes	Cross-account IAM role ARN
External ID	Yes	Tenant-specific external ID for assume-role security
Regions	Yes	List of AWS regions to monitor
Resource Types	No	Resource types to discover (default: all)
Tag Filters	No	Only discover resources with matching tags
Sync Schedule	No	Cron expression for discovery schedule (default: every 2 hours)

Testing the Integration

Click Test IAM Role to verify StackFlow can assume the cross-account role
Click Run Discovery Now to trigger an immediate discovery and verify CIs appear in CMDB
Trigger a test CloudWatch alarm and verify the StackFlow incident is created

# Manually set a CloudWatch alarm to ALARM state for testing
aws cloudwatch set-alarm-state   --alarm-name "HighCPUUtilization"   --state-value ALARM   --state-reason "Manual test for StackFlow integration"   --region us-east-1

Troubleshooting

Issue	Cause	Fix
AssumeRole fails	Trust policy missing or wrong account ID	Verify trust policy lists `373544523367` as principal and ExternalId matches
CIs not discovered	Tag filters too restrictive	Remove tag filters for initial test, then add them back
SNS subscription not confirmed	StackFlow endpoint didn't confirm subscription	Check Lambda logs for SNS subscription confirmation call; retry from SNS console
Alarms creating duplicate incidents	Multiple SNS subscriptions	Check for duplicate SNS subscriptions on the `stackflow-alerts` topic

← Previous

Okta

SSO, SCIM, group sync

Microsoft Azure

Monitor alerts, Entra ID