
Connect your AWS accounts to Draftt to govern your cloud infrastructure. Draftt uses a cross-account IAM role with read-only access, deployed via CloudFormation.

Prerequisites

  • AWS account with permissions to create CloudFormation stacks and IAM roles
  • Access to the Draftt dashboard (Integrations > AWS)

Setup Methods

Draftt supports three installation methods: a CloudFormation stack (recommended for most setups), a manually created IAM role, and a CloudFormation StackSet for AWS Organizations with many accounts. The manual and StackSet procedures are described below.

Manual setup

Step 1: Create a custom (customer managed) policy

In the AWS IAM console, go to Policies and click Create policy. Switch to the JSON editor and paste the policy document from the following link:
https://draftt-public.s3.amazonaws.com/DrafttReadOnlyPolicy.js
Click Actions, select Optimize for size, then click Next.
Step 2: Name the policy

Enter the following name:
DrafttReadOnlyPolicy
Click Create Policy.
Step 3: Create an IAM role with a custom trust policy

Navigate to Roles and click Create Role. Under Trusted entity type, choose Custom trust policy and paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::339712924365:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::339712924365:role/draftt-fetcher",
          "sts:ExternalId": "<provided-in-draftt>"
        }
      }
    }
  ]
}
Replace <provided-in-draftt> with the External ID shown in the Draftt setup dialog before continuing. The Principal grants sts:AssumeRole only to the Draftt AWS account, the aws:PrincipalArn condition narrows that to the draftt-fetcher role, and the sts:ExternalId condition is the confused-deputy protection: keep all three and do not widen the Principal to "*". Click Next.
Step 4: Attach policies

Attach the following policies to the role:
  • SecurityAudit
  • ViewOnlyAccess
  • DrafttReadOnlyPolicy (the policy you created in Step 2)
Click Next.
Step 5: Name the role

Enter the following name:
DrafttAccess-Role
Review the permissions and click Create Role.
Step 6: Enter the Role ARN in Draftt

Copy the ARN of the role you just created (arn:aws:iam::<your-account-id>:role/DrafttAccess-Role) and paste it into the Role ARN field in the Draftt setup dialog. Click Create.
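A check worth running once the role exists, added here as an example (it is not Draftt's code and not part of its documentation): take the trust policy back out of the console, or fetch it with `aws iam get-role --role-name DrafttAccess-Role --query Role.AssumeRolePolicyDocument`, and lint it for the three controls the documented policy relies on. The account ID, the draftt-fetcher role ARN and the placeholder string are taken from the trust policy above; the sample External ID and the two deliberately weak sample policies are constructed for the example.

```python
"""Offline lint for the Draftt cross-account role trust policy (added example, not Draftt's code).

Input is the trust policy document as the IAM console shows it or as
`aws iam get-role ... --query Role.AssumeRolePolicyDocument` returns it.
Reported: anything broader than one Draftt principal, sts:AssumeRole only,
the aws:PrincipalArn pin to draftt-fetcher, and a real (non-placeholder) sts:ExternalId.
"""
import json

DRAFTT_ACCOUNT = "339712924365"            # from the documented trust policy
DRAFTT_PRINCIPAL = f"arn:aws:iam::{DRAFTT_ACCOUNT}:root"
DRAFTT_FETCHER_ROLE = f"arn:aws:iam::{DRAFTT_ACCOUNT}:role/draftt-fetcher"
PLACEHOLDER_EXTERNAL_ID = "<provided-in-draftt>"


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Principal, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of findings; an empty list means the policy matches the documented one."""
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["no Statement block"]
    findings, assume_role_seen = [], False
    for idx, stmt in enumerate(statements):
        where = f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action"))
        grants_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        assume_role_seen = True
        if actions != ["sts:AssumeRole"]:
            findings.append(f"{where}: Action must be exactly sts:AssumeRole, got {actions}")
        # Principal may be the string "*" or a map; only {"AWS": <Draftt root>} is acceptable.
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if aws_principals != [DRAFTT_PRINCIPAL]:
            findings.append(f"{where}: Principal must be exactly {DRAFTT_PRINCIPAL}, got {aws_principals}")
        # Condition keys are case-insensitive in IAM, so normalise them before comparing.
        string_equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        string_equals = {key.lower(): value for key, value in string_equals.items()}
        if _as_list(string_equals.get("aws:principalarn")) != [DRAFTT_FETCHER_ROLE]:
            findings.append(f"{where}: missing or wrong aws:PrincipalArn pin (expected {DRAFTT_FETCHER_ROLE})")
        external_ids = _as_list(string_equals.get("sts:externalid"))
        if not external_ids:
            findings.append(f"{where}: missing sts:ExternalId condition (confused-deputy protection)")
        elif PLACEHOLDER_EXTERNAL_ID in external_ids:
            findings.append(f"{where}: sts:ExternalId still holds the placeholder; paste the value from the Draftt dialog")
    if not assume_role_seen:
        findings.append("no Allow statement grants sts:AssumeRole; Draftt cannot assume the role")
    return findings


def check_trust_policy_json(text):
    """Same check on the raw JSON string copied out of the console."""
    return check_trust_policy(json.loads(text))


# Constructed sample: the documented policy with a made-up (hypothetical) External ID filled in.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DRAFTT_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalArn": DRAFTT_FETCHER_ROLE,
                                       "sts:ExternalId": "example-external-id-0000"}},
    }],
}

# Constructed sample of a common mistake: the Condition block was dropped, so any
# principal in the Draftt account that may call sts:AssumeRole could use the role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": DRAFTT_PRINCIPAL}, "Action": "sts:AssumeRole"}],
}

# The documented policy pasted verbatim, placeholder included (constructed from the page).
UNSUBSTITUTED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DRAFTT_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalArn": DRAFTT_FETCHER_ROLE,
                                       "sts:ExternalId": PLACEHOLDER_EXTERNAL_ID}},
    }],
})

if __name__ == "__main__":
    for name, findings in [("good", check_trust_policy(GOOD_POLICY)),
                           ("weak", check_trust_policy(WEAK_POLICY)),
                           ("unsubstituted", check_trust_policy_json(UNSUBSTITUTED_POLICY_JSON))]:
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

The same lint applies to the organization-level role in the StackSet procedure, and it is the quickest way to rule the trust policy in or out when Draftt reports an account as Unhealthy.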
StackSet setup (AWS Organizations)

For organizations managing multiple AWS accounts, a CloudFormation StackSet deploys the Draftt IAM role to every account in your AWS Organization at once.

Step 1: Create an organization-level IAM role

Navigate to Roles, click Create Role, choose Custom trust policy and paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::339712924365:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::339712924365:role/draftt-fetcher",
          "sts:ExternalId": "<provided-in-draftt>"
        }
      }
    }
  ]
}
Replace <provided-in-draftt> with the External ID from the Draftt setup dialog, as in the manual setup, and click Next. In the Add permissions section, choose:
  • AWSOrganizationsReadOnlyAccess
  • AWSCloudFormationReadOnlyAccess
Click Next and enter the following name:
DrafttReadOnlyAccess-OrganizationLevel
Review the permissions and click Create Role, then enter the Role ARN in Draftt.
Step 2: Create the CloudFormation StackSet

Open the AWS CloudFormation console and click Create StackSet. On the Specify template page, choose Service-managed permissions, then choose Amazon S3 URL and provide the following link:
https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
Press Next.
Step 3: Configure StackSet parameters

Name the stack set; we recommend something easy to identify, e.g. DrafttStackSet. Leave the default value for the DrafttRoleName parameter (default: DrafttAccess-Role). For the ExternalId parameter, enter the value provided in the Draftt setup dialog. Press Next.
Step 4: CloudFormation behavior (optional)

This step uses the AWS defaults, so we recommend not changing anything here. Press Next.
Step 5: Set deployment options

On the Set deployment options screen, choose Deploy new stacks. Under Specify regions, choose a single region of your preference: the template only creates an IAM role in each account, and IAM roles are global, so a deployment to a second region would only fail with a naming conflict on the same role. Under Deployment options, we recommend raising Maximum concurrent accounts according to the number of accounts you are integrating and leaving the other deployment options unchanged. Press Next.
Step 6: Review and create

Review all previous settings. Acknowledge the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." statement and press Submit. Once the StackSet is created, provide Draftt with the StackSet ARN.
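Before handing Draftt the StackSet ARN it is worth confirming that every member account actually received the role. The following is an added example (not Draftt's tooling) that reads the `Summaries` list returned by `aws cloudformation list-stack-instances --stack-set-name DrafttStackSet`, separates accounts whose stack instance is CURRENT with DetailedStatus SUCCEEDED from those still pending or failed, derives the role ARN Draftt will assume in each ready account from the DrafttRoleName parameter, and flags accounts deployed to more than one region, which is the usual source of a "role already exists" failure because IAM roles are global. The summaries embedded here are constructed sample data with made-up account IDs and approximated status messages.

```python
"""Report which AWS Organization accounts received the Draftt role from the StackSet.

Added example, not Draftt's tooling. Input: the `Summaries` list from
`aws cloudformation list-stack-instances --stack-set-name DrafttStackSet`
(one entry per account and region). Output: accounts Draftt can use right away
with the role ARN it will assume there, accounts that still need attention, and
accounts deployed to more than one region (IAM roles are global, so the second
region can only fail with a naming conflict).
"""

DEFAULT_ROLE_NAME = "DrafttAccess-Role"    # default of the DrafttRoleName parameter


def is_account_id(value):
    """AWS account IDs are exactly 12 decimal digits."""
    return isinstance(value, str) and len(value) == 12 and value.isdigit()


def expected_role_arn(account_id, role_name=DEFAULT_ROLE_NAME):
    """ARN of the role the stack creates in one member account (no region: IAM is global)."""
    if not is_account_id(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def summarize_stack_instances(summaries, role_name=DEFAULT_ROLE_NAME):
    """Group ListStackInstances summaries by outcome.

    Returns {"ready": {account: role_arn}, "not_ready": {account: reason},
             "multi_region": {account: [regions]}}.
    An account is ready when at least one of its stack instances is CURRENT with
    DetailedStatus SUCCEEDED; a failed duplicate in a second region does not undo
    that, but is surfaced under multi_region so the extra instance can be removed.
    """
    ready, problems, regions_by_account = {}, {}, {}
    for item in summaries:
        account = item["Account"]
        regions_by_account.setdefault(account, []).append(item["Region"])
        detailed = item.get("StackInstanceStatus", {}).get("DetailedStatus")
        if item.get("Status") == "CURRENT" and detailed == "SUCCEEDED":
            ready[account] = expected_role_arn(account, role_name)
        else:
            reason = item.get("StatusReason") or f"{item.get('Status')}/{detailed}"
            problems.setdefault(account, f"{item['Region']}: {reason}")
    not_ready = {acct: why for acct, why in problems.items() if acct not in ready}
    multi_region = {acct: regs for acct, regs in regions_by_account.items() if len(regs) > 1}
    return {"ready": ready, "not_ready": not_ready, "multi_region": multi_region}


# Constructed sample in the shape of ListStackInstances output: made-up account IDs,
# and StatusReason strings that only approximate what CloudFormation reports.
SAMPLE_SUMMARIES = [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StackInstanceStatus": {"DetailedStatus": "PENDING"}},          # deployment still running
    {"Account": "333333333333", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "333333333333", "Region": "eu-west-1", "Status": "OUTDATED",   # second region: role already created
     "StatusReason": "AWS::IAM::Role DrafttAccess-Role already exists",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
    {"Account": "444444444444", "Region": "us-east-1", "Status": "OUTDATED",   # pre-existing role with the same name
     "StatusReason": "AWS::IAM::Role DrafttAccess-Role already exists",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
]

if __name__ == "__main__":
    report = summarize_stack_instances(SAMPLE_SUMMARIES)
    for account, arn in report["ready"].items():
        print(f"ready      {account}  {arn}")
    for account, reason in report["not_ready"].items():
        print(f"not ready  {account}  {reason}")
    for account, regions in report["multi_region"].items():
        print(f"note       {account} deployed to {regions}; keep one region, the role is global")
```

Run it against the real output (`aws cloudformation list-stack-instances --stack-set-name DrafttStackSet --query Summaries`) and fix every account under `not_ready` before the StackSet ARN goes into Draftt; an account that shows up only as failed with an "already exists" reason usually has a leftover role from a manual setup and needs that role removed or the stack instance dropped.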

What Draftt Reads

Draftt's IAM role is read-only: it cannot create, modify, or delete resources in your AWS account. For the CloudFormation and StackSet paths, the template defines the exact permissions granted, so you can review it before deploying:
https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
For the manual setup, the permissions are the SecurityAudit and ViewOnlyAccess AWS managed policies plus DrafttReadOnlyPolicy; review that policy document the same way before attaching it. Draftt scans services across compute (EC2, Lambda, ECS, EKS), storage (S3, EBS, EFS), databases (RDS, DynamoDB, ElastiCache, Redshift), networking (VPC, ALB/NLB, CloudFront), security (IAM, KMS, Secrets Manager), and more.

Verifying Your Connection

After setup, return to Integrations > AWS in Draftt. Each connected account shows a status:
  • Healthy - All required access is in place. Draftt is collecting data as expected.
  • Unhealthy - Something is wrong with the IAM role or permissions. Check that the CloudFormation stack completed successfully and the Role ARN is correct.

Troubleshooting

  • Stack creation failed: Check the CloudFormation Events tab for the specific error. Common causes are insufficient permissions to create IAM roles or a naming conflict with an existing role (for example a DrafttAccess-Role left over from a manual setup).
  • Status shows Unhealthy: Verify that the Role ARN entered in Draftt matches what CloudFormation created and that the trust policy still carries the Draftt principal, the aws:PrincipalArn condition and the correct External ID.
  • Missing resources in inventory: Draftt discovers resources on its scan cycle, so a newly added account may take one scan cycle to fully populate. Check that the IAM role has the required permissions by reviewing the CloudFormation stack resources.