Connect your AWS accounts to Draftt to govern your cloud infrastructure. Draftt uses a cross-account IAM role with read-only access, deployed via CloudFormation.

Prerequisites

  • AWS account with permissions to create CloudFormation stacks and IAM roles
  • Access to the Draftt dashboard (Integrations > AWS)

Setup Methods

Draftt supports three installation methods. CloudFormation is recommended for most setups.

If you prefer to create the IAM role yourself instead of using CloudFormation:
  1. In Draftt, go to Integrations > AWS > Add and select the Manual Installation tab
  2. Create an IAM role in your AWS account with the required read-only permissions
  3. Configure the trust relationship to allow Draftt’s AWS account to assume the role, using the External ID provided in the Draftt setup dialog
  4. Enter the resulting Role ARN in Draftt and click Create

For organizations managing multiple AWS accounts, StackSets deploy the Draftt IAM role across all accounts in your AWS Organization simultaneously.
  1. In Draftt, go to Integrations > AWS > Add and select the CloudFormation StackSet (Multi Account) tab
  2. Follow the guided steps to deploy a StackSet from your management account
  3. The StackSet creates the Draftt IAM role in each target account automatically

What Draftt Reads

Draftt’s IAM role is read-only. It cannot create, modify, or delete any resources in your AWS account. The CloudFormation template defines the exact permissions granted. You can review the template before deploying:
https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
Draftt scans services across compute (EC2, Lambda, ECS, EKS), storage (S3, EBS, EFS), databases (RDS, DynamoDB, ElastiCache, Redshift), networking (VPC, ALB/NLB, CloudFront), security (IAM, KMS, Secrets Manager), and more.

Verifying Your Connection

After setup, return to Integrations > AWS in Draftt. Each connected account shows a status:
  • Healthy - All required access is in place. Draftt is collecting data as expected.
  • Unhealthy - Something is wrong with the IAM role or permissions. Check that the CloudFormation stack completed successfully and the Role ARN is correct.

Troubleshooting

Stack creation failed: Check the CloudFormation events tab for the specific error. Common causes include insufficient permissions to create IAM roles or a naming conflict with an existing role.

Status shows unhealthy: Verify the Role ARN matches what CloudFormation created. Confirm the ExternalId in the IAM trust policy matches the value from Draftt.

Missing resources in inventory: Draftt discovers resources on its scan cycle. New accounts may take one scan cycle to fully populate. Check that the IAM role has the required permissions by reviewing the CloudFormation stack resources.
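
The trust relationship from step 3 of the manual installation, and the ExternalId check above, can be verified offline against the role's trust policy JSON. The following is an added example, not Draftt's own code: the account ID and External ID are constructed placeholders (use the values from the Draftt setup dialog), and check_trust_policy and sample_policy are hypothetical helper names.

```python
# Constructed placeholders: take the real values from the Draftt setup dialog.
DRAFTT_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, account_id, external_id):
    """Return findings for a cross-account trust policy; an empty list means it passes."""
    allow = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allow:
        return ["no Allow statement: the role cannot be assumed"]
    findings = []
    for i, stmt in enumerate(allow):
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not arns:
            findings.append(f"statement {i}: no AWS principal")
        for arn in arns:
            parts = arn.split(":")
            # Accept a bare account ID or an ARN inside the expected account.
            owner = parts[4] if len(parts) > 5 else arn
            if owner != account_id:
                findings.append(f"statement {i}: unexpected principal {arn!r}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: sts:AssumeRole is not allowed")
        # Condition key names are case-insensitive in IAM.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if "sts:externalid" not in equals:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(equals["sts:externalid"]) != [external_id]:
            findings.append(f"statement {i}: ExternalId does not match")
    return findings

def sample_policy(principal, external_id=None):
    """Build a constructed trust policy document for the demonstration."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    root = {"AWS": f"arn:aws:iam::{DRAFTT_ACCOUNT_ID}:root"}
    for name, doc in [("correct", sample_policy(root, EXTERNAL_ID)),
                      ("no ExternalId", sample_policy(root)),
                      ("wildcard principal", sample_policy("*", EXTERNAL_ID))]:
        print(name, "->", check_trust_policy(doc, DRAFTT_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

To check a deployed role, pass the AssumeRolePolicyDocument returned by `aws iam get-role` as the policy argument.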