> ## Documentation Index
> Fetch the complete documentation index at: https://docs.draftt.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon Web Services

Connect your AWS accounts to Draftt to govern your cloud infrastructure. Draftt uses a cross-account IAM role with read-only access, deployed via CloudFormation.

## Prerequisites

* AWS account with permissions to create CloudFormation stacks and IAM roles
* Access to the Draftt dashboard (**Integrations > AWS**)

## Setup Methods

Draftt supports three installation methods. CloudFormation is recommended for most setups.

<AccordionGroup>
  <Accordion title="CloudFormation (Recommended)">
    The fastest way to connect a single AWS account. Draftt provides a CloudFormation template that creates the required IAM role automatically.

    <Steps>
      <Step title="Name your integration">
        In Draftt, fill in the **Integration Name** field.
      </Step>

      <Step title="Deploy the CloudFormation stack">
        Navigate to your [AWS CloudFormation console](https://us-east-1.console.aws.amazon.com/cloudformation/home/stacks/create).

        1. Click **Create Stack** - With new resources (Standard)
        2. On the prerequisite section, choose **Choose an existing template**
        3. On the specify template section, choose **Amazon S3 URL** and provide the following link:

        ```
        https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
        ```

        Press **Next**.
      </Step>

      <Step title="Configure stack parameters">
        * **Stack name:** We recommend something easy to identify, e.g. `DrafttStack`
        * **DrafttRoleName:** Leave the default value
        * **ExternalId:** Copy the value shown in the Draftt setup dialog and paste it here

        Press **Next**.
      </Step>

      <Step title="Optional: CloudFormation behavior">
        Since we're using AWS defaults, we recommend not making any changes in this step. Press **Next**.
      </Step>

      <Step title="Review and create">
        Review all previous settings. Acknowledge and approve the **"I acknowledge that AWS CloudFormation might create IAM resources with custom names."** statement.

        Press **Submit**.
      </Step>

      <Step title="Enter the Role ARN in Draftt">
        Enter the Role ARN in the Draftt setup dialog and click **Create**.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Manual Installation">
    <Steps>
      <Step title="Create a custom inline policy">
        [Create a new custom inline policy](https://us-east-1.console.aws.amazon.com/iam/home#/policies/create) in the AWS IAM console.

        Switch to **JSON Mode** and copy the content from the following link:

        ```
        https://draftt-public.s3.amazonaws.com/DrafttReadOnlyPolicy.js
        ```

        Click on **Actions** and then select **Optimize for size**. Click **Next**.
      </Step>

      <Step title="Name the policy">
        Enter the following name:

        ```
        DrafttReadOnlyPolicy
        ```

        Click **Create Policy**.
      </Step>

      <Step title="Create an IAM role with a custom trust policy">
        Navigate to **Roles** and click **Create Role**.

        On the **Trusted entity type** section, choose **Custom trust policy** and paste the following:

        ```json theme={null}
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::339712924365:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalArn": "arn:aws:iam::339712924365:role/draftt-fetcher",
                  "sts:ExternalId": "<provided-in-draftt>"
                }
              }
            }
          ]
        }
        ```

        Click **Next**.
      </Step>

      <Step title="Attach policies">
        Attach the following policies to the role:

        * `SecurityAudit`
        * `ViewOnlyAccess`
        * `DrafttReadOnlyPolicy` (the policy you created in Step 2)

        Click **Next**.
      </Step>

      <Step title="Name the role">
        Enter the following name:

        ```
        DrafttAccess-Role
        ```

        Review the permissions and click **Create Role**.
      </Step>

      <Step title="Enter the Role ARN in Draftt">
        Copy the ARN of the role you just created and paste it into the **Role ARN** field in the Draftt setup dialog. Click **Create**.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="CloudFormation StackSet (Multi Account)">
    For organizations managing multiple AWS accounts, StackSets deploy the Draftt IAM role across all accounts in your AWS Organization simultaneously.

    <Steps>
      <Step title="Create an organization-level IAM role">
        Navigate to **Roles** and click on [Custom trust policy](https://us-east-1.console.aws.amazon.com/iam/home#/roles/create?step=selectEntities\&selectedUseCase=custom).

        Copy the following policy:

        ```json theme={null}
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::339712924365:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalArn": "arn:aws:iam::339712924365:role/draftt-fetcher",
                  "sts:ExternalId": "<provided-in-draftt>"
                }
              }
            }
          ]
        }
        ```

        Click **Next**. On the **Add permissions** section, choose:

        * `AWSOrganizationsReadOnlyAccess`
        * `AWSCloudFormationReadOnlyAccess`

        Click **Next**. Enter the following name:

        ```
        DrafttReadOnlyAccess-OrganizationLevel
        ```

        Review the permissions and click **Create Role**. Enter the Role ARN in Draftt.
      </Step>

      <Step title="Create the CloudFormation StackSet">
        Navigate to your [AWS CloudFormation Console](https://us-east-1.console.aws.amazon.com/cloudformation/home).

        Click **Create stack set**. On the **Specify template** section, choose **Service-managed permissions**. Choose **Amazon S3 URL** and provide the following link:

        ```
        https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
        ```

        Press **Next**.
      </Step>

      <Step title="Configure StackSet parameters">
        Name the stack set. We recommend something easy to identify, e.g. `DrafttStackSet`.

        Leave the default name for the **DrafttRoleName** parameter (default: `DrafttAccess-Role`).

        On the **ExternalId** parameter, enter the value provided in the Draftt setup dialog.

        Press **Next**.
      </Step>

      <Step title="Optional: CloudFormation behavior">
        Since we're using AWS defaults, we recommend not making any changes in this step. Press **Next**.
      </Step>

      <Step title="Set deployment options">
        Under the **Set deployment options** screen, choose **Deploy new stacks**.

        Specify regions. Since CloudFormation only creates a role in each account, there is no need to choose multiple regions. Choose only a single region based on your preference.

        Under **Deployment options**, we recommend increasing the **Maximum concurrent accounts** based on the number of accounts you are integrating.

        We recommend not making changes in the deployment options section. Press **Next**.
      </Step>

      <Step title="Review and create">
        Review all previous settings. Acknowledge and approve the **"I acknowledge that AWS CloudFormation might create IAM resources with custom names."** statement.

        Press **Submit**. Once the StackSet is created, provide Draftt with the StackSet ARN.
      </Step>
    </Steps>
  </Accordion>
</AccordionGroup>

## What Draftt Reads

Draftt's IAM role is **read-only**. It cannot create, modify, or delete any resources in your AWS account.

The CloudFormation template defines the exact permissions granted. You can review the template before deploying:

```
https://draftt-public.s3.amazonaws.com/draftt-onboarding-cloudformation.json
```

Draftt scans services across compute (EC2, Lambda, ECS, EKS), storage (S3, EBS, EFS), databases (RDS, DynamoDB, ElastiCache, Redshift), networking (VPC, ALB/NLB, CloudFront), security (IAM, KMS, Secrets Manager), and more.

## Verifying Your Connection

After setup, return to **Integrations > AWS** in Draftt. Each connected account shows a status:

* **Healthy** - All required access is in place. Draftt is collecting data as expected.
* **Unhealthy** - Something is wrong with the IAM role or permissions. Check that the CloudFormation stack completed successfully and the Role ARN is correct.

## Troubleshooting

**Stack creation failed:** Check the CloudFormation events tab for the specific error. Common causes include insufficient permissions to create IAM roles or a naming conflict with an existing role.

**Status shows unhealthy:** Verify the Role ARN matches what CloudFormation created and that the trust policy is configured correctly.

**Missing resources in inventory:** Draftt discovers resources on its scan cycle. New accounts may take one scan cycle to fully populate. Check that the IAM role has the required permissions by reviewing the CloudFormation stack resources.
