Overview

Connect your AWS Organization so Backline can securely pull cloud context for richer risk analysis and smarter remediation. By integrating with AWS, Backline gains visibility into your runtime environment — including network exposure, security groups, and deployment topology — to determine whether a vulnerability is actually exploitable in your specific infrastructure. This moves security prioritization from theoretical severity (CVSS scores) to contextual exploitability.

What You Can Do

With the AWS Cloud integration, Backline can:
  • Assess whether vulnerabilities are actually exploitable in your AWS environment
  • Analyze network exposure, security groups, and subnet configurations to determine reachability
  • Identify whether vulnerable workloads are running, stopped, or isolated
  • Provide evidence-backed exploitability verdicts with cloud context (e.g., “Service is in a private subnet with no public IP”)
  • Monitor EC2, ECS, EKS, and Lambda workloads for runtime security context
  • Support multiple AWS accounts and organizations from a single Backline workspace

Prerequisites

Before connecting AWS Cloud, ensure you have:
  • An AWS account with appropriate IAM permissions
  • Permissions to deploy CloudFormation stacks (requires IAM role creation)
  • Your 12-digit AWS Account ID

Connecting AWS Cloud

1. Go to Integration Hub
Navigate to Integrations from the main menu.

2. Select AWS Cloud
Find and click on the AWS Cloud integration card.

3. Deploy CloudFormation Stack
Click the CloudFormation link in Backline or use the direct link below to deploy the integration role in your AWS account:
Deploy CloudFormation Stack
The stack creates an IAM Role in your account with:
  • Backline’s AWS Account as the trusted principal
  • Your tenant-specific External ID in the trust policy
  • Read-only permissions for security context collection

4. Get Stack Outputs
After the stack completes, go to the Outputs tab and copy the Role ARN.

5. Enter Connection Details
In Backline, enter:
  • Account ID: Your 12-digit AWS Account ID
  • External ID: The pre-generated External ID shown in the setup screen
  • Role ARN: The ARN from the CloudFormation outputs
  • Regions: One or more AWS regions you want Backline to scan for cloud context

6. Connect
Click Connect to validate and save the connection. Backline will verify it can assume the IAM Role using the provided credentials.
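Before clicking Connect, it is worth confirming that the role the stack created trusts only Backline's account and carries the External ID condition, since that condition is what stops a third party who learns your Role ARN from having Backline assume the role on their behalf (the confused-deputy problem). The following is an added example, not Backline's code or part of the CloudFormation template: it checks a trust policy document of the shape `aws iam get-role` returns. The account ID and External ID in it are placeholders, not Backline's real values.

```python
import json

# Placeholder values: substitute Backline's account ID and the External ID shown in the setup screen.
BACKLINE_ACCOUNT_ID = "111111111111"
EXPECTED_EXTERNAL_ID = "example-tenant-external-id"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, trusted_account_id, external_id):
    """Return a list of findings for a role trust policy; an empty list means it matches expectations.

    `policy` is the AssumeRolePolicyDocument as a dict or JSON string, e.g. the value
    returned by `aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument`.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    seen_assume_role = False
    allowed_principals = {trusted_account_id, f"arn:aws:iam::{trusted_account_id}:root"}

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        seen_assume_role = True

        # Principal may be the string "*" or a dict such as {"AWS": "arn:..."} / {"AWS": [...]}.
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could attempt to assume the role")
            elif p not in allowed_principals and not p.startswith(f"arn:aws:iam::{trusted_account_id}:"):
                findings.append(f"unexpected trusted principal: {p}")

        # The External ID must be enforced as a StringEquals condition on sts:ExternalId.
        condition = stmt.get("Condition", {})
        ext_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif external_id not in ext_ids or len(ext_ids) != 1:
            findings.append(f"sts:ExternalId does not match the tenant External ID: {ext_ids}")

    if not seen_assume_role:
        findings.append("no Allow statement for sts:AssumeRole: Backline cannot assume the role")
    return findings


# Constructed sample: a trust policy of the kind the stack is described as creating.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{BACKLINE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed counter-example: trusts everyone and enforces no External ID.
OVERLY_BROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TRUST_POLICY), ("overly broad", OVERLY_BROAD_TRUST_POLICY)):
        print(name, check_trust_policy(doc, BACKLINE_ACCOUNT_ID, EXPECTED_EXTERNAL_ID) or "OK")
```

Feed it the real document with `aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument --output json` piped into `json.load`; any finding other than an empty list means the stack output is not what the integration expects and the connection should not be saved until the trust policy is corrected.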

Alternative: Deploy via CloudFormation StackSet

If you need to deploy the IAM Role across multiple accounts in your AWS Organization, use a CloudFormation StackSet instead of a single stack.
1. Create the StackSet
In the AWS Console, navigate to CloudFormation → StackSets and create a new StackSet using the template URL:
https://backline-integration-templates.s3.amazonaws.com/backline-cloud-integration-role.yaml
Deploy the StackSet to your target accounts and regions.

2. Get Stack Outputs
Once the StackSet deployment completes, navigate to the Stack instances tab, select a stack instance, and open its Outputs tab. Copy the Role ARN value.

3. Complete Integration in Backline
Return to the Enter Connection Details step above and enter your Account ID, External ID, Role ARN, and Regions.

After Connection

Once connected, Backline begins collecting cloud context from your AWS environment, including:
  • Network topology: VPC, subnet, public/private exposure, load balancers
  • Security groups: Inbound/outbound rules, public accessibility
  • Runtime state: Whether workloads are running, stopped, or unknown
  • Service configuration: Authentication requirements, exposed ports
This context is used to evaluate exploitability for every vulnerability detected in your environment, producing evidence-backed verdicts such as:
“This vulnerability is not exploitable because the affected service is not reachable from the internet. The workload runs in a private VPC subnet, has no public IP or public load balancer, and is protected by a security group that blocks inbound traffic from 0.0.0.0/0.”
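The verdict above combines three facts: whether the workload is running, whether it has any public entry point (public IP in a public subnet, or a public load balancer), and whether a security group rule admits the service's port from 0.0.0.0/0 or ::/0. The following added example (not Backline's code; a deliberately simplified model of the reasoning the page describes) evaluates constructed cloud-context records and produces an evidence sentence of the same form. Workload names, the 203.0.113.0/24 address and the rule sets are constructed sample data.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass
class IngressRule:
    """One inbound security group rule, mirroring an EC2 IpPermissions entry."""
    protocol: str            # "tcp", "udp", or "-1" (all protocols)
    from_port: int | None    # None when protocol is "-1"
    to_port: int | None
    source_cidr: str         # IPv4 or IPv6 source range


@dataclass
class WorkloadContext:
    """Assumed (simplified) cloud context for one workload."""
    name: str
    state: str                   # "running", "stopped" or "unknown"
    public_subnet: bool          # subnet route table has a route to an internet gateway
    public_ip: str | None
    public_load_balancer: bool
    ingress: list[IngressRule]


def _is_open_to_internet(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length zero); narrower public ranges are not 'the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers(rule: IngressRule, protocol: str, port: int) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def assess_reachability(ctx: WorkloadContext, port: int, protocol: str = "tcp") -> tuple[bool, str]:
    """Decide whether protocol/port on the workload is reachable from the internet.

    Returns (reachable, evidence). Reachability requires a running workload, a public
    entry point, and a security group rule admitting the port from 0.0.0.0/0 or ::/0.
    """
    reasons = []
    if ctx.state != "running":
        reasons.append(f"the workload is not running (state: {ctx.state})")

    if ctx.public_load_balancer:
        entry = "sits behind a public load balancer"
    elif ctx.public_ip and ctx.public_subnet:
        entry = f"has public IP {ctx.public_ip} in a public subnet"
    else:
        entry = None
        if not ctx.public_subnet:
            reasons.append("it runs in a private VPC subnet")
        if not ctx.public_ip:
            reasons.append("it has no public IP")
        if not ctx.public_load_balancer:
            reasons.append("it has no public load balancer")

    open_rules = [r for r in ctx.ingress
                  if _rule_covers(r, protocol, port) and _is_open_to_internet(r.source_cidr)]
    if not open_rules:
        reasons.append(f"its security group blocks inbound {protocol}/{port} from 0.0.0.0/0 and ::/0")

    reachable = ctx.state == "running" and entry is not None and bool(open_rules)
    if reachable:
        rule = open_rules[0]
        ports = "all ports" if rule.protocol == "-1" else f"{rule.protocol} {rule.from_port}-{rule.to_port}"
        evidence = (f"{ctx.name} is reachable from the internet on {protocol}/{port}: it {entry} "
                    f"and its security group allows {ports} from {rule.source_cidr}.")
    else:
        evidence = (f"{ctx.name} is not reachable from the internet on {protocol}/{port}: "
                    + "; ".join(reasons) + ".")
    return reachable, evidence


# Constructed sample contexts (documentation IP range, not real infrastructure).
PRIVATE_API = WorkloadContext(
    name="orders-api", state="running", public_subnet=False, public_ip=None,
    public_load_balancer=False,
    ingress=[IngressRule("tcp", 8080, 8080, "10.0.0.0/16")],
)
PUBLIC_WEB = WorkloadContext(
    name="web-frontend", state="running", public_subnet=True, public_ip="203.0.113.10",
    public_load_balancer=False,
    ingress=[IngressRule("tcp", 443, 443, "0.0.0.0/0"),
             IngressRule("tcp", 443, 443, "::/0"),
             IngressRule("tcp", 22, 22, "10.0.0.0/8")],
)
STOPPED_WEB = replace(PUBLIC_WEB, state="stopped")

if __name__ == "__main__":
    for ctx, port in ((PRIVATE_API, 8080), (PUBLIC_WEB, 443), (PUBLIC_WEB, 22), (STOPPED_WEB, 443)):
        print(assess_reachability(ctx, port)[1])
```

The model errs on the side of reporting reachability: a public load balancer is treated as an entry point even though, in practice, the instance's security group usually admits only the load balancer's security group, so a real verdict would also follow that second hop.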

Connecting Multiple AWS Accounts

AWS Cloud supports multiple connections, allowing you to monitor several AWS organizations or accounts from a single Backline workspace.
1. Open Integration Details
Go to the AWS Cloud integration card in the Integration Hub and click Configure to open the integration details.

2. Add Connection
At the bottom of the integration details, click the Add Connection button.

3. Enter New Account Credentials
Provide the Account ID, External ID, Role ARN and Regions for the additional AWS account or organization.

4. Save
Click Save to add the new connection. It will appear in the connections list alongside your existing accounts.
All connected AWS accounts are displayed in the integration details page, identified by their Account ID.

EKS Access Configuration

This step is required only if you have EKS clusters and want Backline to read Kubernetes resources (pods, deployments, services, etc.).
The IAM policy grants permission to call the EKS API, but Kubernetes has its own authorization layer (RBAC). To allow Backline to read Kubernetes resources, you must create an EKS Access Entry for each cluster.

Why This Is Needed

AWS EKS uses two layers of authorization:
  1. IAM permissions - Controls access to AWS EKS APIs (handled by the CloudFormation stack)
  2. Kubernetes RBAC - Controls access to Kubernetes resources within the cluster
The Access Entry bridges these two layers, granting the Backline IAM role permission to read Kubernetes resources.

Configure EKS Access

Run the following script to configure access for all EKS clusters in your AWS account. Replace <YOUR_BACKLINE_ROLE_ARN> with the Role ARN from your CloudFormation stack outputs.
#!/bin/bash
# EKS Access Entry Setup Script
# This script grants Kubernetes read access to all EKS clusters in the current region

ROLE_ARN="<YOUR_BACKLINE_ROLE_ARN>"

for CLUSTER in $(aws eks list-clusters --query 'clusters[*]' --output text); do
  echo "Configuring access for cluster: $CLUSTER"
  
  # Create access entry for the Backline role
  aws eks create-access-entry \
    --cluster-name "$CLUSTER" \
    --principal-arn "$ROLE_ARN" \
    --type STANDARD
  
  # Associate the EKS view policy for read-only access
  aws eks associate-access-policy \
    --cluster-name "$CLUSTER" \
    --principal-arn "$ROLE_ARN" \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy \
    --access-scope type=cluster
  
  echo "Done: $CLUSTER"
done
To configure access across multiple regions, run the script in each region or wrap it in a loop over your desired regions.

Configure a Single Cluster

To configure access for a specific cluster instead of all clusters:
ROLE_ARN="<YOUR_BACKLINE_ROLE_ARN>"
CLUSTER_NAME="<YOUR_CLUSTER_NAME>"

aws eks create-access-entry \
  --cluster-name "$CLUSTER_NAME" \
  --principal-arn "$ROLE_ARN" \
  --type STANDARD

aws eks associate-access-policy \
  --cluster-name "$CLUSTER_NAME" \
  --principal-arn "$ROLE_ARN" \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy \
  --access-scope type=cluster

Adding New EKS Clusters

When you create new EKS clusters, run the access entry commands again to grant Backline access to the new clusters.

Troubleshooting EKS Access

If Backline cannot read Kubernetes resources from your EKS clusters:
  1. Verify access entry exists:
    aws eks list-access-entries --cluster-name <CLUSTER_NAME>
    
  2. Check associated policies:
    aws eks list-associated-access-policies \
      --cluster-name <CLUSTER_NAME> \
      --principal-arn <ROLE_ARN>
    
  3. Verify the policy is AmazonEKSViewPolicy with cluster scope.
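Steps 1 to 3 of the troubleshooting list can be checked mechanically once the two CLI outputs are captured as JSON. The following added example (not Backline's code) takes the parsed output of `aws eks list-access-entries --output json` and `aws eks list-associated-access-policies --output json`, confirms that the role has an access entry with AmazonEKSViewPolicy at cluster scope, and flags any broader policy association since the integration only needs read access. The output shapes are assumed from the CLI's JSON output, and the role ARN and cluster names are constructed placeholders.

```python
EKS_VIEW_POLICY_ARN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

# Constructed placeholder, not a real role ARN.
ROLE_ARN = "arn:aws:iam::123456789012:role/BacklineCloudIntegrationRole"


def check_eks_access(role_arn, access_entries, associated_policies):
    """Return findings for one cluster; an empty list means access is configured as documented.

    access_entries:       parsed JSON from `aws eks list-access-entries --cluster-name <C>`
    associated_policies:  parsed JSON from `aws eks list-associated-access-policies
                          --cluster-name <C> --principal-arn <ROLE_ARN>`
    """
    if role_arn not in access_entries.get("accessEntries", []):
        # Without an entry, no policy can be associated, so stop here.
        return [f"no access entry for {role_arn}: run `aws eks create-access-entry` for this cluster"]

    policies = associated_policies.get("associatedAccessPolicies", [])
    view_scopes = [p.get("accessScope", {}).get("type")
                   for p in policies if p.get("policyArn") == EKS_VIEW_POLICY_ARN]
    findings = []
    if not view_scopes:
        findings.append("AmazonEKSViewPolicy is not associated: run `aws eks associate-access-policy`")
    elif "cluster" not in view_scopes:
        findings.append(f"AmazonEKSViewPolicy is associated with scope {view_scopes}, not cluster scope; "
                        "only the listed namespaces would be visible")

    # Least privilege: the integration is read-only, so anything beyond the view policy is excess.
    extra = sorted({p["policyArn"] for p in policies if p.get("policyArn") != EKS_VIEW_POLICY_ARN})
    if extra:
        findings.append(f"policies beyond read-only are associated: {extra}")
    return findings


def audit_clusters(role_arn, clusters):
    """clusters: {cluster_name: (access_entries_json, associated_policies_json)} gathered per region."""
    return {name: check_eks_access(role_arn, entries, policies)
            for name, (entries, policies) in clusters.items()}


# Constructed sample CLI outputs (assumed shape).
GOOD_ENTRIES = {"accessEntries": [ROLE_ARN, "arn:aws:iam::123456789012:role/eks-node-role"]}
GOOD_POLICIES = {
    "clusterName": "prod-a", "principalArn": ROLE_ARN,
    "associatedAccessPolicies": [
        {"policyArn": EKS_VIEW_POLICY_ARN, "accessScope": {"type": "cluster", "namespaces": []}},
    ],
}
NAMESPACE_SCOPED_POLICIES = {
    "clusterName": "prod-b", "principalArn": ROLE_ARN,
    "associatedAccessPolicies": [
        {"policyArn": EKS_VIEW_POLICY_ARN, "accessScope": {"type": "namespace", "namespaces": ["default"]}},
    ],
}
ADMIN_POLICIES = {
    "clusterName": "prod-c", "principalArn": ROLE_ARN,
    "associatedAccessPolicies": [
        {"policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
         "accessScope": {"type": "cluster", "namespaces": []}},
    ],
}

if __name__ == "__main__":
    report = audit_clusters(ROLE_ARN, {
        "prod-a": (GOOD_ENTRIES, GOOD_POLICIES),
        "prod-b": (GOOD_ENTRIES, NAMESPACE_SCOPED_POLICIES),
        "prod-c": (GOOD_ENTRIES, ADMIN_POLICIES),
        "prod-d": ({"accessEntries": []}, {"associatedAccessPolicies": []}),
    })
    for cluster, findings in report.items():
        print(cluster, findings or "OK")
```

To run it against real clusters, collect the two commands' `--output json` results for every cluster returned by `aws eks list-clusters` in each region and pass them to `audit_clusters`; a non-empty finding list for a cluster points at which of the three troubleshooting steps failed.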