# AWS Cloud Integration

> Connect your AWS Organization to Backline for cloud-aware exploitability analysis

## Overview

Connect your AWS Organization so Backline can securely pull cloud context for richer risk analysis and smarter remediation.

By integrating with AWS, Backline gains visibility into your runtime environment — including network exposure, security groups, and deployment topology — to determine whether a vulnerability is actually exploitable in your specific infrastructure. This moves security prioritization from theoretical severity (CVSS scores) to **contextual exploitability**.

## What You Can Do

With the AWS Cloud integration, Backline can:

* Assess whether vulnerabilities are **actually exploitable** in your AWS environment
* Analyze network exposure, security groups, and subnet configurations to determine reachability
* Identify whether vulnerable workloads are running, stopped, or isolated
* Provide evidence-backed exploitability verdicts with cloud context (e.g., "Service is in a private subnet with no public IP")
* Monitor EC2, ECS, EKS, and Lambda workloads for runtime security context
* Support multiple AWS accounts and organizations from a single Backline workspace

## Prerequisites

Before connecting AWS Cloud, ensure you have:

* An AWS account with appropriate IAM permissions
* Permissions to deploy CloudFormation stacks (requires IAM role creation)
* Your 12-digit AWS Account ID

## Connecting AWS Cloud

<Steps>
  <Step title="Go to Integration Hub">
    Navigate to Integrations from the main menu.
  </Step>

  <Step title="Select AWS Cloud">
    Find and click on the AWS Cloud integration card.
  </Step>

  <Step title="Deploy CloudFormation Stack">
    Click the CloudFormation link in Backline or use the direct link below to deploy the integration role in your AWS account:

    [Deploy CloudFormation Stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://backline-integration-templates.s3.amazonaws.com/backline-aws-cloud-integration-role.yaml\&stackName=BacklineCloudIntegration)

    The stack creates an IAM Role in your account with:

    * Backline's AWS Account as the trusted principal
    * Your tenant-specific External ID in the trust policy
    * Read-only permissions for security context collection
  </Step>

  <Step title="Get Stack Outputs">
    After the stack completes, go to the **Outputs** tab and copy the **Role ARN**.
  </Step>

  <Step title="Enter Connection Details">
    In Backline, enter:

    * **Account ID**: Your 12-digit AWS Account ID
    * **External ID**: The pre-generated External ID shown in the setup screen
    * **Role ARN**: The ARN from the CloudFormation outputs
    * **Regions**: One or more AWS regions you want Backline to scan for cloud context
  </Step>

  <Step title="Connect">
    Click **Connect** to validate and save the connection. Backline will verify it can assume the IAM Role using the provided credentials.
  </Step>
</Steps>
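The trust policy the stack creates (Backline's account as principal, your tenant External ID as an `sts:ExternalId` condition) is what stops a third party from tricking Backline into assuming your role. The following checker is an added example, not Backline's code or template: it inspects a role trust policy document (as returned by `aws iam get-role`) and reports anything weaker than that shape. The account ID and External ID below are constructed placeholders, not Backline's real values.

```python
import json

# Constructed placeholders: substitute the values shown on Backline's setup screen.
BACKLINE_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "tenant-external-id-placeholder"

# Constructed sample of the trust policy shape the stack is described as creating.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{BACKLINE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}


def trust_policy_findings(policy, expected_account, expected_external_id):
    """Return a list of problems found in a role trust policy; an empty list means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # statement does not grant role assumption
        principals = stmt.get("Principal", {})
        aws = principals.get("AWS", []) if isinstance(principals, dict) else principals
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("principal is '*': any AWS account may assume the role")
            elif f":{expected_account}:" not in p:
                findings.append(f"unexpected principal {p}")
        # Without the External ID condition the role is open to the confused-deputy problem
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match this tenant's External ID")
    return findings


if __name__ == "__main__":
    # Pipe `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` to stdin
    import sys
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else TRUST_POLICY
    print(trust_policy_findings(doc, BACKLINE_ACCOUNT_ID, EXTERNAL_ID) or "trust policy OK")
```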

## Alternative: Deploy via CloudFormation StackSet

If you need to deploy the IAM Role across multiple accounts in your AWS Organization, use a CloudFormation StackSet instead of a single stack.

<Steps>
  <Step title="Create the StackSet">
    In the AWS Console, navigate to **CloudFormation → StackSets** and create a new StackSet using the template URL:

    ```
    https://backline-integration-templates.s3.amazonaws.com/backline-cloud-integration-role.yaml
    ```

    Deploy the StackSet to your target accounts and regions.
  </Step>

  <Step title="Get Stack Outputs">
    Once the StackSet deployment completes, navigate to the **Stack instances** tab, select a stack instance, and open its **Outputs** tab. Copy the **Role ARN** value.
  </Step>

  <Step title="Complete Integration in Backline">
    Return to the [Enter Connection Details](#enter-connection-details) step above and enter your Account ID, External ID, Role ARN, and Regions.
  </Step>
</Steps>

## After Connection

Once connected, Backline begins collecting cloud context from your AWS environment, including:

* **Network topology**: VPC, subnet, public/private exposure, load balancers
* **Security groups**: Inbound/outbound rules, public accessibility
* **Runtime state**: Whether workloads are running, stopped, or unknown
* **Service configuration**: Authentication requirements, exposed ports

This context is used to evaluate exploitability for every vulnerability detected in your environment, producing evidence-backed verdicts such as:

> *"This vulnerability is not exploitable because the affected service is not reachable from the internet. The workload runs in a private VPC subnet, has no public IP or public load balancer, and is protected by a security group that blocks inbound traffic from 0.0.0.0/0."*

## Connecting Multiple AWS Accounts

AWS Cloud supports multiple connections, allowing you to monitor several AWS organizations or accounts from a single Backline workspace.

<Steps>
  <Step title="Open Integration Details">
    Go to the AWS Cloud integration card in the Integration Hub and click **Configure** to open the integration details.
  </Step>

  <Step title="Add Connection">
    At the bottom of the integration details, click the **Add Connection** button.
  </Step>

  <Step title="Enter New Account Credentials">
    Provide the Account ID, External ID, Role ARN and Regions for the additional AWS account or organization.
  </Step>

  <Step title="Save">
    Click **Save** to add the new connection. It will appear in the connections list alongside your existing accounts.
  </Step>
</Steps>

All connected AWS accounts are displayed in the integration details page, identified by their Account ID.

## EKS Access Configuration

<Note>
  This step is required only if you have EKS clusters and want Backline to read Kubernetes resources (pods, deployments, services, etc.).
</Note>

The IAM policy grants permission to call the EKS API, but Kubernetes has its own authorization layer (RBAC). To allow Backline to read Kubernetes resources, you must create an **EKS Access Entry** for each cluster.

### Why This Is Needed

AWS EKS uses two layers of authorization:

1. **IAM permissions** - Controls access to AWS EKS APIs (handled by the CloudFormation stack)
2. **Kubernetes RBAC** - Controls access to Kubernetes resources within the cluster

The Access Entry bridges these two layers, granting the Backline IAM role permission to read Kubernetes resources.

### Configure EKS Access

Run the following script to configure access for all EKS clusters in your AWS account. Replace `<YOUR_BACKLINE_ROLE_ARN>` with the Role ARN from your CloudFormation stack outputs.

```bash theme={null}
#!/bin/bash
# EKS Access Entry Setup Script
# This script grants Kubernetes read access to all EKS clusters in the current region
set -u

ROLE_ARN="<YOUR_BACKLINE_ROLE_ARN>"

# Refuse to run while the placeholder is still in place
case "$ROLE_ARN" in
  arn:aws*:iam::*) ;;
  *) echo "Set ROLE_ARN to the Role ARN from the CloudFormation stack outputs" >&2; exit 1 ;;
esac

for CLUSTER in $(aws eks list-clusters --query 'clusters[*]' --output text); do
  echo "Configuring access for cluster: $CLUSTER"

  # Create access entry for the Backline role
  # (this call fails if an entry for the role already exists, which is harmless;
  #  the associate-access-policy call below can be re-run safely)
  aws eks create-access-entry \
    --cluster-name "$CLUSTER" \
    --principal-arn "$ROLE_ARN" \
    --type STANDARD

  # Associate the EKS view policy for read-only access
  aws eks associate-access-policy \
    --cluster-name "$CLUSTER" \
    --principal-arn "$ROLE_ARN" \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy \
    --access-scope type=cluster

  echo "Done: $CLUSTER"
done
```

<Tip>
  To configure access across multiple regions, run the script in each region or wrap it in a loop over your desired regions.
</Tip>

### Configure a Single Cluster

To configure access for a specific cluster instead of all clusters:

```bash theme={null}
ROLE_ARN="<YOUR_BACKLINE_ROLE_ARN>"
CLUSTER_NAME="<YOUR_CLUSTER_NAME>"

aws eks create-access-entry \
  --cluster-name "$CLUSTER_NAME" \
  --principal-arn "$ROLE_ARN" \
  --type STANDARD

aws eks associate-access-policy \
  --cluster-name "$CLUSTER_NAME" \
  --principal-arn "$ROLE_ARN" \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy \
  --access-scope type=cluster
```

### Adding New EKS Clusters

When you create new EKS clusters, run the access entry commands again to grant Backline access to the new clusters.

### Troubleshooting EKS Access

If Backline cannot read Kubernetes resources from your EKS clusters:

1. **Verify access entry exists**:
   ```bash theme={null}
   aws eks list-access-entries --cluster-name <CLUSTER_NAME>
   ```

2. **Check associated policies**:
   ```bash theme={null}
   aws eks list-associated-access-policies \
     --cluster-name <CLUSTER_NAME> \
     --principal-arn <ROLE_ARN>
   ```

3. **Verify the policy is AmazonEKSViewPolicy** with cluster scope.
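Steps 2 and 3 above can be checked mechanically. The function below is an added example, not part of the Backline docs: it takes the JSON printed by `aws eks list-associated-access-policies` and reports whether AmazonEKSViewPolicy is associated with the expected role at cluster scope, distinguishing the common failure where the policy was attached with a namespace scope. The cluster name and role ARN in the sample are constructed placeholders.

```python
import json

VIEW_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

# Constructed sample modelled on the CLI output shape; here the policy was
# associated with namespace scope, which is not what Backline needs.
SAMPLE_OUTPUT = json.dumps({
    "clusterName": "prod-cluster",
    "principalArn": "arn:aws:iam::123456789012:role/BacklineCloudIntegrationRole",
    "associatedAccessPolicies": [
        {"policyArn": VIEW_POLICY,
         "accessScope": {"type": "namespace", "namespaces": ["default"]}},
    ],
})


def check_view_access(cli_json, expected_role_arn):
    """Return "ok" or a one-line explanation of why Backline cannot read the cluster."""
    data = json.loads(cli_json)
    if data.get("principalArn") != expected_role_arn:
        return "principal ARN does not match the Backline Role ARN"
    for assoc in data.get("associatedAccessPolicies", []):
        if assoc.get("policyArn") != VIEW_POLICY:
            continue  # some other policy; keep looking for the view policy
        scope = assoc.get("accessScope", {})
        if scope.get("type") == "cluster":
            return "ok"
        return (f"AmazonEKSViewPolicy is namespace-scoped ({scope.get('namespaces')}); "
                "re-run associate-access-policy with --access-scope type=cluster")
    return "AmazonEKSViewPolicy not associated"


if __name__ == "__main__":
    # Pipe the CLI output to stdin; with no stdin the constructed sample is checked.
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(check_view_access(raw, "arn:aws:iam::123456789012:role/BacklineCloudIntegrationRole"))
```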
