Creating an IAM user within AWS
In order to establish a connection between the OneClickComply platform and your AWS environment, we require the use of an IAM (Identity and Access Management) user with read-only permissions. This guide has been designed to walk you through the process of creating a new IAM user and assigning the correct permissions in order to connect the two platforms.
Note: There are multiple IAM User areas within AWS. Please ensure you follow the guide below carefully, otherwise you may set up your AWS account incorrectly, delaying integration.
- From your AWS dashboard, type 'IAM' into the search bar
- Select Users from the Access Management dropdown on the left-hand side
- From here, please select Create User. (You may use a pre-existing account for this process, however we would recommend creating a new IAM user to make tracking and troubleshooting easier.)
- Add a memorable name for this account. We suggest something such as 'OneClickComply AWS Connection.'
- Once named, click the Next button to move to the Permissions page. (If you chose to use a pre-existing IAM user, go to the account, click the Permissions tab, then Add Permissions, and then Add Permissions again.)
- Select Attach policies directly.
- Change the 'Filter by Type' to AWS managed - job function.
- Type 'Read' into the search box and tick ReadOnlyAccess.
- Next, search for Security, and tick SecurityAudit.
- Click Next.
- Once on the Review and create screen, please ensure that you have selected the correct permissions before continuing.
- Select Create User
- Once the user has been successfully created (or you have assigned the correct permissions to the pre-existing account), select the user again.
- Back in the user screen, click the Add Permissions dropdown (located inside of the Permissions tab in the middle of the page) and select Create Inline Policy.
- Click the JSON button within the Policy Editor area.
- Delete the current contents of the JSON editor, and paste in the content below. Note: Please ensure that the formatting is also carried over. Incorrect formatting may lead to permissions being applied incorrectly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:BatchImportFindings",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wellarchitected:List*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowMoreReadOnly"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ],
      "Sid": "AllowAPIGatewayReadOnly"
    }
  ]
}
- Click Next.
- Now assign a name to this new policy. We recommend using a recognisable name that is easily identifiable for administrators so that it is not accidentally deleted. In the example below we have used the name OneClickComply-ReadOnly.
- Scroll down the page and select Create Policy.
- Your IAM user should now look like the following:
After your IAM user account has been successfully created and granted the correct permissions, your AWS account can now be connected to the OneClickComply platform. You may now move on to the second support article for connecting AWS (Amazon Web Services Integration Guide), located here.
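The following is an added example, not OneClickComply's own code: a check to run on the inline policy text before pasting it into the JSON editor. It confirms the text parses as JSON and lists every Allow action whose name does not start with a read-style verb, so an administrator can review it. The prefix list, the function name review_policy and the shortened sample policy are assumptions of this example.

```python
import json

# Prefixes treated as read-only: a naming heuristic assumed by this example,
# not AWS's own access-level classification.
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Search", "Filter")

# Constructed sample: a shortened excerpt of the inline policy in this guide.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowMoreReadOnly", "Effect": "Allow", "Resource": "*",
     "Action": ["account:Get*", "logs:FilterLogEvents",
                "securityhub:BatchImportFindings", "securityhub:GetFindings"]},
    {"Sid": "AllowAPIGatewayReadOnly", "Effect": "Allow",
     "Action": ["apigateway:GET"],
     "Resource": ["arn:*:apigateway:*::/restapis/*"]}
  ]
}"""

def review_policy(text):
    """Return (Sid, action) pairs for Allow actions that do not look read-only."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: formatting lost on paste (smart quotes, trailing comma).
        raise ValueError(f"policy is not valid JSON: {exc}") from exc
    if not isinstance(policy, dict) or "Statement" not in policy:
        raise ValueError("policy has no Statement element")
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        for action in actions:
            name = action.partition(":")[2]
            # API Gateway actions are HTTP verbs; GET is its read action.
            if action == "apigateway:GET" or name.startswith(READ_PREFIXES):
                continue
            flagged.append((stmt.get("Sid", ""), action))
    return flagged

if __name__ == "__main__":
    for sid, action in review_policy(SAMPLE_POLICY):
        print(f"{sid}: review {action}")
```

Run against the full policy from this guide, the check reports one action, securityhub:BatchImportFindings, which imports findings into Security Hub rather than reading them.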
Updated on: 21/08/2025