Creating an IAM user within AWS
In order to establish a connection between the OneClickComply platform and your AWS environment, we require the use of an IAM (Identity and Access Management) user with read-only permissions. This guide has been designed to walk you through the process of creating a new IAM user and assigning the correct permissions in order to connect the two platforms.
Note: AWS has more than one place where users are managed. Please follow the steps below carefully; working in the wrong area will leave your AWS account configured incorrectly and delay the integration.
From the AWS Management Console, type IAM into the search bar and open the IAM service.
Once there, select Users under the Access management section on the left-hand side.
From here, either select the existing user you wish to use for this process, or choose Create user. (We recommend creating a new, dedicated user so that its activity is easy to track and attribute.)
Once created, click Next to move on to the Set permissions page. (For an existing IAM user, open that user, click the Permissions tab, open the Add permissions drop-down, then choose Add permissions.)
Click 'Attach policies directly'
Change the Filter by Type to AWS managed – job function
Search for ‘Read’ and tick ReadOnlyAccess

Search for Security and tick SecurityAudit

Click Next

Confirm you have selected the correct permissions, click Add permissions.
Back in the user screen, click Add permissions, then Create inline policy.

A policy editor will open; click the JSON button.
Delete the contents of the editor and paste in the policy document below. Note: copy the whole document exactly as shown. If the JSON is malformed the editor will refuse to save the policy, and a partially pasted document grants a different set of permissions from the one intended. Also note that every action in this document is a read-style action except securityhub:BatchImportFindings, which is a write action (it creates or updates findings in Security Hub); it is included here because the platform needs it, so be aware of it when reviewing the user's permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:BatchImportFindings",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wellarchitected:List*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowMoreReadOnly"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ],
      "Sid": "AllowAPIGatewayReadOnly"
    }
  ]
}
Click Next
Now assign a name to the policy. We recommend a name that administrators will recognise, so that the policy is not deleted by accident. This guide uses the name OneClickComply-ReadOnly.

Scroll down and click Create policy
The Permissions tab of your IAM user should now list ReadOnlyAccess and SecurityAudit (attached directly) together with the OneClickComply-ReadOnly inline policy.

After your IAM user has been created and granted the correct permissions, your AWS account can be connected to the OneClickComply platform. You may now move on to the second support article for connecting AWS (Amazon Web Services Integration Guide).
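The following script is an added example, not part of this guide or of OneClickComply's own tooling. It reproduces the console steps above as AWS CLI commands (create the user, attach the two AWS managed job-function policies, add the inline policy, then read back what was applied) and runs a simple review check over the inline policy to report any action whose verb is not a read-style verb. The user name oneclickcomply-scanner and the list of read-only verb prefixes are assumptions made for this example; the managed-policy ARNs are AWS's own, and the inline policy is the one shown in this guide.

```python
"""Scripted equivalent of the console steps, plus a review check on the inline policy.

Added example, not OneClickComply code. The user name passed in is an assumption;
the managed-policy ARNs are AWS's, and INLINE_POLICY is the document from the guide.
"""
import json
import shlex

MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
]

# The guide's inline policy, embedded verbatim so this runs offline.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMoreReadOnly",
            "Effect": "Allow",
            "Action": [
                "account:Get*", "appstream:Describe*", "appstream:List*", "backup:List*",
                "backup:Get*", "bedrock:List*", "bedrock:Get*", "cloudtrail:GetInsightSelectors",
                "codeartifact:List*", "codebuild:BatchGet*", "codebuild:ListReportGroups",
                "cognito-idp:GetUserPoolMfaConfig", "dlm:Get*", "drs:Describe*", "ds:Get*",
                "ds:Describe*", "ds:List*", "dynamodb:GetResourcePolicy",
                "ec2:GetEbsEncryptionByDefault", "ec2:GetSnapshotBlockPublicAccessState",
                "ec2:GetInstanceMetadataDefaults", "ecr:Describe*",
                "ecr:GetRegistryScanningConfiguration", "elasticfilesystem:DescribeBackupPolicy",
                "glue:GetConnections", "glue:GetSecurityConfiguration*", "glue:SearchTables",
                "glue:GetMLTransforms", "lambda:GetFunction*", "logs:FilterLogEvents",
                "lightsail:GetRelationalDatabases", "macie2:GetMacieSession",
                "macie2:GetAutomatedDiscoveryConfiguration", "s3:GetAccountPublicAccessBlock",
                "shield:DescribeProtection", "shield:GetSubscriptionState",
                "securityhub:BatchImportFindings", "securityhub:GetFindings",
                "servicecatalog:Describe*", "servicecatalog:List*", "ssm:GetDocument",
                "ssm-incidents:List*", "states:ListTagsForResource", "support:Describe*",
                "tag:GetTagKeys", "wellarchitected:List*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowAPIGatewayReadOnly",
            "Effect": "Allow",
            "Action": ["apigateway:GET"],
            "Resource": ["arn:*:apigateway:*::/restapis/*", "arn:*:apigateway:*::/apis/*"],
        },
    ],
}

# Review heuristic (an assumption for this example, not an AWS-published list): an action
# is treated as read-only when its verb starts with one of these prefixes. Anything else
# is reported so a reviewer can check its access level in the service authorization
# reference before granting it.
READ_VERBS = ("Get", "List", "Describe", "BatchGet", "Search", "Filter", "GET")


def non_read_only_actions(policy):
    """Return the Allow actions in `policy` whose verb is not a recognised read verb."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_VERBS):
                flagged.append(action)
    return flagged


def cli_commands(user_name, policy_name, policy):
    """AWS CLI commands reproducing the console steps, followed by two read-back
    commands that let you confirm exactly what was applied to the user."""
    doc = shlex.quote(json.dumps(policy, separators=(",", ":")))
    cmds = [f"aws iam create-user --user-name {user_name}"]
    cmds += [f"aws iam attach-user-policy --user-name {user_name} --policy-arn {arn}"
             for arn in MANAGED_POLICY_ARNS]
    cmds.append(f"aws iam put-user-policy --user-name {user_name} "
                f"--policy-name {policy_name} --policy-document {doc}")
    cmds.append(f"aws iam list-attached-user-policies --user-name {user_name}")
    cmds.append(f"aws iam get-user-policy --user-name {user_name} --policy-name {policy_name}")
    return cmds


def policy_from_command(put_user_policy_cmd):
    """Parse the --policy-document argument back out of a put-user-policy command line."""
    argv = shlex.split(put_user_policy_cmd)
    return json.loads(argv[argv.index("--policy-document") + 1])


if __name__ == "__main__":
    for action in non_read_only_actions(INLINE_POLICY):
        print(f"review: {action} is not a read-style action")
    for cmd in cli_commands("oneclickcomply-scanner", "OneClickComply-ReadOnly", INLINE_POLICY):
        print(cmd)
```

Run it and paste the printed commands into a shell that has IAM administrator credentials. The review check reports only securityhub:BatchImportFindings, which matches the one write action in the guide's policy; the final two commands let you confirm that exactly two managed policies are attached and that the stored inline document equals the one you intended.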
Updated on: 16/04/2025