---
title: "Setting Permissions"
slug: "aws-setting-permissions"
updated: 2026-05-07T00:07:09Z
published: 2026-05-07T00:07:09Z
canonical: "help.nucleussec.com/aws-setting-permissions"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Setting Permissions

The AWS connector enables you to ingest data from multiple AWS accounts and services through a single connector by using cross-account roles. This is considered best practice when providing third parties (such as Nucleus) access to your organization's AWS accounts and resources. Additional information about granting third parties access to your AWS resources can be found in [the AWS customer documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html).

Warning

We may periodically update this page as new functionality is added to this connector. Such updates may require changes to the cross-account role you have already deployed, so re-check the permissions table and example template after connector updates.

## Set up cross-account roles

Note

A cross-account role must exist in every AWS account that contains services you intend to ingest from. Steps 1 to 5 below obtain the Nucleus-specific values the role's trust policy needs; step 6 creates the role itself. Repeat step 6 for each AWS account.

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Integration Hub**, select **Connector Setup**.
3. Select **Amazon Web Services**.  
![aws-connector-icon.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-icon.png)
4. Locate the **Notes** area in the **Authentication** section.
5. Make a note of the **AWS External ID** and **AWS Account** values. These values are unique to your Nucleus project and you will use them later when setting up the cross-account role in AWS.  
![aws-connector-authentication-section.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-authentication-section.png)
6. Follow [the instructions provided by Amazon for setting up cross-account roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html). When creating the role:
  - Set the **AWS External ID** obtained from Nucleus as the value of the **`sts:ExternalId`** condition in the role's trust policy. This is what stops another Nucleus tenant (or any other party using the Nucleus account) from assuming your role, so never omit it.
  - Set the **AWS Account** obtained from Nucleus as the **AWS Principal** in the role's trust policy, so that only the Nucleus account can assume the role.
  - Attach the permissions Nucleus needs to access and ingest data from your AWS account(s) as inline or managed policies.

The following IAM permissions are required for each service:

| Service | Permissions |
| --- | --- |
| All services | `iam:ListAccountAliases` |
| Amazon EC2 | `ec2:DescribeInstances`, `ec2:DescribeInstanceStatus`, `ec2:DescribeTags` |
| Amazon ECR | Managed Policy `AmazonEC2ContainerRegistryReadOnly` |
| Amazon Inspector 2 | Managed Policies `AmazonInspector2ReadOnlyAccess` and `AWSSecurityHubReadOnlyAccess` |
| Amazon Inspector Classic | Managed Policy `AmazonInspectorReadOnlyAccess` |
| Amazon S3 | Managed Policy `AmazonS3FullAccess` (only needed for the [S3 Data Export](https://help.nucleussec.com/docs/s3-data-upload) functionality) |

## Example template

The following example CloudFormation template can be deployed to each AWS account to grant access to all currently supported services (excluding [S3 file upload](/v1/docs/s3-data-upload)).

Warning

When using the template below, replace `ACCOUNT_ID_FROM_NUCLEUS` and `EXTERNAL_ID_FROM_NUCLEUS_PROJECT` with the relevant **AWS Account** and **AWS External ID** values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  NucleusAWSIntegrationRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "NucleusAWSConnectorRole"
      Description: "Role used by a Nucleus Project connector to ingest asset and scan data."
      # Trust policy: only the Nucleus AWS account may assume this role, and only
      # when it presents the external ID shown in your Nucleus project.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::ACCOUNT_ID_FROM_NUCLEUS:root"
            Action:
              - "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": "EXTERNAL_ID_FROM_NUCLEUS_PROJECT"
      # Inline read-only permissions for account aliases and EC2 inventory.
      Policies:
        - PolicyName: "NucleusAWSConnectorPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "iam:ListAccountAliases"
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeInstanceStatus"
                  - "ec2:DescribeTags"
                Resource: "*"
      # AWS managed read-only policies for the scanner and registry services
      # listed in the permissions table above (Inspector Classic, Inspector 2,
      # ECR and Security Hub).
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AmazonInspector2ReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"
```

Note

Because the template creates an IAM role with a fixed `RoleName`, deploying it requires acknowledging the `CAPABILITY_NAMED_IAM` capability. For large organizations with many AWS accounts, it is recommended that AWS CloudFormation StackSets are used to deploy and manage the above IAM role at scale.
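Before deploying the role across many accounts it is worth checking, in code, that the trust policy really does pin the principal to the Nucleus account and require the external ID, and that the inline permissions stay read-only. The following Python script is an added example and is not part of the Nucleus documentation or tooling; the account ID, external ID and policy documents in it are constructed placeholders that mirror the template above, and in practice you would feed it the `AssumeRolePolicyDocument` and policy documents from your own template or from `aws iam get-role`.

```python
"""Pre-deployment check for a Nucleus-style cross-account role.

Added example, not part of the Nucleus documentation or tooling. It inspects a
role definition (trust policy plus permissions policy, as plain dicts) for the
two properties that make a third-party cross-account role safe:
  1. sts:AssumeRole is allowed only from the expected AWS account and only when
     the expected sts:ExternalId is presented (confused-deputy protection).
  2. The inline permissions grant only read-style (Describe/List/Get) actions.
"""
import json
import re

# Constructed placeholder values; in practice use the AWS Account and AWS
# External ID shown in the Authentication section of your Nucleus project.
NUCLEUS_ACCOUNT = "111122223333"
NUCLEUS_EXTERNAL_ID = "nucleus-project-external-id-example"

# Action names that read but never change state.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|List|Get|BatchGet)[A-Za-z0-9]*$")

# Constructed trust policy matching the CloudFormation template above.
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
    "Action": ["sts:AssumeRole"],
    "Condition": {"StringEquals": {"sts:ExternalId": "nucleus-project-external-id-example"}}
  }]
}
""")

# Constructed inline permissions policy matching the template's inline policy.
GOOD_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListAccountAliases", "ec2:DescribeInstances",
                   "ec2:DescribeInstanceStatus", "ec2:DescribeTags"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, account_id, external_id):
    """Return problems found in a trust policy; an empty list means it is safe."""
    findings = []
    expected = f"arn:aws:iam::{account_id}:root"
    assume_statements = 0
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        assume_statements += 1
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if principals != [expected]:
            findings.append(f"statement {i}: principal {principals} is not exactly [{expected}]")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext!r} does not match the Nucleus value")
    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole; Nucleus could not assume the role")
    return findings


def non_read_only_actions(policy_document):
    """Return every allowed action that is not a Describe/List/Get style read."""
    offending = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        offending.extend(a for a in _as_list(stmt.get("Action")) if not READ_ONLY_ACTION.match(a))
    return offending


def check_role(trust_policy, permissions_policy, account_id, external_id):
    """Run both checks; returns (ok, list_of_findings)."""
    findings = trust_policy_findings(trust_policy, account_id, external_id)
    findings += [f"non-read-only action granted: {a}" for a in non_read_only_actions(permissions_policy)]
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_role(GOOD_TRUST_POLICY, GOOD_PERMISSIONS_POLICY,
                              NUCLEUS_ACCOUNT, NUCLEUS_EXTERNAL_ID)
    print("OK" if ok else "\n".join(findings))
    # The same trust policy with the ExternalId condition removed is the classic
    # confused-deputy misconfiguration for third-party roles; it must be flagged.
    weakened = json.loads(json.dumps(GOOD_TRUST_POLICY))
    del weakened["Statement"][0]["Condition"]
    print(trust_policy_findings(weakened, NUCLEUS_ACCOUNT, NUCLEUS_EXTERNAL_ID))
```

The trust-policy check is deliberately strict: a principal of `*`, an extra principal, or any `Allow` statement for `sts:AssumeRole` without the `sts:ExternalId` condition is reported, because any of these lets a party other than your Nucleus project assume the role. The managed policies attached via `ManagedPolicyArns` are AWS-maintained read-only policies and are not inspected here; only the inline policy you author is checked for write-capable actions.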

## Next steps

After setting up permissions, proceed with [setting up instance synchronization](/v1/docs/aws-instance-sync).
