Overview
Amazon Web Services (AWS) is the world’s leading cloud platform, offering over 200 services across compute, storage, databases, networking, machine learning, and security. DSALTA provides deep integration with AWS to monitor IAM configuration, infrastructure security, encryption, backups, logging, and network exposure across your entire AWS environment.

Read-only access. DSALTA never modifies, creates, or deletes resources in your Amazon Web Services (AWS) environment. All API access is strictly read-only.
Integration Details
| Property | Value |
|---|---|
| Category | Cloud Infrastructure |
| Data Library Modules | Access, Inventory, Vulnerabilities, Incidents |
| Authentication | IAM Role with read-only policy (SecurityAudit managed policy recommended) |
| Sync Frequency | Every 24 hours (manual sync available) |
| Permissions | Read-only |
What Data DSALTA Collects
When you connect Amazon Web Services (AWS), DSALTA automatically collects the following data on every sync cycle:

- IAM users, roles, groups, and policies
- EC2 instances, RDS databases, S3 buckets
- EBS volumes, EFS/FSx file systems
- ElastiCache, Redshift, DynamoDB clusters
- CloudTrail, GuardDuty, VPC flow logs
- Load balancer and API Gateway configuration
- Encryption and backup settings across all services
- Security group and network ACL rules
Key Use Cases
- Monitor IAM user MFA and credential hygiene
- Detect unencrypted storage and databases
- Verify backup and point-in-time recovery settings
- Monitor infrastructure health (CPU, memory, storage, latency)
- Ensure CloudTrail and GuardDuty are active
- Detect resources exposed to the internet
- Validate S3 bucket access controls and versioning
How to Connect
Navigate to Integrations
Go to Settings → Integrations in your DSALTA dashboard and find Amazon Web Services (AWS) in the catalog.
Authenticate
Follow the on-screen instructions to authenticate with your Amazon Web Services (AWS) account. Admin-level access is required for the initial setup.
Configure Scope
Select which accounts, projects, or resources DSALTA should monitor. You can adjust this later from the integration settings.
Automated Compliance Tests
When you connect Amazon Web Services (AWS), DSALTA automatically generates the following compliance tests. Each test runs every 24 hours and produces pass/fail evidence for your auditor.

| Test | Description |
|---|---|
| AWS access should be removed for offboarded users | Checks that AWS access is revoked for offboarded users. |
| AWS users should have MFA enabled | Checks that all AWS IAM users have MFA enabled. |
| AWS should be on HTTPS | Checks that AWS resources are served over HTTPS. |
| AWS should redirect HTTP to HTTPS | Checks that HTTP traffic is automatically redirected to HTTPS in AWS. |
| AWS CloudTrail should be enabled | Checks that AWS CloudTrail is enabled to log account activity. |
| AWS GuardDuty should be enabled | Checks that AWS GuardDuty is enabled for threat detection. |
| Reported incidents should be closed in GuardDuty | Checks that incidents reported in GuardDuty are closed and resolved. |
| AWS credentials not used in last 90 days should be disabled | Checks that AWS credentials unused for 90+ days are disabled. |
| AWS user access keys should not be older than 90 days | Checks that AWS IAM user access keys are not older than 90 days. |
| AWS root account should have MFA enabled | Checks that the AWS root account has MFA enabled. |
| AWS users should not have attached IAM policies | Checks that AWS users do not have IAM policies attached directly. |
| AWS account password policy should be configured | Checks that an AWS account-level password policy is configured. |
| AWS root account usage should be avoided | Checks that the AWS root account is not being used for routine activity. |
| AWS server access logs should be retained for 90 days | Checks that AWS server access logs are retained for at least 90 days. |
| AWS S3 server access logging should be enabled | Checks that S3 server access logging is enabled for important buckets. |
| AWS groups should have at least one IAM policy | Checks that all AWS IAM groups have at least one policy attached. |
| Infrastructure entities should be classified | Checks that all AWS infrastructure entities are classified by criticality. |
| AWS RDS database free space should be monitored | Checks that AWS RDS free storage space is being monitored. |
| AWS RDS database CPU utilization should be monitored | Checks that AWS RDS CPU utilization is being monitored. |
| AWS RDS database freeable memory should be monitored | Checks that AWS RDS freeable memory is being monitored. |
| AWS RDS database IO utilization should be monitored | Checks that AWS RDS I/O utilization is being monitored. |
| AWS RDS database backup should be enabled | Checks that automated backups are enabled for AWS RDS databases. |
| AWS RDS database storage should be encrypted | Checks that AWS RDS database storage is encrypted at rest. |
| AWS RDS database should be protected from direct internet traffic | Checks that AWS RDS databases are not directly exposed to the internet. |
| AWS ElastiCache CPU utilization should be monitored | Checks that AWS ElastiCache CPU utilization is being monitored. |
| AWS ElastiCache current connections should be monitored | Checks that AWS ElastiCache current connection count is being monitored. |
| AWS ElastiCache freeable memory should be monitored | Checks that AWS ElastiCache freeable memory is being monitored. |
| AWS Redshift cluster backup should be enabled | Checks that automated backups are enabled for AWS Redshift clusters. |
| AWS Redshift cluster should be encrypted | Checks that AWS Redshift clusters are encrypted at rest. |
| AWS Redshift CPU utilization should be monitored | Checks that AWS Redshift CPU utilization is being monitored. |
| AWS Redshift health should be monitored | Checks that AWS Redshift cluster health status is being monitored. |
| AWS EC2 instances should be protected from direct internet traffic | Checks that AWS EC2 instances are not directly exposed to the internet. |
| AWS EC2 instance CPU utilization should be monitored | Checks that AWS EC2 instance CPU utilization is being monitored. |
| AWS EBS volume backup should be enabled | Checks that EBS volume snapshots (backups) are enabled. |
| AWS EBS volumes should be encrypted | Checks that AWS EBS volumes are encrypted at rest. |
| AWS EFS storage backup should be enabled | Checks that AWS EFS storage has backups enabled. |
| AWS FSx File System storage backup should be enabled | Checks that AWS FSx File System has backups enabled. |
| AWS EFS storage should be encrypted | Checks that AWS EFS storage is encrypted at rest. |
| AWS FSx File System storage should be encrypted | Checks that AWS FSx File System storage is encrypted at rest. |
| AWS VPC flow logs should be captured | Checks that VPC flow logs are enabled to capture network traffic. |
| AWS S3 storage buckets should be encrypted | Checks that AWS S3 buckets are encrypted at rest. |
| AWS S3 bucket public access should be blocked | Checks that AWS S3 bucket public access block is enabled. |
| AWS S3 buckets should be versioned | Checks that AWS S3 bucket versioning is enabled. |
| AWS SQS message visibility should be monitored | Checks that AWS SQS message visibility timeout is being monitored. |
| AWS SQS message age should be monitored | Checks that AWS SQS message age is being monitored. |
| AWS Firehose stream throttling should be monitored | Checks that AWS Firehose stream throttling is being monitored. |
| AWS DynamoDB latency should be monitored | Checks that AWS DynamoDB read/write latency is being monitored. |
| AWS DynamoDB point-in-time recovery should be enabled | Checks that AWS DynamoDB point-in-time recovery (PITR) is enabled. |
| AWS DynamoDB should be encrypted | Checks that AWS DynamoDB tables are encrypted at rest. |
| AWS DynamoDB read capacity should be monitored | Checks that AWS DynamoDB read capacity utilization is being monitored. |
| AWS DynamoDB write capacity should be monitored | Checks that AWS DynamoDB write capacity utilization is being monitored. |
| AWS DynamoDB backup should be enabled | Checks that AWS DynamoDB backups are enabled. |
| AWS API Gateway V2 errors should be monitored | Checks that AWS API Gateway V2 errors are being monitored. |
| AWS ECS CPU utilization should be monitored | Checks that AWS ECS CPU utilization is being monitored. |
| AWS ECS memory utilization should be monitored | Checks that AWS ECS memory utilization is being monitored. |
| AWS ECR repositories should be encrypted | Checks that AWS ECR container repositories are encrypted at rest. |
| AWS Elasticsearch cluster free space should be monitored | Checks that AWS Elasticsearch cluster free storage space is being monitored. |
| AWS FSx File System free space should be monitored | Checks that AWS FSx File System free space is being monitored. |
| AWS Elasticsearch cluster CPU utilization should be monitored | Checks that AWS Elasticsearch cluster CPU utilization is being monitored. |
| AWS Elasticsearch cluster health should be monitored | Checks that AWS Elasticsearch cluster health status is being monitored. |
| AWS EBS health should be monitored | Checks that AWS EBS volume health status is being monitored. |
| AWS load balancer errors should be monitored | Checks that AWS load balancer error rates are being monitored. |
| AWS load balancer latency should be monitored | Checks that AWS load balancer latency is being monitored. |
| AWS classic load balancer errors should be monitored | Checks that AWS classic load balancer error rates are being monitored. |
| AWS classic load balancer latency should be monitored | Checks that AWS classic load balancer latency is being monitored. |
| AWS load balancer should redirect HTTP to HTTPS | Checks that AWS load balancers redirect HTTP traffic to HTTPS. |
| AWS load balancer healthy host count should be monitored | Checks that AWS load balancer healthy host count is being monitored. |
| AWS load balancer should have valid configuration | Checks that AWS load balancer configuration is valid and correct. |
| AWS load balancer host health should be monitored | Checks that AWS load balancer backend host health is being monitored. |
| AWS application load balancer should be protected from direct internet traffic | Checks that AWS application load balancers are not directly exposed to the internet. |
| AWS Lightsail instance CPU utilization should be monitored | Checks that AWS Lightsail instance CPU utilization is being monitored. |
| AWS Lightsail disk backup should be enabled | Checks that AWS Lightsail disk backups are enabled. |
| AWS Lightsail disks should be encrypted | Checks that AWS Lightsail disks are encrypted at rest. |
| AWS CloudTrail log file integrity validation should be enabled | Checks that AWS CloudTrail log file integrity validation is enabled. |
| AWS CloudTrail S3 logging bucket access logging should be enabled | Checks that access logging is enabled on the S3 bucket used by CloudTrail. |
| AWS CloudTrail logging bucket should be protected from direct internet traffic | Checks that the CloudTrail logging S3 bucket is not publicly accessible. |
Tests run automatically every 24 hours. Failed tests generate alerts and appear in your compliance dashboard with remediation guidance. All test results are stored as audit evidence with timestamps.
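
Four of the IAM tests in the table (root MFA, user MFA, access key age, unused credentials) can be reproduced from the IAM credential report. This added example is not DSALTA's code: the sample report is constructed, the function and result names are hypothetical, and scoping the user MFA test to password-enabled users is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # threshold stated by the tests in the table

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2024-05-30T08:00:00+00:00,false,false,N/A,N/A
alice,true,2024-05-28T09:12:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-29T10:00:00+00:00
bob,true,2023-11-02T14:00:00+00:00,false,true,2023-01-15T00:00:00+00:00,2023-12-01T00:00:00+00:00
ci-deploy,false,N/A,false,true,2024-05-01T00:00:00+00:00,N/A
dave,false,N/A,false,true,2024-01-10T00:00:00+00:00,2024-05-30T12:00:00+00:00
"""

def _ts(value):
    """Parse a report timestamp; N/A, no_information, not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def evaluate(report_csv, now=None):
    """Return {test name: sorted failing users} for four tests from the table."""
    now = now or datetime.now(timezone.utc)
    fails = {k: set() for k in ("root_mfa", "user_mfa", "key_age", "unused_credential")}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                fails["root_mfa"].add(user)
            continue
        has_password = row["password_enabled"] == "true"
        # Assumption: MFA is required of users who can sign in with a password.
        if has_password and row["mfa_active"] != "true":
            fails["user_mfa"].add(user)
        last_login = _ts(row["password_last_used"])
        if has_password and last_login and now - last_login > MAX_AGE:
            fails["unused_credential"].add(user)
        for n in ("1", "2"):  # each IAM user can hold two access keys
            if row.get(f"access_key_{n}_active") != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            # A key that was never used is aged from its rotation date.
            last_used = _ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if rotated and now - rotated > MAX_AGE:
                fails["key_age"].add(user)
            if last_used and now - last_used > MAX_AGE:
                fails["unused_credential"].add(user)
    return {name: sorted(users) for name, users in fails.items()}
```

A real report can be fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, both of which the SecurityAudit managed policy permits.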
Compliance Frameworks
This integration provides evidence for the following compliance frameworks:

SOC 2
Access controls, monitoring, and change management evidence.
ISO 27001
Asset management, access control, and operations security evidence.
GDPR
Access records and data processing evidence.
Troubleshooting
Integration shows Disconnected
Re-authenticate by going to Settings → Integrations → Amazon Web Services (AWS) and clicking Reconnect. This usually happens when API tokens expire or permissions change.
Data is not syncing
Verify that the connected account still has the required admin permissions. Try a manual sync from the integration settings page. If the issue persists, check your Amazon Web Services (AWS) API rate limits.
Tests are not generating
Tests generate after the first successful data sync. If sync completed but tests are missing, ensure the relevant features are configured in Amazon Web Services (AWS) (e.g., GuardDuty must be enabled in AWS for GuardDuty tests to appear).
Some users are missing from the sync
DSALTA syncs all users visible to the connected admin account. If users are missing, verify they are within the scope you configured during setup. Suspended or deleted accounts may not appear.