# AWS

Import assets directly from Route53, ElasticIP, and Elastic Load Balancer by integrating with AWS.

## Halo Security Setup

1. Visit your *Settings → Integrations →* [Add](https://app.halosecurity.com/user/settings/integrations/add).
2. Add the AWS integration.
3. Add a name for the integration.
4. Enter your AWS account information and click **Save Changes**.

{% hint style="info" %}
Keep this page open while configuring the AWS permissions.
{% endhint %}

## AWS Setup

1. In your AWS dashboard navigate to **Identity and Access Management (IAM)**
2. Click **Roles** then **Create role**
3. Select **AWS account**
4. Select **Another AWS account** and **Require external ID**. Add the external ID value found in your [integration settings](https://app.halosecurity.com/user/settings/integrations/).
5. Click **Next**
6. On **Add permissions** click **Next**
7. Add **Role name:** `HaloSecurity`
8. Add **Description**:\
   `Must remain in place for HaloSecurity to function correctly. Email support@halosecurity.com for assistance.`
9. Click **Create role**
10. Select the role you just created: **HaloSecurity**
11. Under **Add permissions**, select **Create inline policy**
12. Click **JSON** and paste the [custom policy](#custom-policy-json) provided below
13. Click **Next**
14. Add Policy name: `HaloSecurity`
15. Click **Create Policy**

{% hint style="success" %}
Once you've created the policy, return to the Halo Security dashboard and click **Run** on the integration to confirm it is working correctly.
{% endhint %}

### Custom Policy JSON

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HaloSecurity01",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName",
                "s3:ListAllMyBuckets",
                "cloudfront:ListDistributions",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent"
            ],
            "Resource": "*"
        }
    ]
}
```
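An offline check of the finished role, added here as an example and not part of Halo Security's documentation: it confirms that the trust policy only allows `sts:AssumeRole` with the expected external ID, and that the inline policy allows nothing beyond `Describe*`/`List*`/`Get*` actions. The account ID `111122223333` and the external ID value are placeholders, and the trust policy shape is assumed to be the one the IAM console generates for **Require external ID**.

```python
import json

# Constructed trust policy in the shape the IAM console produces for
# "Another AWS account" + "Require external ID". Account ID and external ID
# are placeholders; take the real ones from your integration settings.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")

# Actions copied from the custom policy on this page.
PAGE_ACTIONS = [
    "ec2:Describe*", "elasticloadbalancing:Describe*", "route53:GetHostedZone",
    "route53:ListHostedZones", "route53:ListResourceRecordSets",
    "route53:ListHostedZonesByName", "s3:ListAllMyBuckets",
    "cloudfront:ListDistributions", "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent", "organizations:ListChildren",
    "organizations:ListParents", "organizations:ListAccounts",
    "organizations:ListAccountsForParent"]
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "HaloSecurity01", "Effect": "Allow", "Action": PAGE_ACTIONS, "Resource": "*"}]}

def as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def audit_trust(policy, expected_external_id):
    """Findings for Allow statements that can be assumed without the external ID."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or "*" in as_list((principal or {}).get("AWS", [])):
            findings.append(f"statement {i}: any AWS principal is trusted")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [x for k, v in equals.items() if k.lower() == "sts:externalid" for x in as_list(v)]
        if ids != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or unexpected")
    return findings

def audit_permissions(policy):
    """Allowed actions whose name is not Describe*/List*/Get* (a naming heuristic)."""
    flagged = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in as_list(stmt.get("Action", [])):
                service, _, name = action.partition(":")
                if service == "*" or not name.lower().startswith(("describe", "list", "get")):
                    flagged.append(action)
    return flagged

if __name__ == "__main__":
    print(audit_trust(TRUST_POLICY, "EXAMPLE-EXTERNAL-ID"), audit_permissions(PERMISSIONS_POLICY))
```

To run it against the real role, replace the constructed documents with the output of `aws iam get-role --role-name HaloSecurity --query Role.AssumeRolePolicyDocument` and the inline policy you pasted. Both functions return an empty list when nothing is flagged.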

### Monitor Dynamic IP Addresses

If you're connected with AWS, Halo Security can monitor assets with dynamic IP addresses by setting an AWS Instance ID for targets. For more information, see the [Scan Configuration](/docs/platform/targets/scan-configuration.md) page.

### Sending Events to AWS

You can also send events from Halo Security to AWS, using the instructions below:

{% content-ref url="/pages/8oH5W6A28SB7rr5IxAtv" %}
[AWS](/docs/integrations/workflow-integrations/aws.md)
{% endcontent-ref %}


