# AWS

Import assets directly from Route53, ElasticIP, and Elastic Load Balancer by integrating with AWS.

## Halo Security Setup

1. Visit your *Settings → Integrations →* [Add](https://app.halosecurity.com/user/settings/integrations/add).
2. Add the AWS integration.
3. Add a name for the integration.
4. Enter your AWS account information and click **Save Changes**.

{% hint style="info" %}
Keep this page open while configuring the AWS permissions.
{% endhint %}

## AWS Setup

1. In your AWS dashboard navigate to **Identity and Access Management (IAM)**
2. Click **Roles** then **Create role**
3. Select **AWS account**
4. Select **Another AWS account** and **Require external ID**. Add the external ID value found in your [integration settings](https://app.halosecurity.com/user/settings/integrations/).
5. Click **Next**
6. On **Add permissions** click **Next**
7. Add **Role name:** `HaloSecurity`
8. Add **Description**:\
   `Must remain in place for HaloSecurity to function correctly. Email support@halosecurity.com for assistance.`
9. Click **Create role**
10. Select the role you just created: **HaloSecurity**
11. Under **Add permissions**, select **Create inline policy**
12. Click **JSON** and paste the [custom policy](#custom-policy-json) provided below
13. Click **Next**
14. Add Policy name: `HaloSecurity`
15. Click **Create Policy**

{% hint style="success" %}
Once you've created the policy, return to the Halo Security dashboard and click **Run** on the integration to confirm it is working correctly.
{% endhint %}

### Custom Policy JSON

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HaloSecurity01",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName",
                "s3:ListAllMyBuckets",
                "cloudfront:ListDistributions",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent"
            ],
            "Resource": "*"
        }
    ]
}
```
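The following is an added example, not part of Halo Security's documentation. It audits the two documents this setup produces: the role's trust policy, which should pin `sts:ExternalId` for cross-account access, and the inline policy, which should allow only `Describe*`, `List*` and `Get*` actions. The account ID `111122223333`, the external ID `EXAMPLE-EXTERNAL-ID` and the function names are placeholders chosen for illustration, and the trust policy is a constructed sample in the shape the IAM console writes for **Another AWS account** with **Require external ID**.

```python
import json

# Constructed sample of the role's trust policy (AWS Setup, steps 3-4).
# The account ID and external ID are placeholders, not Halo Security values.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")
READ_ONLY_VERBS = ("Describe", "List", "Get")


def as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_external_id):
    """Findings for Allow statements that grant AssumeRole too broadly."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = as_list(stmt.get("Action", []))
        assumable = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not assumable:
            continue
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: wildcard principal")
        # Expects the key spelling the console writes; any other form is flagged.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(cond.get("sts:ExternalId", [])) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId not pinned")
    return findings


def non_read_actions(policy):
    """Allowed actions whose verb is not Describe*, List* or Get* (coarse check)."""
    flagged = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged
```

To check a live role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name HaloSecurity` and the `PolicyDocument` returned by `aws iam get-role-policy --role-name HaloSecurity --policy-name HaloSecurity`.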

### Monitor Dynamic IP Addresses

If you're connected with AWS, Halo Security can monitor assets with dynamic IP addresses by setting an AWS Instance ID for targets. For more information, see the [Scan Configuration](https://docs.halosecurity.com/docs/platform/targets/scan-configuration) page.

### Sending Events to AWS

You can also send events from Halo Security to AWS, using the instructions below:

{% content-ref url="../workflow-integrations/aws" %}
[aws](https://docs.halosecurity.com/docs/integrations/workflow-integrations/aws)
{% endcontent-ref %}
