
Overview

Connect your AWS account to give TierZero read and (optional) write access to your cloud infrastructure. TierZero uses a cross-account IAM role to query CloudWatch metrics and logs, inspect resource configurations, and correlate infrastructure state with incidents without storing long-lived credentials.

Prerequisites

  • Administrative access to your AWS account
  • Permission to create IAM roles and attach policies

Setup Instructions

Step 1: Navigate to Integration Settings

  1. Log into your TierZero dashboard
  2. Go to Settings → Integrations
  3. Click Connect next to AWS
  4. Click View Instructions to see a setup guide with values specific to your organization (Account ID, External ID)

Step 2: Create an IAM Role

Create a new IAM role in your AWS account that TierZero can assume via cross-account access.
  1. In the AWS Console, go to IAM → Roles → Create role
  2. Select Custom trust policy and paste the trust policy below, replacing <your-external-id> with the External ID shown in the TierZero setup wizard (the principal ARN is TierZero's own role and stays as-is):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::851725519002:role/tierzero-managed"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your-external-id>"
        }
      }
    }
  ]
}
  3. Attach the following AWS managed policies (read-only; write policies can be added based on your needs):

     Policy                                Purpose
     CloudWatchReadOnlyAccess              Logs, metrics, and alarms
     AmazonRDSReadOnlyAccess               RDS instance metadata
     AmazonS3ReadOnlyAccess                S3 bucket metadata
     AWSLambda_ReadOnlyAccess              Lambda function metadata
     AmazonEC2ReadOnlyAccess               EC2 instance metadata
     AmazonEC2ContainerRegistryReadOnly    ECR image metadata
     ElasticLoadBalancingReadOnly          Load balancer metadata
     AutoScalingReadOnlyAccess             Auto Scaling group metadata
     IAMReadOnlyAccess                     IAM role and policy metadata
     AWSBillingReadOnlyAccess              Billing and cost data

     Note that these AWS managed policies are broader than the Purpose column suggests: AmazonS3ReadOnlyAccess includes s3:Get*, which can read object contents and not only bucket metadata, and CloudWatchReadOnlyAccess can read log events. If that is more than you intend to grant, replace the policy in question with a scoped-down customer managed policy.
  4. Name the role (e.g., TierZeroAccess) and click Create role

Step 3: Provide the Role ARN

  1. Copy the IAM Role ARN from your AWS console
  2. Paste it into the TierZero setup wizard
  3. Click Connect

Terraform Setup

If you manage infrastructure as code, use the following Terraform configuration to create the cross-account IAM role.
Pass the External ID shown in your TierZero setup wizard as the external_id variable when applying; it is wired into the sts:ExternalId condition of the trust policy.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

variable "role_name" {
  description = "Name for the IAM role"
  type        = string
  default     = "TierZeroAccess"
}

variable "external_id" {
  description = "External ID from TierZero setup wizard"
  type        = string
}

# IAM Role with Trust Policy

resource "aws_iam_role" "tierzero" {
  name = var.role_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::851725519002:role/tierzero-managed"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.external_id
          }
        }
      }
    ]
  })

  tags = {
    ManagedBy = "Terraform"
    Purpose   = "TierZero cross-account access"
  }
}

# Managed Policies

locals {
  policies = [
    "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
    "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
    "arn:aws:iam::aws:policy/ElasticLoadBalancingReadOnly",
    "arn:aws:iam::aws:policy/AutoScalingReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess",
  ]
}

resource "aws_iam_role_policy_attachment" "tierzero" {
  for_each   = toset(local.policies)
  role       = aws_iam_role.tierzero.name
  policy_arn = each.value
}

output "role_arn" {
  description = "ARN of the TierZero IAM role — provide this to TierZero"
  value       = aws_iam_role.tierzero.arn
}
Apply with:
terraform init
terraform apply -var="external_id=<your-external-id>"
Then paste the role_arn output into the TierZero setup wizard.

Kubernetes (EKS)

If your team uses Amazon EKS, you can grant TierZero access to your Kubernetes clusters for inspecting workloads, pods, and cluster state during investigations.

Step 1: Attach the EKS Policy

Attach the AmazonEKSMCPReadOnlyAccess managed policy to the IAM role you created above. In the AWS Console:
  1. Go to IAM → Roles and select your TierZero role
  2. Click Add permissions → Attach policies
  3. Search for AmazonEKSMCPReadOnlyAccess and attach it
Or with Terraform, add the policy to the locals.policies list:
"arn:aws:iam::aws:policy/AmazonEKSMCPReadOnlyAccess",
Note that the default IAM quota is 10 managed policies attached per role, and the ten policies from Step 2 already use it. Request a quota increase (up to 20) in Service Quotas before attaching this eleventh policy; otherwise the attachment fails with a LimitExceeded error.

Step 2: Create an EKS Access Entry

Grant the IAM role access to your EKS cluster:
  1. In the AWS Console, go to EKS → Clusters → your cluster → Access
  2. Click Create access entry
  3. Select the TierZero IAM role as the principal
  4. Assign the AmazonEKSViewPolicy access policy with Cluster scope
  5. Click Create
Repeat for each EKS cluster you want TierZero to access. Access entries require the cluster's authentication mode to be API or API_AND_CONFIG_MAP; a cluster still set to CONFIG_MAP must be switched first (the change is one-way) before an access entry can be created.
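The same grant done programmatically, as an added example that is not TierZero's own code: it performs the access-entry step above with the EKS API (boto3 eks client), idempotently and for any number of clusters, and then reads the associations back, which is exactly the check the "EKS Cluster Not Accessible" list asks for. The client is passed in as a parameter, so the logic can be exercised against a stub; the role ARN and cluster names on the command line are yours.

```python
"""Grant the TierZero role cluster-scoped view access to EKS clusters, idempotently.

Added example (not TierZero's code). Uses the EKS access-entry API via a boto3
'eks' client that the caller passes in.
"""
import sys

# Access policy assigned in Step 2 of the EKS section.
VIEW_POLICY_ARN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"


def has_cluster_view_policy(associated):
    """True if AmazonEKSViewPolicy is associated with cluster (not namespace) scope."""
    return any(
        p["policyArn"] == VIEW_POLICY_ARN and p["accessScope"]["type"] == "cluster"
        for p in associated
    )


def ensure_view_access(eks, cluster_name, principal_arn):
    """Make principal_arn a cluster-scoped viewer on cluster_name.

    Returns the actions taken and whether the association verifies afterwards.
    """
    cluster = eks.describe_cluster(name=cluster_name)["cluster"]
    # Access entries need authentication mode API or API_AND_CONFIG_MAP. A missing
    # accessConfig means the cluster predates access entries and is still CONFIG_MAP.
    mode = cluster.get("accessConfig", {}).get("authenticationMode", "CONFIG_MAP")
    if mode == "CONFIG_MAP":
        raise RuntimeError(
            f"{cluster_name}: authentication mode is CONFIG_MAP; switch to API_AND_CONFIG_MAP first"
        )

    actions = []
    # list_access_entries returns principal ARNs (paginated via nextToken beyond 100 entries).
    entries = eks.list_access_entries(clusterName=cluster_name)["accessEntries"]
    if principal_arn not in entries:
        eks.create_access_entry(clusterName=cluster_name, principalArn=principal_arn)
        actions.append("created access entry")

    associated = eks.list_associated_access_policies(
        clusterName=cluster_name, principalArn=principal_arn
    )["associatedAccessPolicies"]
    if not has_cluster_view_policy(associated):
        eks.associate_access_policy(
            clusterName=cluster_name,
            principalArn=principal_arn,
            policyArn=VIEW_POLICY_ARN,
            accessScope={"type": "cluster"},
        )
        actions.append("associated AmazonEKSViewPolicy at cluster scope")

    # Read back instead of trusting the write: this is the troubleshooting check.
    associated = eks.list_associated_access_policies(
        clusterName=cluster_name, principalArn=principal_arn
    )["associatedAccessPolicies"]
    return {
        "cluster": cluster_name,
        "actions": actions,
        "verified": has_cluster_view_policy(associated),
    }


def ensure_view_access_all(eks, principal_arn, cluster_names=None):
    """Apply ensure_view_access to the given clusters, or to every cluster in the region."""
    names = cluster_names or eks.list_clusters()["clusters"]
    return [ensure_view_access(eks, name, principal_arn) for name in names]


if __name__ == "__main__":
    # Usage: python tierzero_eks_access.py <tierzero-role-arn> [cluster-name ...]
    import boto3  # only needed for the live run

    for result in ensure_view_access_all(boto3.client("eks"), sys.argv[1], sys.argv[2:]):
        status = "ok" if result["verified"] else "NOT VERIFIED"
        print(f"{result['cluster']}: {status}; {', '.join(result['actions']) or 'no changes'}")
```

Run it with the ARN of the role from Step 2 and the clusters to onboard; run it a second time and it reports "no changes", which makes it safe to keep in a pipeline. It uses the caller's credentials, so those need eks:DescribeCluster, eks:ListAccessEntries, eks:CreateAccessEntry, eks:ListAssociatedAccessPolicies and eks:AssociateAccessPolicy on the clusters.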

Step 3: Allow TierZero’s IP Addresses (If Required)

If your EKS cluster’s API server endpoint restricts access by IP, you need to add TierZero’s outbound IP addresses to the allowlist:
  1. In the AWS Console, go to EKS → Clusters → your cluster → Networking
  2. Under API server endpoint access, click Manage
  3. Add TierZero’s outbound IP addresses (available in your TierZero dashboard under Settings → Integrations → AWS)
This step is only required if your EKS cluster has IP-based restrictions on the API server endpoint. Clusters with public endpoint access enabled without CIDR restrictions do not need this.

What TierZero Accesses

  • CloudWatch Logs: Query log groups and log streams
  • CloudWatch Metrics: Query metrics and alarms
  • Resource metadata: EC2, RDS, Lambda, S3, ELB, and ASG configurations
  • EKS clusters: Kubernetes workloads, pods, and cluster state (if configured)
  • IAM metadata: Roles, policies, and trust relationships
  • Billing data: Cost and usage information

Security

  • TierZero uses cross-account IAM role assumption, so no long-lived credentials are stored; each session is a set of short-lived STS credentials bounded by the role's maximum session duration
  • An External ID is required to prevent confused deputy attacks: another TierZero customer who learns your role ARN cannot get TierZero to assume it without your External ID, because the trust policy only allows sts:AssumeRole when sts:ExternalId matches
  • The default policies are read-only; write access is opt-in based on your needs
  • Revoke access at any time by deleting the IAM role or updating its trust policy. Removing the trust only blocks new AssumeRole calls; sessions already issued stay valid until they expire, so to cut those off as well use "Revoke active sessions" on the role (an inline deny keyed on aws:TokenIssueTime)
  • All API calls are logged in AWS CloudTrail: the AssumeRole event appears in your account with TierZero's role as the caller, and every subsequent call is attributed to the assumed-role session

Troubleshooting

"Access Denied" Errors

  • Verify the IAM role’s trust policy allows TierZero’s account (851725519002) to assume it
  • Check that the External ID matches the value shown in the TierZero setup wizard
  • Ensure all required managed policies are attached to the role
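The three checks above, scripted, as an added example that is not TierZero's tooling: it fetches the role with a boto3 IAM client and verifies that the trust policy names TierZero's role (851725519002) as the only principal, that the sts:ExternalId condition is present and matches the wizard value, and that every read-only policy from Step 2 is attached. The client is a parameter so the same audit runs against a fetched role or an offline document; the two sample trust policies in the block are constructed for illustration, with one deliberately weak (no External ID, wildcard principal) beside the correct one.

```python
"""Audit a TierZero cross-account role against the "Access Denied" checklist.

Added example (not TierZero's code). Pass in a boto3 IAM client, or call
audit_trust_policy directly on a trust policy document.
"""
import json
import sys

TIERZERO_PRINCIPAL = "arn:aws:iam::851725519002:role/tierzero-managed"

# The read-only managed policies from Step 2 (AmazonEKSMCPReadOnlyAccess is optional).
REQUIRED_POLICY_ARNS = frozenset(
    f"arn:aws:iam::aws:policy/{name}"
    for name in (
        "CloudWatchReadOnlyAccess", "AmazonRDSReadOnlyAccess", "AmazonS3ReadOnlyAccess",
        "AWSLambda_ReadOnlyAccess", "AmazonEC2ReadOnlyAccess",
        "AmazonEC2ContainerRegistryReadOnly", "ElasticLoadBalancingReadOnly",
        "AutoScalingReadOnlyAccess", "IAMReadOnlyAccess", "AWSBillingReadOnlyAccess",
    )
)

# Constructed samples. The weak one trusts any account and has no External ID.
SAMPLE_GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": TIERZERO_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
SAMPLE_WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_external_id):
    """Return a list of findings; an empty list means the trust policy is sound."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    allow = [
        s for s in _as_list(doc.get("Statement"))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in allow:
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or {"AWS": "<arn>" | ["<arn>", ...]}.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        unexpected = [p for p in aws_principals if p not in (TIERZERO_PRINCIPAL, "*")]
        if unexpected:
            findings.append(f"unexpected principal(s): {unexpected}")
        # The page's trust policy uses StringEquals; only that operator is checked here.
        external_ids = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        )
        if not external_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif external_ids != [expected_external_id]:
            findings.append("sts:ExternalId does not match the value from the setup wizard")
    return findings


def audit_attached_policies(attached_arns):
    """Return the required policy ARNs that are not attached, sorted."""
    return sorted(REQUIRED_POLICY_ARNS - set(attached_arns))


def audit_role(iam, role_name, expected_external_id):
    """Fetch the role with a boto3 IAM client and run both audits."""
    role = iam.get_role(RoleName=role_name)["Role"]
    # boto3 hands back AssumeRolePolicyDocument already URL-decoded into a dict.
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    return {
        "role_arn": role["Arn"],
        "trust_findings": audit_trust_policy(role["AssumeRolePolicyDocument"], expected_external_id),
        "missing_policies": audit_attached_policies(p["PolicyArn"] for p in attached),
    }


if __name__ == "__main__":
    # Usage: python audit_tierzero_role.py TierZeroAccess <your-external-id>
    import boto3  # only needed for the live check

    report = audit_role(boto3.client("iam"), sys.argv[1], sys.argv[2])
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["trust_findings"] or report["missing_policies"] else 0)
```

A non-zero exit with an empty findings list but a non-empty missing_policies list is the "Missing Data" case below rather than an assume-role failure; an empty report for both and a still-failing Connect means the ARN pasted into TierZero is not this role.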

EKS Cluster Not Accessible

  • Confirm the EKS access entry exists for the TierZero IAM role
  • Verify the AmazonEKSViewPolicy is assigned with Cluster scope
  • If using IP restrictions, ensure TierZero’s outbound IPs are allowlisted

Missing Data

  • Verify the IAM role has the specific policy for the data type you expect (e.g., CloudWatchReadOnlyAccess for logs)
  • Check that the role ARN entered in TierZero matches the role in your AWS account