Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The AWS integration reads security and configuration data from your AWS account to provide evidence for infrastructure controls. It uses a read-only IAM role — Matproof never modifies your AWS environment. Evidence collected automatically:
  • IAM users, roles, and policy assignments
  • Root account MFA status
  • CloudTrail logging enabled and configured
  • S3 bucket encryption and public access settings
  • Security groups with overly permissive rules (0.0.0.0/0 ingress)
  • KMS key rotation status
  • Password policy strength settings
  • Unused IAM credentials (access keys not used in 90+ days)
  • AWS Config enabled status
  • GuardDuty enabled status

Prerequisites

  • AWS account with permission to create IAM roles
  • Matproof Admin or Owner role
  • Ability to run a CloudFormation template or create IAM resources manually

Connecting AWS

Matproof uses a cross-account IAM role with read-only permissions. This is the AWS-recommended pattern for third-party integrations.
  1. Go to Settings → Integrations → AWS → Connect
  2. Click Deploy CloudFormation Stack
  3. You will be redirected to your AWS Console with the CloudFormation template pre-loaded
  4. Review the template — it creates a single IAM role with the ReadOnlyAccess managed policy
  5. Click Create stack
  6. Once the stack is created, copy the Role ARN from the Outputs tab
  7. Paste the Role ARN back in Matproof and click Verify connection

Option B — Manual IAM role

  1. In AWS IAM, create a new role with Another AWS account as the trusted entity
  2. Enter Matproof’s AWS account ID (shown in the integration setup screen)
  3. Attach the ReadOnlyAccess managed policy
  4. Add a condition: sts:ExternalId = the external ID shown in Matproof (prevents confused deputy attacks)
  5. Copy the Role ARN and paste it in Matproof
Matproof only ever calls sts:AssumeRole to assume your read-only role. It cannot elevate privileges or access resources outside the ReadOnlyAccess scope.

Multi-Account Setup

If you use AWS Organizations with multiple accounts, you can connect each account separately. For large organizations, Matproof supports an Organizations-level connection that scans all member accounts using a delegated admin role. Contact support to set this up.

What Gets Mapped to Which Controls

Evidence CollectedControl Examples
Root account MFA enabledPrivileged access controls (SOC 2 CC6, ISO 27001 A.5.16)
CloudTrail enabled in all regionsLogging and monitoring controls (DORA Art. 10)
No S3 buckets with public read/writeData protection controls
IAM password policy meets requirementsAccess control policy controls
No access keys unused for 90+ daysAccount lifecycle controls
KMS key rotation enabledCryptography controls (ISO 27001 A.8.24)
GuardDuty enabledThreat detection controls
Security groups — no 0.0.0.0/0 on port 22/3389Network security controls

Interpreting Failed Checks

Go to Integrations → AWS → Evidence to see all checks with pass/fail status. Failed checks appear as gaps on the relevant control. Click any failed check to see:
  • Which specific resource is failing (e.g., bucket name, security group ID)
  • What the expected configuration is
  • A direct link to the AWS Console to fix it
Sort by Severity: High to prioritize the checks that will most impact your compliance score. Root account MFA and CloudTrail are always the highest severity.

Common Issues

”Connection verification failed — invalid role ARN”

Check that:
  1. The external ID in Matproof matches what you configured in the IAM role trust policy
  2. The role ARN is copied exactly (including the account ID)
  3. The Matproof AWS account ID is correctly listed as a trusted principal in the role

”CloudTrail shows as failing but we have it enabled”

Matproof checks that CloudTrail is enabled in all regions with a multi-region trail, and that log file validation is enabled. A trail that only covers your primary region will fail this check.

”Some checks show N/A”

Checks for services you don’t use (e.g., GuardDuty in a region you don’t operate in) show as N/A. These do not affect your compliance score — they are skipped in the gap calculation.

Supported Regions

Matproof scans all standard AWS regions. GovCloud and China regions are not currently supported. Contact support if you require coverage for these.

Disconnecting

Go to Settings → Integrations → AWS → Disconnect. Then delete the IAM role from your AWS account to fully revoke access.