Amazon Web Services
The AWS integration connects HomeBase to CloudTrail, GuardDuty, Security Hub, IAM, and Config — ingesting threat findings, configuration changes, and identity events across all monitored accounts and regions.
What's ingested
- CloudTrail — API call history, IAM mutations, unusual access patterns.
- GuardDuty — threat detections: malware, compromised credentials, unusual network behaviour.
- Security Hub — aggregated findings from GuardDuty, Inspector, Macie, and third-party tools.
- IAM — user, role, and policy inventory; privilege escalation detection.
- AWS Config — configuration change history and compliance rules.
Setup: cross-account IAM role
HomeBase accesses your AWS account through a read-only cross-account IAM role: it calls STS AssumeRole and works with the short-lived session credentials that call returns, so no long-lived credentials are stored on either side.
1. Create the IAM role
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "hld-ext-YOUR_TENANT_ID"
        }
      }
    }
  ]
}
```
2. Attach permissions
Attach the following AWS managed policies to the role:
| Name | Type | Required | Description |
|---|---|---|---|
| SecurityAudit | managed policy | No | Read access to security-relevant services. |
| AmazonGuardDutyReadOnlyAccess | managed policy | No | Read GuardDuty findings. |
| AWSSecurityHubReadOnlyAccess | managed policy | No | Read Security Hub aggregated findings. |
3. Register the integration
```http
POST /v1/integrations
{
  "type": "aws",
  "tenant_id": "ten_01hxyz",
  "credentials": {
    "role_arn": "arn:aws:iam::YOUR_ACCOUNT_ID:role/HLDHomeBaseRole",
    "external_id": "hld-ext-YOUR_TENANT_ID"
  },
  "config": {
    "regions": ["ap-southeast-2", "us-east-1"],
    "ingest_cloudtrail": true,
    "ingest_guardduty": true,
    "ingest_security_hub": true
  }
}
```
Note: HomeBase assumes the role through STS AssumeRole and presents the external ID on every call. The `sts:ExternalId` condition in the trust policy is the confused-deputy protection: a third party who learns your role ARN cannot get HomeBase to assume the role on their behalf, because they do not know the external ID. The `external_id` you register must match the value in the trust policy exactly, or every AssumeRole call fails with AccessDenied. Treat the external ID as a secret and never publish it.
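The three steps above fit together as one procedure, and the point where setups usually go wrong is a trust policy that drops the `sts:ExternalId` condition or uses a wildcard principal. The following Python script is an added example, not HomeBase's own code: it builds the trust policy from step 1, audits an arbitrary trust policy for those two mistakes, and assembles the registration body from step 3 only after the audit passes. The `123456789012` principal is the placeholder from the trust policy above, the `hld-ext-<tenant_id>` naming rule for the external ID is an assumption drawn from the two snippets, and the sample policies it checks are constructed inline.

```python
"""Helper for the HomeBase AWS setup steps above.

Added example, not HomeBase's own code. HOMEBASE_ACCOUNT_ID reuses the
placeholder from the trust policy above; the "hld-ext-<tenant_id>" rule for
the external ID is an assumption drawn from the two snippets on this page.
"""
import json
import re

HOMEBASE_ACCOUNT_ID = "123456789012"  # placeholder; use the ID HomeBase gives you
ROLE_NAME = "HLDHomeBaseRole"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")


def external_id_for(tenant_id: str) -> str:
    """Assumed naming rule: external ID is 'hld-ext-' followed by the tenant ID."""
    return f"hld-ext-{tenant_id}"


def build_trust_policy(homebase_account_id: str, tenant_id: str) -> dict:
    """Trust policy from step 1, parameterised on the HomeBase account and tenant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{homebase_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id_for(tenant_id)}},
        }],
    }


def audit_trust_policy(policy: dict, homebase_account_id: str, external_id: str) -> list:
    """Return problems found in a role trust policy; an empty list means it is safe.

    Every Allow statement for sts:AssumeRole must name exactly HomeBase's account as
    principal (no wildcard, no extra accounts) and must require the expected
    sts:ExternalId. A statement that omits the condition is the confused-deputy hole.
    """
    expected_principal = f"arn:aws:iam::{homebase_account_id}:root"
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    seen_assume = False
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        seen_assume = True
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:  # "*" or any foreign account is flagged here
            if p != expected_principal:
                problems.append(f"statement {idx}: unexpected principal {p!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {idx}: no sts:ExternalId condition (confused deputy risk)")
        elif ([ext] if isinstance(ext, str) else ext) != [external_id]:
            problems.append(f"statement {idx}: sts:ExternalId {ext!r} does not match {external_id!r}")
    if not seen_assume:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems


def build_registration(tenant_id: str, account_id: str, regions: list, trust_policy: dict) -> dict:
    """Body for POST /v1/integrations (step 3), cross-checked against the trust policy.

    The external_id sent to HomeBase must equal the value the trust policy demands,
    otherwise every AssumeRole call fails with AccessDenied. Raises ValueError on mismatch.
    """
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"malformed role ARN {role_arn!r}")
    external_id = external_id_for(tenant_id)
    problems = audit_trust_policy(trust_policy, HOMEBASE_ACCOUNT_ID, external_id)
    if problems:
        raise ValueError("trust policy rejected: " + "; ".join(problems))
    return {
        "type": "aws",
        "tenant_id": tenant_id,
        "credentials": {"role_arn": role_arn, "external_id": external_id},
        "config": {
            "regions": list(regions),
            "ingest_cloudtrail": True,
            "ingest_guardduty": True,
            "ingest_security_hub": True,
        },
    }


# Constructed sample: a trust policy whose author forgot the external ID condition.
SAMPLE_BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": "sts:AssumeRole"}]
}""")

if __name__ == "__main__":
    tenant = "ten_01hxyz"
    good = build_trust_policy(HOMEBASE_ACCOUNT_ID, tenant)
    print("good policy:", audit_trust_policy(good, HOMEBASE_ACCOUNT_ID, external_id_for(tenant)) or "ok")
    print("bad policy: ", audit_trust_policy(SAMPLE_BAD_POLICY, HOMEBASE_ACCOUNT_ID, external_id_for(tenant)))
    print(json.dumps(build_registration(tenant, "111122223333", ["ap-southeast-2", "us-east-1"], good), indent=2))
```

Run the audit against the trust policy you actually deployed (for example the output of `aws iam get-role`) rather than the one you meant to deploy; the two drift apart when someone later "simplifies" the policy in the console, and the registration will keep working with HomeBase while silently losing the confused-deputy protection.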