Inventory IAM users, roles and policies via cross-account role assumption. Also pulls console + AssumeRole sign-in events from CloudTrail.
Source connector — pulls identity and access data from AWS IAM into ComplianceScout where it is scored against your compliance frameworks and violation rules.
After a successful sync, the following data is available in your ComplianceScout dashboard for violation detection and reporting.
These fields are collected when you add the connector in the ComplianceScout dashboard. Secrets are encrypted at rest using AES-256-GCM and are never logged.
| Field | Type | Required | Notes |
|---|---|---|---|
| Role ARN | Text | Required | arn:aws:iam::<acct>:role/ComplianceScoutReadOnly |
| External ID | Text | Required | Issued by the prepare flow; ties the role trust policy to your tenant. |
| CloudTrail region | Text | Optional | Region of your CloudTrail trail. Defaults to us-east-1 if blank. |
Follow these steps to gather the credentials above and connect AWS IAM to ComplianceScout.
In the AWS IAM console, create a new IAM role with a custom trust policy that allows ComplianceScout's AWS account to assume it using an external ID.
Attach a read-only policy granting: iam:List*, iam:Get*, cloudtrail:LookupEvents, and s3:GetBucketAcl to the role.
Copy the Role ARN from the role summary page (format: arn:aws:iam::123456789012:role/YourRoleName).
In ComplianceScout, go to Data & Secrets → Integrations → Add Connector → AWS IAM. The external ID is displayed in the form — add it to your role's trust policy before saving.
Enter the Role ARN and click Test Connection to verify cross-account access, then Save.
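The two policy documents the steps above ask you to create, plus a check for the one property that matters most in a cross-account role (the `sts:ExternalId` condition that prevents a confused-deputy abuse of the role), as an added example that is not ComplianceScout's own code. `COMPLIANCESCOUT_ACCOUNT_ID` and `EXTERNAL_ID` are placeholders: the real values come from the Add Connector form, not from this page.

```python
"""Build the cross-account role documents from the steps above and verify
the trust policy before saving it in the IAM console.
Added example, not ComplianceScout's own code."""
import json

# Placeholder values (assumed): replace with the account ID and external ID
# shown in the ComplianceScout Add Connector form.
COMPLIANCESCOUT_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-from-prepare-flow"


def trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Trust policy for step 1: only the partner account may assume the role,
    and only when it presents the tenant-specific external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """Read-only permissions policy for step 2, exactly the actions listed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:List*", "iam:Get*",
                       "cloudtrail:LookupEvents", "s3:GetBucketAcl"],
            "Resource": "*",
        }],
    }


def trust_policy_problems(policy: dict, expected_account: str,
                          expected_external_id: str) -> list:
    """Return findings for every Allow sts:AssumeRole statement; an empty
    list means the trust policy is scoped to the partner account and
    requires the external ID."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*"):
            problems.append("wildcard principal: any AWS account could assume the role")
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if isinstance(aws, str):
                aws = [aws]
            if not aws or not all(f":{expected_account}:" in p for p in aws):
                problems.append("principal is not the expected partner account")
        else:
            problems.append("no principal specified")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the ID in the connector form")
    return problems


if __name__ == "__main__":
    tp = trust_policy(COMPLIANCESCOUT_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(tp, indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("findings:", trust_policy_problems(tp, COMPLIANCESCOUT_ACCOUNT_ID, EXTERNAL_ID))
```

Paste the printed trust policy into the role's trust relationship and the permissions policy into an inline or customer-managed policy; run `trust_policy_problems` against any trust policy you are about to save, since a role that trusts `*` or omits the external ID is assumable by more than your ComplianceScout tenant.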
Start a free trial — your tenant is provisioned instantly and you can wire up this integration from the connectors page.