# Step 1: AWS Infrastructure Setup

## Part A: Link Your Account in Scanner

First, register your AWS account with Scanner to get the credentials you'll need:

1. In Scanner, navigate to **Collect**
2. Click the button to Link a New AWS Account (for subsequent accounts go to **AWS Accounts** and click the '+' in the top right corner)
3. Enter your **AWS Account ID** and **Account Name**
   * Account Name can be anything that helps you identify it (e.g., "Production AWS" or "Security Logs Account")
4. Scanner will display:
   * **Scanner's AWS Account ID**
   * **STS External ID**
5. **Keep these values handy**; you'll need them to create resources in AWS

## Part B: Create Required AWS Resources

Now choose your setup method to create the infrastructure Scanner needs in your AWS account.

**What Gets Created**

**IAM Role**

* Must be an IAM **Role**, not an IAM User (Scanner cannot assume IAM Users)
* Provides least-privilege access:
  1. Read access to the S3 buckets containing your log files (for indexing and detection)
  2. Read/write access to the S3 buckets where Scanner writes raw logs collected from SaaS/cloud sources
  3. Read/write access to the Scanner index bucket

**S3 Bucket for Index Files**

* Dedicated bucket for Scanner's proprietary index files
* Should be in the same AWS region as Scanner's compute instance to minimize data transfer costs
* Configured with encryption and lifecycle rules

**EventBridge rule & event bus**

* Enable EventBridge notifications on your S3 log files buckets so object-created events are sent to Amazon EventBridge.
* An EventBridge rule in your account forwards those events to Scanner's event bus (in Scanner's account), which triggers indexing.
* If your S3 log files are in multiple regions, you will need the EventBridge rule (and its IAM role) created in each region.
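The IAM role described above, as an added illustration that is not Scanner's own template code: it builds the role's trust policy (Scanner's account may assume it only when presenting the STS External ID) and a least-privilege permissions policy (read-only on log buckets, read/write on the index bucket and any bucket Scanner writes raw SaaS logs into), plus a check that the trust policy really requires the External ID. The account ID, external ID and bucket names are constructed placeholders, and the exact S3 action list is an assumption; use the values and templates Scanner gives you.

```python
import json

# Constructed placeholders, not real Scanner values: substitute the
# Scanner AWS Account ID and STS External ID displayed in Part A.
SCANNER_ACCOUNT_ID = "111111111111"
STS_EXTERNAL_ID = "example-external-id-from-scanner-ui"


def trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy for the integration role: only Scanner's account may
    assume it, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(read_buckets: list[str], write_buckets: list[str]) -> dict:
    """Least-privilege S3 permissions. read_buckets: your log buckets.
    write_buckets: the index bucket and any raw-log destination buckets.
    The action list is an assumption, not Scanner's published template."""
    def arns(bucket: str) -> list[str]:
        return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    read_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
    write_actions = read_actions + ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadLogBuckets", "Effect": "Allow", "Action": read_actions,
             "Resource": [a for b in read_buckets for a in arns(b)]},
            {"Sid": "ReadWriteScannerBuckets", "Effect": "Allow", "Action": write_actions,
             "Resource": [a for b in write_buckets for a in arns(b)]},
        ],
    }


def trust_policy_requires_external_id(policy: dict, scanner_account_id: str) -> bool:
    """True only if every AssumeRole grant to Scanner's account carries an
    sts:ExternalId condition (the confused-deputy safeguard)."""
    for st in policy["Statement"]:
        if scanner_account_id in str(st.get("Principal", {}).get("AWS", "")):
            cond = st.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(trust_policy(SCANNER_ACCOUNT_ID, STS_EXTERNAL_ID), indent=2))
```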

### **How to Create Resources**

**Option A: Infrastructure as Code (Recommended)**

Use our pre-built templates with the Scanner AWS Account ID and STS External ID from Part A:

* [CloudFormation](https://docs.scanner.dev/scanner/getting-started/step-1-aws-infrastructure-setup/aws-cloudformation)
* [Terraform](https://docs.scanner.dev/scanner/getting-started/step-1-aws-infrastructure-setup/terraform)

Deploy the template in your AWS account. Once complete, your account is linked and ready.

**Option B:** [**Guided Manual Setup**](https://docs.scanner.dev/scanner/getting-started/step-1-aws-infrastructure-setup/manual-setup-aws-cloudshell)

Once complete, your account is linked and ready.

**Important: note the names of the resources that were created; you'll need them in Part C:**

* IAM Role ARN (format: `arn:aws:iam::123456789012:role/scnr-IntegrationRole`)
* Scanner Index Files Bucket Name (e.g., `scanner-index-files-prod`)

## Part C: Finalizing AWS Account Linking in the Scanner UI

Return to Scanner to finalize the connection by providing the resource identifiers you just created.

1. In Scanner, go back to **Collect > AWS Accounts > [Your Account]**
2. Enter the following information:

**Scanner Role ARN**

* The ARN of the IAM Role you created
* Format: `arn:aws:iam::YOUR_ACCOUNT_ID:role/ROLE_NAME`
* This is an output from your CloudFormation/Terraform deployment, or visible in AWS IAM console

**Scanner Index Files Bucket Name**

* The name of the dedicated S3 bucket for Scanner's index files
* This is the bucket created specifically for Scanner (not your existing log buckets)
* Example: `scanner-index-files-prod`

**Log Files Bucket Names**

* List the existing S3 bucket(s) containing your raw logs that you want Scanner to index
* Examples: `prod-cloudtrail-logs`, `app-logs-prod`
* You can add multiple buckets
* The Scanner IAM Role must have read permissions to these buckets

3. Click **Save** or **Complete Setup**

Your AWS account is now linked! Scanner can access your log buckets and will store index files in the dedicated bucket you created.

## Troubleshooting

For help resolving AWS configuration and permission errors, see [Troubleshooting AWS Errors](https://docs.scanner.dev/scanner/getting-started/step-1-aws-infrastructure-setup/troubleshooting-aws-errors).
