The AWS integration provides visibility into cloud infrastructure activity and enables response to cloud-based threats.

Capabilities

Query Tools

Tool                     What It Does
CloudTrail search        Search API activity by username, access key, IP, event type
IAM role analysis        Scan all roles for over-privileged access
Single role analysis     Deep security analysis of a specific role
Auth model discovery     Identify how users authenticate (Identity Center, SAML, IAM, etc.)
Identity mapping         Map user email to AWS role sessions
CrowdStrike correlation  Find AWS sessions related to endpoint alerts

Action Tools

Action                   Description
Terminate EC2 instances  Stop and remove compromised instances
Disable IAM user         Deactivate all access keys for a user
Delete IAM user          Remove user, keys, policies, group memberships, MFA
Delete access key        Remove a specific compromised access key
Detach admin policies    Remove AdministratorAccess, PowerUserAccess, IAMFullAccess
Block IP in WAF          Add IP to WAF IP set to block traffic

All actions require explicit approval before execution.

Setup

Connection Method

Hiro connects via IAM AssumeRole with temporary credentials. You create an IAM role in your AWS account that Hiro can assume.
Step 1: Create an IAM role

Create a new IAM role in your AWS account:
  1. Go to IAM > Roles > Create role
  2. Select Custom trust policy
  3. Use this trust policy (replace YOUR_EXTERNAL_ID with a unique identifier):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::605862532274:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
The External ID can be any unique string (e.g., your organization ID, a UUID, or a random string). It prevents confused-deputy attacks: even though Hiro's account is the trusted principal, the role can only be assumed by a caller that also presents your External ID.
Step 2: Attach permissions

Attach the AWS managed policy for your desired access level.

For investigations (recommended):
  • arn:aws:iam::aws:policy/ReadOnlyAccess - Full read access across all AWS services

Alternative options:
  • arn:aws:iam::aws:policy/SecurityAudit - Security-focused read access
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess - Limited read access (not recommended - missing IAM visibility)

For remediation actions (optional), create a custom policy with:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMRemediation",
      "Effect": "Allow",
      "Action": [
        "iam:UpdateAccessKey",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DetachUserPolicy",
        "iam:RemoveUserFromGroup",
        "iam:DeleteLoginProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2Remediation",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WAFRemediation",
      "Effect": "Allow",
      "Action": [
        "wafv2:UpdateIPSet"
      ],
      "Resource": "*"
    }
  ]
}
Step 3: Connect in Hiro

In Hiro, go to Settings > Integrations > AWS:
  1. Enter the Role ARN (e.g., arn:aws:iam::123456789012:role/HiroSecurityRole)
  2. Enter the External ID (must match what you configured in the trust policy)
  3. Click Connect

Investigation Examples

Search CloudTrail

Show me all API calls by john@company.com in the last 24 hours
Hiro searches CloudTrail and returns:
  • API actions performed
  • Source IP addresses
  • Success/failure status
  • Request parameters

Investigate an access key

What has access key AKIA... done in the last week?
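The kind of evidence these two queries produce (actions, source IPs, success/failure, AssumeRole targets, call volume in a short window), computed from constructed CloudTrail records. This is an added example, not Hiro's code; the record field names follow the CloudTrail record schema and the sample data is made up.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real data), trimmed to the fields the
# summary reads: eventTime, eventName, sourceIPAddress, errorCode (only on failure),
# userIdentity.accessKeyId and requestParameters.roleArn.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2024-05-01T10:01:30Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventTime": "2024-05-01T10:02:10Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAOTHERKEY0000002"}},
]

def summarize_access_key(records, access_key, window=timedelta(minutes=5)):
    """Evidence for one access key: actions, source IPs, success/failure counts,
    AssumeRole targets, and the peak number of calls inside any sliding `window`."""
    mine = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == access_key]
    times = sorted(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for r in mine)
    peak, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:  # j only moves forward
            j += 1
        peak = max(peak, j - i)
    return {
        "actions": Counter(r["eventName"] for r in mine),
        "source_ips": sorted({r["sourceIPAddress"] for r in mine}),
        "succeeded": sum("errorCode" not in r for r in mine),
        "failed": sum("errorCode" in r for r in mine),
        "assume_role_targets": [r.get("requestParameters", {}).get("roleArn")
                                for r in mine if r["eventName"] == "AssumeRole"],
        "peak_calls_in_window": peak,
    }

if __name__ == "__main__":
    print(json.dumps(summarize_access_key(SAMPLE_RECORDS, "AKIAEXAMPLEKEY00001"), indent=2))
```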

Analyze IAM permissions

What permissions does the AdminRole have? Is it over-privileged?
Hiro analyzes the role and reports:
  • Attached policies
  • Effective permissions
  • Security issues and risk score
  • Recommendations

Discover auth patterns

How do users authenticate to AWS in this account?
Hiro analyzes CloudTrail to identify:
  • Identity Center
  • SAML federation
  • OIDC federation
  • IAM users
  • Access keys
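One way to derive these five auth patterns from CloudTrail, as an added example (not Hiro's own logic): each record is classified from its eventName and userIdentity fields, and the counts across the trail give the account's auth model. The mapping rules in the comment are this example's assumptions, and the records are constructed.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real data), trimmed to the fields the
# classifier reads. The mapping below is an assumption of this example, not Hiro's
# documented logic:
#   AssumeRoleWithSAML / userIdentity.type SAMLUser          -> SAML federation
#   AssumeRoleWithWebIdentity / type WebIdentityUser         -> OIDC federation
#   session issued by a role named AWSReservedSSO_*          -> Identity Center
#   ConsoleLogin by an IAMUser                               -> IAM user (password)
#   IAMUser calling with a long-term key (AKIA... prefix)    -> Access key
SAMPLE_RECORDS = [
    {"eventName": "AssumeRoleWithSAML", "userIdentity": {"type": "SAMLUser"}},
    {"eventName": "AssumeRoleWithWebIdentity", "userIdentity": {"type": "WebIdentityUser"}},
    {"eventName": "ListBuckets", "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
        "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_ReadOnly_0123456789abcdef"}}}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "ci-bot",
                                                        "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
        "arn": "arn:aws:iam::123456789012:role/DeployRole"}}}},
]

def classify_auth(record):
    """Return the authentication method one CloudTrail record implies, or None."""
    ident = record.get("userIdentity", {})
    kind, event = ident.get("type"), record.get("eventName")
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    if event == "AssumeRoleWithSAML" or kind == "SAMLUser":
        return "SAML federation"
    if event == "AssumeRoleWithWebIdentity" or kind == "WebIdentityUser":
        return "OIDC federation"
    if "AWSReservedSSO_" in issuer:
        return "Identity Center"
    if kind == "IAMUser" and event == "ConsoleLogin":
        return "IAM user"
    if kind == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
        return "Access key"
    return None  # e.g. a plain role session with no federation marker

def auth_model(records):
    """Count records per authentication method; the keys are the account's auth patterns."""
    return Counter(m for m in map(classify_auth, records) if m)
```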

Remediation Actions

Example action proposal:
PROPOSED ACTION: Delete AWS Access Key
──────────────────────────────────────
Access Key: AKIA...XYZ
Owner: john@company.com
Reason: Key used from suspicious IP after Okta compromise
Evidence:
  • Key used from 185.220.101.1 (Tor exit node)
  • 47 API calls in 5 minutes (unusual volume)
  • Attempted AssumeRole to AdminRole
Confidence: High (94%)

[Approve]  [Reject]

Multi-Account Support

To monitor multiple AWS accounts:
  1. Create the IAM role in each account
  2. Add each Role ARN in Hiro’s AWS integration settings
  3. Hiro will aggregate activity across all accounts during investigations

What’s Not Supported

  • S3-specific tools
  • RDS, Lambda, DynamoDB tools
  • CloudFormation management

Troubleshooting

"Access Denied" on AssumeRole

If you see errors like User is not authorized to perform: sts:AssumeRole:
  1. Verify the trust policy - Ensure Hiro’s account (605862532274) is in the Principal
  2. Check the External ID - The External ID in Hiro must exactly match your trust policy condition
  3. Confirm the Role ARN - Double-check for typos in the role name or account ID
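A check that covers the trust-policy side of the setup in Step 1 and the first two troubleshooting points above: it parses a role's trust policy document and reports a principal other than Hiro's account, a missing sts:ExternalId condition (the confused-deputy case), or an External ID that does not match what was entered in Hiro. This is an added example, not Hiro's or AWS's code; the policy documents are constructed, and in practice the document would come from the role's AssumeRolePolicyDocument.

```python
import json

HIRO_ACCOUNT = "605862532274"  # Hiro's account id, as given in the Setup section

# Constructed trust policies (not from a real account). The first matches the
# documented setup; the second omits the ExternalId condition.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{HIRO_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "my-external-id"}}}]})
NO_EXTERNAL_ID_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"AWS": HIRO_ACCOUNT},  # bare account id form
                  "Action": ["sts:AssumeRole"]}})

def check_trust_policy(policy_json, expected_external_id, partner_account=HIRO_ACCOUNT):
    """Return findings for a role trust policy; an empty list means it matches the
    documented setup: only the partner account may call sts:AssumeRole, and every
    such statement pins sts:ExternalId to the value configured in Hiro."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):       # IAM accepts a single bare statement
        statements = [statements]
    allowed = 0
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        allowed += 1
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p not in (f"arn:aws:iam::{partner_account}:root", partner_account):
                findings.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value configured in Hiro")
    if not allowed:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```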

"Access Denied" on specific actions

If AssumeRole succeeds but queries fail (e.g., iam:GetRole denied):
  • Your role is missing permissions. Attach ReadOnlyAccess for full read access
  • ViewOnlyAccess is not sufficient - it lacks IAM visibility

Missing events

CloudTrail events can take up to 15 minutes to appear. Recent activity may not show immediately.

Multi-account issues

When monitoring multiple accounts, ensure the IAM role exists in each account with the same trust policy pointing to Hiro’s account.

Next Steps

Okta

Connect identity management.

CrowdStrike

Connect endpoint protection.