AWS Workloads

AWS Workloads integration allows your product to fetch metadata about compute workloads running in AWS—such as ECS (Elastic Container Service) tasks, EKS (Elastic Kubernetes Service) clusters, Fargate containers, and their associated IP addresses or instance details. This helps in identifying running workloads, analyzing containerized environments, and maintaining workload visibility for security or compliance monitoring.

Credentials Needed

  • Access Key ID
  • Secret Access Key

These credentials belong to an IAM User or IAM Role with read-only permissions.

If your integration runs inside AWS (EC2, ECS, or Lambda), use an IAM Role with the required permissions instead of static keys.

IAM Permissions

To discover and read information about AWS workloads (ECS, EKS, Fargate), the following permissions are required:

Service                                | Actions
---------------------------------------|--------------------------------------------------------------
ECS (Elastic Container Service)        | ecs:ListClusters, ecs:DescribeClusters, ecs:ListTasks, ecs:DescribeTasks, ecs:ListServices, ecs:DescribeServices, ecs:ListContainerInstances, ecs:DescribeContainerInstances
EKS (Elastic Kubernetes Service)       | eks:ListClusters, eks:DescribeCluster, eks:ListNodegroups, eks:DescribeNodegroup
EC2 (Networking Info for Tasks/Nodes)  | ec2:DescribeNetworkInterfaces
Optional (Tags)                        | tag:GetResources

IAM Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECSReadOnly",
      "Effect": "Allow",
      "Action": [
        "ecs:ListClusters",
        "ecs:DescribeClusters",
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "ecs:ListServices",
        "ecs:DescribeServices",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EKSReadOnly",
      "Effect": "Allow",
      "Action": [
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NetworkingReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OptionalTagAccess",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Creating Users

  1. Go to AWS Console → IAM → Policies → Create Policy → JSON
  2. Paste the above JSON and name it, e.g., AWSWorkloadsReadOnlyPolicy.
  3. Go to IAM → Users → Add User
  4. Name the user (e.g., AWSWorkloadIntegrationUser)
  5. Select Programmatic Access
  6. Attach the AWSWorkloadsReadOnlyPolicy
  7. Complete user creation and save the Access Key ID and Secret Access Key.

Alternatively, if the integration runs within AWS, create an IAM Role with the same policy and assign it to the EC2 instance, ECS task, or Lambda function that runs the integration, so no static keys are needed.

Test Connectivity

Run the following AWS CLI commands to verify the permissions and connectivity:

# List ECS Clusters
aws ecs list-clusters --region us-east-1

# List ECS Tasks for a Cluster
aws ecs list-tasks --cluster <cluster_name> --region us-east-1

# List EKS Clusters
aws eks list-clusters --region us-east-1

# Describe an EKS Cluster
aws eks describe-cluster --name <cluster_name> --region us-east-1

# Check Network Interfaces (for container/task IPs)
aws ec2 describe-network-interfaces --region us-east-1

If these commands return data successfully without access errors, the integration setup is correct.
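The CLI checks above confirm that each call is permitted; the step the integration then has to perform is joining the results, because a task's IP addresses are not in the ECS task record itself but on the elastic network interface attached to it. The script below is an added example (not code from this page or from the product it describes) of that join using only the read-only calls in the policy above: page through ecs:ListTasks via nextToken, batch ecs:DescribeTasks in groups of at most 100 ARNs, pull the ENI ids from each awsvpc-mode task's attachments, and resolve them with ec2:DescribeNetworkInterfaces. The client objects are duck-typed, so for a real run you pass boto3.client("ecs") and boto3.client("ec2"); the StubECS/StubEC2 classes and all ARNs, ENI ids and addresses are constructed sample data so the script runs offline.

```python
"""Enumerate ECS tasks in a cluster and resolve each task's IP addresses.

Only the read-only calls from this page are used: ecs:ListTasks,
ecs:DescribeTasks and ec2:DescribeNetworkInterfaces. The client objects are
duck-typed so the same logic runs against boto3.client("ecs") /
boto3.client("ec2") or against the constructed offline stubs below.
"""

DESCRIBE_BATCH = 100  # ecs:DescribeTasks accepts at most 100 task ARNs per call


def list_all_tasks(ecs, cluster):
    """Follow nextToken until ecs:ListTasks stops returning one."""
    arns, token = [], None
    while True:
        kwargs = {"cluster": cluster}
        if token:
            kwargs["nextToken"] = token
        page = ecs.list_tasks(**kwargs)
        arns.extend(page.get("taskArns", []))
        token = page.get("nextToken")
        if not token:
            return arns


def task_eni_ids(task):
    """ENI ids from a task's awsvpc attachments; empty for bridge/host mode."""
    ids = []
    for att in task.get("attachments", []):
        if att.get("type") != "ElasticNetworkInterface":
            continue
        for detail in att.get("details", []):
            if detail.get("name") == "networkInterfaceId":
                ids.append(detail["value"])
    return ids


def discover_task_ips(ecs, ec2, cluster):
    """Map every task ARN in `cluster` to its private and public IPs."""
    arns = list_all_tasks(ecs, cluster)
    tasks = []
    for i in range(0, len(arns), DESCRIBE_BATCH):
        batch = arns[i:i + DESCRIBE_BATCH]
        tasks.extend(ecs.describe_tasks(cluster=cluster, tasks=batch).get("tasks", []))
    eni_to_task = {eni: t["taskArn"] for t in tasks for eni in task_eni_ids(t)}
    result = {t["taskArn"]: {"private": [], "public": []} for t in tasks}
    if eni_to_task:
        resp = ec2.describe_network_interfaces(NetworkInterfaceIds=sorted(eni_to_task))
        for ni in resp.get("NetworkInterfaces", []):
            arn = eni_to_task.get(ni["NetworkInterfaceId"])
            if arn is None:
                continue
            result[arn]["private"].append(ni["PrivateIpAddress"])
            public = ni.get("Association", {}).get("PublicIp")
            if public:
                result[arn]["public"].append(public)
    return result


# ---- constructed sample data (not real AWS resources) ----
TASK_A = "arn:aws:ecs:us-east-1:123456789012:task/demo/aaaa1111"
TASK_B = "arn:aws:ecs:us-east-1:123456789012:task/demo/bbbb2222"
TASK_C = "arn:aws:ecs:us-east-1:123456789012:task/demo/cccc3333"


def _awsvpc_task(arn, eni):
    """Shape of an awsvpc-mode task as returned by ecs:DescribeTasks."""
    return {"taskArn": arn, "attachments": [{"type": "ElasticNetworkInterface",
            "details": [{"name": "networkInterfaceId", "value": eni}]}]}


TASKS = [_awsvpc_task(TASK_A, "eni-0a"), _awsvpc_task(TASK_B, "eni-0b"),
         {"taskArn": TASK_C, "attachments": []}]  # TASK_C: bridge mode, no ENI
ENIS = [{"NetworkInterfaceId": "eni-0a", "PrivateIpAddress": "10.0.1.10"},
        {"NetworkInterfaceId": "eni-0b", "PrivateIpAddress": "10.0.1.11",
         "Association": {"PublicIp": "203.0.113.7"}}]


class StubECS:
    """Offline stand-in for boto3.client("ecs"): serves two ListTasks pages."""
    def list_tasks(self, cluster, nextToken=None):
        if nextToken is None:
            return {"taskArns": [TASK_A, TASK_B], "nextToken": "page-2"}
        return {"taskArns": [TASK_C]}

    def describe_tasks(self, cluster, tasks):
        return {"tasks": [t for t in TASKS if t["taskArn"] in tasks]}


class StubEC2:
    """Offline stand-in for boto3.client("ec2")."""
    def describe_network_interfaces(self, NetworkInterfaceIds):
        return {"NetworkInterfaces": [n for n in ENIS
                                      if n["NetworkInterfaceId"] in NetworkInterfaceIds]}


if __name__ == "__main__":
    for arn, ips in discover_task_ips(StubECS(), StubEC2(), "demo").items():
        print(arn.rsplit("/", 1)[-1], ips)
```

Tasks in bridge or host networking mode carry no ENI attachment, so they come back with empty IP lists rather than being dropped; for those, the address lives on the container instance, which the ecs:DescribeContainerInstances permission above lets you look up separately.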

Save the Results in the Platform and Create Connection

Securely store the credentials in your platform:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_REGION

Configure a connection for AWS Workloads Integration.

Test the connection by listing ECS/EKS clusters and validating workload discovery.

Best Practices

  • Always follow the principle of least privilege—use read-only access.
  • Rotate access keys periodically or use IAM Roles for AWS-native integrations.
  • Limit policy scope to only the regions and accounts needed.
  • Use AWS Secrets Manager or encrypted credential storage in your product.
  • Schedule regular credential validation to ensure continuous access.
  • If pulling data across multiple regions, remember that the ECS, EKS, and EC2 APIs are regional: create one client per region and query each region in turn.
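The first and third practices (least privilege, limiting scope to the regions needed) can be checked mechanically before the policy from the IAM Policy JSON section is attached. The script below is an added example, not code from this page or from the product it describes: it embeds that policy, audits every statement for anything beyond explicitly named List/Describe/Get actions (flagging wildcards such as ecs:* or mutating calls), and produces a copy scoped to a region list with the AWS global condition key aws:RequestedRegion. The region list ["us-east-1"] is only an example value matching the CLI commands on this page.

```python
import copy

# The read-only policy from this page, embedded so the audit runs stand-alone.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ECSReadOnly", "Effect": "Allow", "Resource": "*", "Action": [
            "ecs:ListClusters", "ecs:DescribeClusters", "ecs:ListTasks",
            "ecs:DescribeTasks", "ecs:ListServices", "ecs:DescribeServices",
            "ecs:ListContainerInstances", "ecs:DescribeContainerInstances"]},
        {"Sid": "EKSReadOnly", "Effect": "Allow", "Resource": "*", "Action": [
            "eks:ListClusters", "eks:DescribeCluster",
            "eks:ListNodegroups", "eks:DescribeNodegroup"]},
        {"Sid": "NetworkingReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeNetworkInterfaces"]},
        {"Sid": "OptionalTagAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["tag:GetResources"]},
    ],
}

# Verb prefixes that only read state; anything else is treated as a finding.
READ_ONLY_VERBS = ("List", "Describe", "Get")


def audit_policy(policy):
    """Return findings that would make the policy more than read-only.

    An empty list means every statement is Effect=Allow, names its actions
    explicitly (no '*' or 'service:*') and only uses List/Describe/Get calls.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: unexpected Effect {stmt.get('Effect')!r}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a single string or a list
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
                continue
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action!r} is not a List/Describe/Get call")
    return findings


def scope_to_regions(policy, regions):
    """Copy of `policy` whose statements only apply in the given regions.

    Adds a StringEquals condition on the global key aws:RequestedRegion to
    every statement; the original dict is left unchanged.
    """
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        cond = stmt.setdefault("Condition", {})
        cond.setdefault("StringEquals", {})["aws:RequestedRegion"] = sorted(set(regions))
    return scoped


if __name__ == "__main__":
    import json
    print("findings:", audit_policy(POLICY) or "none")
    print(json.dumps(scope_to_regions(POLICY, ["us-east-1"]), indent=2))
```

Run the audit again whenever the policy is edited; a non-empty findings list is the signal that the integration's credentials have drifted beyond the read-only scope this page prescribes. Restricting accounts, the other half of that practice, is done at the trust policy of the role (or by keeping the user in the single account it needs) rather than in this permissions policy.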