Overview
ZapStack connects to your AWS accounts using cross-account IAM roles. This is the AWS-recommended approach for granting third-party access and provides:- No credential sharing
- Granular permission control
- Easy revocation
- Full audit trail via CloudTrail
Quick Setup
The fastest way to connect is using our CloudFormation template:1
Open ZapStack Dashboard
Navigate to Settings > AWS Accounts in your ZapStack dashboard.
2
Click Add Account
Click the Add Account button to start the connection wizard.
3
Launch CloudFormation
Click Launch Stack to open AWS CloudFormation in a new tab with our template pre-loaded.
4
Create Stack
Review the template parameters and click Create Stack.
5
Wait for Completion
The stack creates in under a minute. Once complete, return to ZapStack.
Manual Setup
If you prefer to create the IAM role manually or need to customize permissions:1. Create the IAM Role
Create a new IAM role with the following trust policy:Replace
123456789012 with ZapStack’s AWS account ID and YOUR_EXTERNAL_ID with the external ID shown in your dashboard.2. Attach Permissions
Attach the required IAM policies. See IAM Role for the complete policy document.3. Register in ZapStack
Enter the role ARN in your ZapStack dashboard to complete the connection.Multiple Accounts
To connect multiple AWS accounts:- Repeat the setup process for each account
- Use AWS Organizations StackSets for bulk deployment
- Each account gets its own IAM role
Troubleshooting
Connection Failed
If the connection test fails:- Verify the role ARN is correct
- Check the trust policy includes ZapStack’s account ID
- Confirm the external ID matches
- Ensure the role has the required permissions
Access Denied Errors
If scans show access denied errors:- Review the IAM policy attached to the role
- Check for Service Control Policies (SCPs) that may restrict access
- Verify the role has permissions for all regions you want to scan