Integrate with AWS


Bridgecrew integrates with AWS natively, using CloudFormation as a standardized mechanism to deploy all required configurations.

Getting Started

  • AWS Read Access: allows Bridgecrew to perform read-only API calls. These calls enable basic configuration scanning and evaluation.
  • AWS Remediation Stack: this optional add-on allows you to remediate policy violations by modifying the configuration of your cloud environment.

The diagram below illustrates the Bridgecrew - AWS Remediation Stack flow. Note that Bridgecrew never has direct write access into your account.


Resources that will be created

You can use the CloudFormation change set or terraform plan output to view a list of the resources that will be created prior to actually creating them.

The AWS read only integration creates the following resources:

  • IAM role with AWS managed SecurityAudit policy
  • An SNS notification message to notify Bridgecrew of the integration

The remediation integration creates the following resources:

  • SQS queue
  • Lambda function
  • IAM lambda service role
  • SSM parameter for Bridgecrew token

How to Integrate

Part 1 - In Bridgecrew

  1. From Integrations Catalog, under Cloud Providers, select AWS.
  1. Select Integration type (AWS Remediation Stack or AWS Read Access).
  1. Configure your account by clicking Launch Stack. You'll be redirected to the AWS sign in page in a new tab.

Part 2 - In AWS

To permit creation of IAM resources, sign in to your user, then click Next .




The CloudFormation template for AWS Remediation Stack can be reviewed here.

To Create Stack Page for AWS Read Only


To Create Stack Page for Remediation Stack




  1. If you do not set up AWS Remediation Stack, you will be prompted to do so the first time you attempt to Remediate a violation via Playbook; see Step 4: Investigate Incidents.

  2. From time to time, you may be prompted to redeploy the CloudFormation stack to provide additional roles required for performing to perform remediation.