AWS
The AWS integration connects Escape ASM to your AWS account through a cross-account IAM role. Escape assumes your role via STS AssumeRole using a shared External ID. No long-lived access keys are stored.
Authentication differs from the AWS Account integration, but the ASM data pull is identical: CloudFront, API Gateway, Route 53, Load Balancers, and Lambda.
Discovered Resources¶
The AWS integration automatically discovers and inventories the following services from your AWS account:
- CloudFront Distributions: CDN configurations and domain names serving your applications
- API Gateway Domain Names: Custom domain names configured for API Gateway endpoints
- API Gateway V2 APIs: HTTP and WebSocket APIs (API Gateway V2)
- Route 53 DNS Records: DNS zones and records managed by Route 53
- Load Balancers: Application Load Balancers (ALB), Network Load Balancers (NLB), and Classic Load Balancers exposing services
- Lambda Functions: Serverless functions with exposed endpoints via Function URLs or API Gateway integrations
These discovered resources are automatically classified as Assets (APIs, DNS records, WebApps) in Escape's ASM, enabling continuous security monitoring and testing.
Create a Cross-Account IAM Role¶
- Create an IAM role in your AWS account for Escape to assume
- Attach the ReadOnlyAccess policy to the role. ReadOnlyAccess is an AWS-managed policy that grants read access across every service, which is broader than the five services listed above; if your organization requires narrower scoping, confirm the exact read actions Escape needs before substituting a custom policy.
- Set the role trust policy using the template below
- Copy the role ARN (arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME)
Trust Policy Template¶
Replace YOUR_EXTERNAL_ID with the External ID from the Escape integration form (format: escape-{uuid}). Replace <ESCAPE_ACCOUNT_ID> with the AWS account ID for your Escape environment (see note below). The sts:ExternalId condition is the confused-deputy guard: a third party who learns your role ARN cannot get Escape to assume it on their behalf unless they also present your External ID, so treat the value as a secret shared only between you and Escape.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ESCAPE_ACCOUNT_ID>:role/escape-integration"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_EXTERNAL_ID"
}
}
}
]
}
On production Escape (app.escape.tech), use account ID 178659809426. For other Escape environments, confirm the account ID with your Escape contact before finalizing the trust policy.
Connect in Escape¶
- Open the AWS integration page
- Copy the External ID shown in the form and share it with your AWS administrator for the trust policy
- Enter the External integration role ARN from your AWS account
- Save the integration and wait for validation to complete
Validation checks that Escape can assume your role through the full cross-account chain. If validation fails, check that the External ID in the trust policy matches the value in the form exactly and that the Principal points at the correct Escape account ID for your environment.
Programmatic Setup¶
Public API¶
Create an integration with POST /v3/integrations/aws:
curl -X POST https://public.escape.tech/v3/integrations/aws \
-H "X-ESCAPE-API-KEY: $API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production AWS",
"parameters": {
"external_integration_role_arn": "arn:aws:iam::123456789012:role/EscapeIntegration",
"external_id": "escape-00000000-0000-4000-8000-000000000000"
}
}'
| Field | Description |
|---|---|
| external_integration_role_arn | ARN of the IAM role Escape assumes in your account |
| external_id | External ID required in your role trust policy (escape-{uuid}) |
See the OpenAPI specification (createawsIntegration, listawsIntegrations, etc.) for the full request and response schemas.
CLI¶
escape-cli integrations create --kind aws <<'EOF'
{
"name": "Production AWS",
"parameters": {
"external_integration_role_arn": "arn:aws:iam::123456789012:role/EscapeIntegration",
"external_id": "escape-00000000-0000-4000-8000-000000000000"
}
}
EOF
Generate a fresh External ID before running create (for example escape-$(uuidgen | tr '[:upper:]' '[:lower:]')) and use the same value in your AWS trust policy. The trust policy must be in place before Escape validates the integration, since validation attempts the AssumeRole call.
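Both procedures above, the manual role creation under Create a Cross-Account IAM Role and the API/CLI registration under Programmatic Setup, as one end-to-end script. This is an added example, not Escape's own tooling; it assumes the role name EscapeIntegration, the production Escape account ID from the trust-policy note, and aws, curl and uuidgen on PATH (all hypothetical choices, not from the page). Pass the External ID shown in the Escape form to follow the UI path, or --generate to mint one for the API path; the API call only runs when API_KEY is set.

```shell
#!/usr/bin/env bash
# Added example, not Escape's own tooling. Creates the cross-account role from the
# page's trust-policy template with the AWS CLI and optionally registers it through
# the Escape public API. Assumed (hypothetical) values: role name EscapeIntegration,
# the production Escape account ID, and aws, curl and uuidgen on PATH.
set -eu

ESCAPE_ACCOUNT_ID="${ESCAPE_ACCOUNT_ID:-178659809426}"   # production app.escape.tech
ROLE_NAME="${ROLE_NAME:-EscapeIntegration}"

# External IDs have the form escape-<lowercase uuid>; reject anything else so a
# mistyped form value never gets baked into the trust policy.
valid_external_id() {
  printf '%s\n' "$1" | grep -Eq '^escape-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Fresh External ID for the API/CLI path (the UI path shows you one in the form).
new_external_id() {
  printf 'escape-%s\n' "$(uuidgen | tr '[:upper:]' '[:lower:]')"
}

# Trust policy from the page's template: only Escape's integration role may assume
# this role, and only when it presents the agreed External ID (confused-deputy guard).
trust_policy() {
  local escape_account="$1" external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${escape_account}:role/escape-integration" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Request body for POST /v3/integrations/aws, with the two fields the page documents.
integration_payload() {
  local role_arn="$1" external_id="$2"
  printf '{"name":"Production AWS","parameters":{"external_integration_role_arn":"%s","external_id":"%s"}}\n' \
    "$role_arn" "$external_id"
}

# Create the role, attach ReadOnlyAccess as the page prescribes, and print its ARN.
create_role() {
  local external_id="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$ESCAPE_ACCOUNT_ID" "$external_id")" \
    --description "Read-only role assumed by Escape ASM" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Post-creation check: the stored trust policy must still carry the External ID
# condition. Without it, anything Escape's account lets assume its integration
# role could also assume yours.
check_trust_policy() {
  aws iam get-role --role-name "$ROLE_NAME" \
    --query Role.AssumeRolePolicyDocument --output json | grep -q "\"$1\""
}

main() {
  local external_id="$1" role_arn
  valid_external_id "$external_id" || { echo "bad External ID: $external_id" >&2; exit 1; }
  role_arn="$(create_role "$external_id")"
  check_trust_policy "$external_id"
  echo "role ARN:    $role_arn"
  echo "External ID: $external_id"
  # Register via the API when a key is set; otherwise paste both values into the form.
  if [ -n "${API_KEY:-}" ]; then
    curl -fsS -X POST https://public.escape.tech/v3/integrations/aws \
      -H "X-ESCAPE-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d "$(integration_payload "$role_arn" "$external_id")"
  fi
}

# Usage: ./escape-aws-role.sh EXTERNAL_ID   (value from the Escape form)
#        ./escape-aws-role.sh --generate    (API/CLI path: mint a fresh one)
if [ "$#" -ge 1 ]; then
  if [ "$1" = "--generate" ]; then main "$(new_external_id)"; else main "$1"; fi
fi
```

The format check deliberately rejects uppercase hex and anything that is not escape- followed by a UUID, because the trust policy condition is an exact string match and a stray character there fails validation silently. The post-creation read-back of AssumeRolePolicyDocument is the one local check you can do before Escape validates: you cannot assume the role yourself, since the only trusted principal is Escape's.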