AWS inventory scanning (single account)

Updated: October 30, 2025

The AWS Inventory integration enables FireTail to automatically scan and discover your API and AI resources in AWS. The integration improves visibility and helps manage API and AI security risks by regularly scanning for new or updated resources. Using AWS IAM roles and CloudFormation templates, FireTail gains the necessary permissions to retrieve the API and AI metadata and updates the selected FireTail project with the discovered resources. You can configure scan regions, set update frequency, and filter by tags to focus on specific environments. To set up the integration:

  1. In the side menu, go to Platform, then select Integrations.

  2. Click Create Integration. Filter by selecting the Discovery category.

  3. Select AWS Inventory Scanning.

  4. In the Name of Integration field, enter a name for the integration. The integration is Enabled by default; toggle it off to make the integration inactive.

  5. Choose your deployment method. You can either:

    • Use the Launch CloudFormation template. This template creates the required IAM role in your account.
    • Manually deploy. To do this, click Manual setup of IAM Role and follow the on-screen instructions.

Using the CloudFormation template
  • When using the template, select the Launch IAM role CloudFormation template heading.
  • Log in to AWS and return to the FireTail platform.
  • Click Launch CloudFormation to launch the template. This opens in a new window.
  • Select the checkbox "I acknowledge that AWS CloudFormation might create IAM resources", then click Create stack.
  • When the CloudFormation Stack has a status of CREATE_COMPLETE, copy the FireTailRoleARN from the Outputs tab.

Manual setup
  • Log into the AWS Console.
  • Access the IAM Roles section. Click Create role.
  • Select Custom trust policy as the trusted entity type. Paste the following trust policy, replacing the sts:ExternalId value with your FireTail Org UUID (the platform populates this value in the policy it shows you):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::453671210445:role/firetail-apigateway-assume-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "00000000-0000-0000-0000-0000000000"
        }
      }
    }
  ]
}
  • Click Next.
  • Search for and select SecurityAudit from the permissions policy.
  • Search for and select AmazonSageMakerReadOnly from the permissions policy.
  • Search for and select AmazonBedrockReadOnly from the permissions policy. Click Next.
  • Enter a name for the role and click Create role.
  • Search for the role you created.
  • In the permissions policy section, click Add permissions and select Create inline policy.
  • Copy and paste the following JSON policy in the JSON tab:
  • Click Next, name the policy, and click Create policy.
  • Copy the FireTailRoleARN from the role's summary page.
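The trust policy above is what lets the FireTail role assume the role in your account, and the sts:ExternalId condition is what stops any other FireTail customer from pointing an integration at your role. Before pasting a hand-edited policy into the console, it is worth checking it mechanically. The following script is an added example, not FireTail's own tooling: it builds the trust policy from your Org UUID, checks a pasted policy against the expected principal, action and ExternalId, and checks that the attached managed policies are exactly the three read-only ones from the steps above. The Org UUID and the attached-policy sets in the example are constructed values.

```python
import json
import uuid
from typing import Dict, List, Set

# Values taken from the trust policy shown on the page.
FIRETAIL_PRINCIPAL = "arn:aws:iam::453671210445:role/firetail-apigateway-assume-role"
PLACEHOLDER_EXTERNAL_ID = "00000000-0000-0000-0000-0000000000"

# The managed policies the manual setup attaches to the role.
EXPECTED_MANAGED_POLICIES = {"SecurityAudit", "AmazonSageMakerReadOnly", "AmazonBedrockReadOnly"}

# The page's trust policy with the ExternalId still at its placeholder value.
PLACEHOLDER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": FIRETAIL_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER_EXTERNAL_ID}},
    }],
})


def build_trust_policy(org_uuid: str) -> Dict:
    """Return the trust policy from the page with sts:ExternalId set to org_uuid.

    org_uuid must be a well-formed UUID; uuid.UUID raises ValueError otherwise,
    which catches the common mistake of leaving the placeholder in place.
    """
    uuid.UUID(org_uuid)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": FIRETAIL_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": org_uuid}},
        }],
    }


def check_trust_policy(policy_json: str, expected_external_id: str) -> List[str]:
    """Return findings for a pasted trust policy; an empty list means it matches the page's shape."""
    findings: List[str] = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"trust policy is not valid JSON: {exc}"]

    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if len(statements) != 1:
        findings.append(f"expected exactly one statement, found {len(statements)}")

    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append("statement Effect is not Allow")

        # A bare "*" principal (no dict) would let any AWS account attempt the assume.
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal != FIRETAIL_PRINCIPAL:
            findings.append(f"unexpected principal: {aws_principal!r}")

        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            findings.append(f"Action should be only sts:AssumeRole, found {actions}")

        condition = stmt.get("Condition") or {}
        ext_id = (condition.get("StringEquals") or {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId is still the placeholder; replace it with your FireTail Org UUID")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId does not match your FireTail Org UUID")
    return findings


def check_managed_policies(attached: Set[str]) -> List[str]:
    """Report managed policies missing from, or added beyond, the three the setup requires."""
    findings = [f"missing managed policy: {name}" for name in sorted(EXPECTED_MANAGED_POLICIES - attached)]
    findings += [f"unexpected managed policy: {name}" for name in sorted(attached - EXPECTED_MANAGED_POLICIES)]
    return findings


if __name__ == "__main__":
    org = "12345678-1234-4321-8765-123456789abc"  # constructed Org UUID, not a real one
    print(json.dumps(build_trust_policy(org), indent=2))
    print(check_trust_policy(PLACEHOLDER_POLICY, org))
    print(check_managed_policies({"SecurityAudit", "AdministratorAccess"}))
```

Run it with your real Org UUID in place of the constructed one; any finding from check_managed_policies that names an extra policy (AdministratorAccess in the sample) means the role has more than the read-only access the integration needs.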
  6. Return to the FireTail platform. Paste the copied value in the AWS Role ARN field.
  7. Select a project from the dropdown, or click Create to create a new project. Discovered APIs will be grouped under this project. Learn more about projects here.
  8. Select the AWS Regions you want to scan.
  9. Enter a Scan Frequency. This is how often the scan runs, in hours. The minimum is 24 hours.
  10. Filter on AWS resource (optional). Click Add key. Tags let you limit the scan to AWS resources that carry the specified tags; for example, filter by env:prod to limit scanning to your production environment.
  11. Click Submit to complete the setup.

View discovered resources

The discovered APIs can be viewed by going to API in the side menu, and selecting Inventory. The discovered AI resources can be viewed by going to AI in the side menu, and selecting Inventory.

When the APIs have been populated on the platform you can then set up API logging using the FireTail API Gateway logging integration.