# AWS Accounts Integration

Connect DarcyIQ directly to your AWS accounts for real-time cloud intelligence. **Query your infrastructure, analyze costs, and get Trusted Advisor recommendations** by asking natural language questions about your actual AWS environment.

{% hint style="success" %}
**Your Cloud, Your Data**: Ask "What's our monthly AWS spend by service?" or "Show me all unencrypted S3 buckets" and get instant, accurate answers from your live AWS environment.
{% endhint %}

## Overview

The AWS Accounts Integration transforms DarcyIQ into your intelligent cloud assistant with direct access to your AWS accounts.

| Capability               | Function                           | Business Value                     |
| ------------------------ | ---------------------------------- | ---------------------------------- |
| **Multi-Account Access** | Query across all your AWS accounts | Complete infrastructure visibility |
| **Real-Time Data**       | Live information from AWS APIs     | Always current insights            |
| **Cost Analysis**        | Detailed spend breakdowns          | Optimize cloud costs               |
| **Security Insights**    | Identify compliance issues         | Reduce security risks              |
| **Resource Discovery**   | Find resources across regions      | Complete asset inventory           |

## Key Features

### Infrastructure Intelligence

Query your AWS environment using natural language:

| Query Type             | Example Questions                             | Value                               |
| ---------------------- | --------------------------------------------- | ----------------------------------- |
| **Cost Analysis**      | "What's our highest cost service this month?" | Identify optimization opportunities |
| **Resource Inventory** | "List all EC2 instances in us-east-1"         | Asset management                    |
| **Security Audit**     | "Show me S3 buckets without encryption"       | Compliance verification             |
| **Performance Review** | "Which RDS instances are over 80% CPU?"       | Performance optimization            |
| **Unused Resources**   | "Find unattached EBS volumes"                 | Cost reduction                      |

### Supported AWS Services

Comprehensive coverage of AWS services:

| Service Category | Supported Services             | Common Queries                         |
| ---------------- | ------------------------------ | -------------------------------------- |
| **Compute**      | EC2, Lambda, ECS, EKS          | Instance types, utilization, scaling   |
| **Storage**      | S3, EBS, EFS, Glacier          | Bucket policies, encryption, lifecycle |
| **Database**     | RDS, DynamoDB, ElastiCache     | Performance, backups, capacity         |
| **Networking**   | VPC, ELB, CloudFront, Route53  | Configuration, traffic, DNS            |
| **Security**     | IAM, KMS, Security Groups      | Permissions, keys, access rules        |
| **Monitoring**   | CloudWatch, CloudTrail, Config | Metrics, logs, compliance              |
| **Analytics**    | Athena, EMR, Kinesis           | Data processing, streaming             |
| **Management**   | Organizations, Cost Explorer   | Account structure, billing             |

## Security Architecture

### Cross-Account IAM Roles

Security-first design using AWS best practices:

{% stepper %}
{% step %}
**Create IAM Role**: Set up a cross-account role in your AWS account with read-only permissions.
{% endstep %}

{% step %}
**Configure Trust Policy**: Establish a trust relationship with DarcyIQ's AWS account using an External ID.
{% endstep %}

{% step %}
**Define Permissions**: Grant specific read permissions for services you want to query.
{% endstep %}

{% step %}
**External ID Protection**: Use a mandatory External ID to prevent confused deputy attacks.
{% endstep %}

{% step %}
**Assume Role Access**: DarcyIQ assumes your role only when you make queries.
{% endstep %}
{% endstepper %}

### Security Features

| Security Control     | Implementation                    | Benefit                      |
| -------------------- | --------------------------------- | ---------------------------- |
| **Read-Only Access** | No write permissions granted      | Zero modification risk       |
| **External ID**      | Required unique identifier        | Prevents unauthorized access |
| **Session Limits**   | Temporary credentials with expiry | Minimized exposure           |
| **Audit Logging**    | CloudTrail tracks all API calls   | Complete audit trail         |
| **Encryption**       | TLS for all API communications    | Data protection in transit   |
| **Least Privilege**  | Only necessary permissions        | Minimal access scope         |

## Setup Process

### Prerequisites

Before setting up the integration:

| Requirement         | Description                       | How to Verify         |
| ------------------- | --------------------------------- | --------------------- |
| **AWS Account**     | Active AWS account with resources | Log into AWS Console  |
| **IAM Permissions** | Ability to create IAM roles       | Check IAM dashboard   |
| **External ID**     | Unique identifier from DarcyIQ    | Provided during setup |
| **Trust Account**   | DarcyIQ's AWS account ID          | Provided during setup |

### Step-by-Step Configuration

#### 1. Create IAM Role

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DARCYIQ_ACCOUNT:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
```

#### 2. Attach Permissions Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:List*",
        "s3:GetBucketPolicy",
        "s3:GetBucketEncryption",
        "rds:Describe*",
        "cloudwatch:GetMetric*",
        "ce:GetCostAndUsage",
        "organizations:List*",
        "support:DescribeTrustedAdvisor*"
      ],
      "Resource": "*"
    }
  ]
}
```

#### 3. Configure in DarcyIQ

1. Navigate to **Settings** → **Integrations** → **AWS API**
2. Enter your IAM Role ARN
3. Provide the External ID
4. Select AWS regions to query
5. Test the connection
6. Save configuration
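
Before saving the configuration, the trust policy from step 1 and the permissions policy from step 2 can be checked offline. The following is an added example, not DarcyIQ's own code: it flags a trust policy that lacks the External ID condition or trusts an unexpected account, and a permissions policy that allows anything beyond `Describe*`/`List*`/`Get*`. The account ID `111122223333`, the External ID value and the weak policies are constructed placeholders.

```python
READ_PREFIXES = ("Describe", "List", "Get")

def as_list(v):
    return v if isinstance(v, list) else [v]

def lint_trust_policy(policy, trusted_account):
    """Findings for a role trust policy; an empty list means it passes."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            # Accept either a full ARN or a bare 12-digit account ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != trusted_account:
                findings.append(f"untrusted principal: {arn}")
        # IAM condition keys are case-insensitive, so compare lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append("sts:AssumeRole allowed without sts:ExternalId")
    return findings

def lint_permissions(policy):
    """Flag allowed actions whose name is not Describe*/List*/Get*."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                findings.append(f"not read-only: {action}")
    return findings

# Constructed sample input (placeholder account ID and External ID).
TRUSTED = "111122223333"
GOOD_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
WEAK_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
                             "Action": ["ec2:Describe*", "s3:*", "iam:PassRole"]}]}

if __name__ == "__main__":
    print("good trust:", lint_trust_policy(GOOD_TRUST, TRUSTED) or "OK")
    print("weak trust:", lint_trust_policy(WEAK_TRUST, TRUSTED))
    print("weak perms:", lint_permissions(WEAK_PERMS))
```

The name-based check is a first pass only: an action such as `s3:GetObject` passes it although it reads object contents, so any `Get*` action added to the policy still needs a manual review.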

### Multi-Account Setup

Configure access to multiple AWS accounts:

| Setup Type           | Configuration                      | Use Case                |
| -------------------- | ---------------------------------- | ----------------------- |
| **Single Role**      | One role with cross-account access | AWS Organizations setup |
| **Multiple Roles**   | Separate role per account          | Independent accounts    |
| **Delegated Access** | Organization-wide permissions      | Enterprise deployment   |

## Using AWS Integration

### Natural Language Queries

Ask questions about your AWS environment naturally:

#### Cost Queries

* "What's our total AWS spend this month?"
* "Show me the top 5 most expensive services"
* "Compare this month's costs to last month"
* "What's the daily average for EC2 costs?"
* "Show cost breakdown by tags"

#### Security Queries

* "List all public S3 buckets"
* "Show security groups with 0.0.0.0/0 access"
* "Find IAM users without MFA"
* "Which KMS keys are scheduled for deletion?"
* "Show unencrypted RDS instances"

#### Resource Queries

* "How many EC2 instances are running?"
* "List all Lambda functions in us-west-2"
* "Show EBS volumes over 1TB"
* "Find unused Elastic IPs"
* "What's the total S3 storage usage?"

#### Performance Queries

* "Which RDS instances have high CPU?"
* "Show Lambda functions with errors"
* "List EC2 instances with low utilization"
* "What's the CloudFront cache hit ratio?"
* "Show ELBs with unhealthy targets"

### Query Results

DarcyIQ presents AWS data in multiple formats:

| Format              | Use Case                 | Features                   |
| ------------------- | ------------------------ | -------------------------- |
| **Tables**          | Resource lists           | Sortable, filterable       |
| **Charts**          | Cost trends              | Interactive visualizations |
| **Summaries**       | Quick insights           | Key metrics highlighted    |
| **Recommendations** | Optimization suggestions | Actionable advice          |
| **Exports**         | Further analysis         | CSV, JSON formats          |

## Use Cases

### Cost Optimization

| Scenario               | Query Examples                          | Business Impact             |
| ---------------------- | --------------------------------------- | --------------------------- |
| **Monthly Review**     | "Show cost trends over 6 months"        | Identify spending patterns  |
| **Service Analysis**   | "Which service increased most in cost?" | Target optimization efforts |
| **Unused Resources**   | "Find resources with zero usage"        | Immediate cost savings      |
| **Reserved Instances** | "Show RI utilization rates"             | Maximize reservations       |
| **Tag Analysis**       | "Costs by department tag"               | Chargeback accuracy         |

### Security Compliance

| Scenario              | Query Examples                    | Business Impact        |
| --------------------- | --------------------------------- | ---------------------- |
| **Audit Preparation** | "List non-compliant resources"    | Faster audit readiness |
| **Access Review**     | "Show overly permissive policies" | Reduce attack surface  |
| **Encryption Audit**  | "Find unencrypted data stores"    | Data protection        |
| **Key Management**    | "List expiring certificates"      | Prevent outages        |
| **Network Security**  | "Review security group rules"     | Network hardening      |

### Capacity Planning

| Scenario               | Query Examples                  | Business Impact            |
| ---------------------- | ------------------------------- | -------------------------- |
| **Growth Analysis**    | "Show resource growth rate"     | Accurate forecasting       |
| **Utilization Review** | "Find underutilized instances"  | Right-sizing opportunities |
| **Scaling Patterns**   | "Peak usage times for services" | Optimize auto-scaling      |
| **Storage Planning**   | "S3 growth projection"          | Budget planning            |
| **Database Capacity**  | "RDS storage trending full"     | Prevent outages            |

### Operational Excellence

| Scenario                | Query Examples                     | Business Impact            |
| ----------------------- | ---------------------------------- | -------------------------- |
| **Health Check**        | "Show all unhealthy resources"     | Rapid issue identification |
| **Backup Verification** | "List resources without backups"   | Data protection            |
| **Update Status**       | "Find outdated AMIs"               | Security maintenance       |
| **Configuration Drift** | "Resources not matching standards" | Maintain consistency       |
| **Service Limits**      | "Services approaching limits"      | Prevent throttling         |

## Trusted Advisor Integration

Access AWS Trusted Advisor recommendations directly:

| Check Category        | Examples                       | Value                |
| --------------------- | ------------------------------ | -------------------- |
| **Cost Optimization** | Idle resources, unused volumes | Reduce waste         |
| **Performance**       | Provisioned IOPS usage         | Improve efficiency   |
| **Security**          | Security group rules, IAM use  | Enhance security     |
| **Fault Tolerance**   | Backup configuration, multi-AZ | Increase reliability |
| **Service Limits**    | Approaching limits             | Prevent issues       |

## Best Practices

### Query Optimization

| Practice            | Implementation             | Benefit              |
| ------------------- | -------------------------- | -------------------- |
| **Be Specific**     | Include service and region | Faster results       |
| **Use Filters**     | Add tag or date filters    | Relevant data        |
| **Regular Queries** | Schedule recurring checks  | Proactive management |
| **Save Queries**    | Create query library       | Consistency          |
| **Combine Queries** | Ask multi-part questions   | Comprehensive view   |

### Security Best Practices

1. **Minimal Permissions**: Only grant read access to needed services
2. **Regular Audits**: Review IAM role permissions quarterly
3. **Rotate External ID**: Change External ID periodically
4. **Monitor Access**: Use CloudTrail to track API calls
5. **Remove Unused Roles**: Delete roles for terminated integrations
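
One way to act on the "Monitor Access" practice, as an added example that is not DarcyIQ's own code: review CloudTrail records in the role-owning account for role assumptions from an unexpected account and for mutating calls made by the role's sessions. The role name `DarcyIQReadOnly`, both account IDs and the sample records are constructed placeholders.

```python
# Constructed values: the role name and both account IDs are placeholders.
ROLE_ARN = "arn:aws:iam::444455556666:role/DarcyIQReadOnly"
TRUSTED_ACCOUNT = "111122223333"

def review_events(events, role_arn=ROLE_ARN, trusted_account=TRUSTED_ACCOUNT):
    """Return (eventTime, reason) alerts for CloudTrail records touching the role."""
    alerts = []
    for ev in events:
        identity = ev.get("userIdentity") or {}
        params = ev.get("requestParameters") or {}
        # 1. Who assumed the role? Only the trusted account should appear.
        if (ev.get("eventSource") == "sts.amazonaws.com"
                and ev.get("eventName") == "AssumeRole"
                and params.get("roleArn") == role_arn):
            caller = identity.get("accountId")
            if caller != trusted_account:
                alerts.append((ev["eventTime"], f"role assumed from account {caller}"))
        # 2. What did the role's sessions do? readOnly=false marks a mutating
        #    call (or attempt), which a read-only integration should never make.
        issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        if issuer.get("arn") == role_arn and ev.get("readOnly") is False:
            detail = ev.get("errorCode") or "succeeded"
            alerts.append((ev["eventTime"], f"write call {ev['eventName']} ({detail})"))
    return alerts

# Constructed CloudTrail records, trimmed to the fields the checks read.
SESSION = {"type": "AssumedRole",
           "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "requestParameters": {"roleArn": ROLE_ARN},
     "userIdentity": {"type": "AWSAccount", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "requestParameters": {"roleArn": ROLE_ARN},
     "userIdentity": {"type": "AWSAccount", "accountId": "999900001111"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "userIdentity": SESSION},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "errorCode": "AccessDenied", "userIdentity": SESSION},
]

if __name__ == "__main__":
    for when, reason in review_events(SAMPLE_EVENTS):
        print(when, reason)
```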

### Cost Management

* **Daily Reviews**: Quick daily cost check queries
* **Anomaly Detection**: Set up alerts for unusual spending
* **Tag Everything**: Ensure resources are tagged for analysis
* **Regular Optimization**: Weekly unused resource checks
* **Forecast Regularly**: Monthly projection queries

## Limitations and Considerations

| Limitation           | Description                    | Workaround                          |
| -------------------- | ------------------------------ | ----------------------------------- |
| **API Rate Limits**  | AWS API throttling             | Cached results for repeated queries |
| **Cross-Region**     | Must query each region         | Use "all regions" option            |
| **Real-Time Data**   | Some metrics have delay        | Understand data freshness           |
| **Service Coverage** | Not all AWS services supported | Request additional services         |
| **Query Complexity** | Complex queries may take time  | Break into smaller queries          |

## Coming Soon

* **Automated Recommendations**: Proactive optimization suggestions
* **Custom Dashboards**: Save and share AWS dashboards
* **Alerting**: Notifications for AWS events and thresholds
* **Cost Predictions**: AI-powered spend forecasting
* **Remediation Actions**: One-click fixes for common issues
* **Multi-Cloud Support**: Extend to Azure and GCP

{% hint style="info" %}
**Pro Tip**: Start with read-only access to a single account, then expand to multiple accounts once you're comfortable with the integration. Use tags extensively to enable powerful cost allocation queries.
{% endhint %}

