The AWS integration uses an AWS IAM role that you define in your AWS IAM configuration to take actions in Torq as an approved user for the assets and APIs provided by the Amazon Web Services platform. AWS integrations are used for AWS and AWS S3 steps in Torq workflows.
Get IDs in Torq
To create an IAM role in AWS, you'll need the Torq Account ID and the AWS External ID, which you'll copy from the AWS integration card in Torq. At this point, you're only copying those IDs; you're not creating the AWS integration in Torq.
Go to the Integrations page and locate the AWS card.
Click Add.
Copy the Torq Account ID. You'll need this when you create the IAM role in AWS.
Copy the AWS External ID. You'll need this when you create the IAM role in AWS.
Create an IAM Role in AWS
There are two ways to create an IAM role in AWS: manually (following the steps below) or using a CloudFormation Template (CFT).
Sign in to the AWS Management Console and access IAM.
Select Roles > Create role.
Define the new role.
Click Next: Permissions.
Create a policy (set of AWS permissions) to assign to the user, group, or role that can use AWS services in Torq steps. A step returns an error if the policy doesn't grant the permissions that step requires.
Click Next: Tags.
Enter tags as needed and click Next: Review.
Enter a meaningful name for the policy and click Create policy.
The name must be unique in your AWS account.
Policy names are case-insensitive.
Policy names can't be changed after the policy is created.
Go back to the previous tab for the Create role page and click the console's refresh button.
Filter by the policy name you created, select the checkbox next to the policy and click Next: Review.
On the Create Role - Review page, enter a role name.
Review the role details and click Create role.
After you're redirected to the IAM > Roles console, enter the name of the role you created and then select the role.
Copy the Role ARN. You'll need this when you create the AWS integration in Torq.
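The role created above is only as tight as its trust relationship: the Torq account should be the sole principal allowed to assume it, and only when it presents the External ID. The following is an added example, not code from Torq or AWS, that audits a trust policy document for both properties. It assumes the standard cross-account `sts:AssumeRole` statement with an `sts:ExternalId` condition; the account ID, external ID and sample policies are constructed placeholders.

```python
# Constructed placeholders: substitute the IDs copied from the AWS card in Torq.
TORQ_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare 12-digit principal or an IAM ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[:3] == ["arn", "aws", "iam"] else None

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings, assume_seen = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        assume_seen = True
        principal = stmt.get("Principal", {})
        if principal == "*" or set(principal) - {"AWS"}:
            findings.append("principal is not limited to AWS accounts")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if _account_of(p) != account_id:
                findings.append(f"unexpected principal: {p}")
        # Condition keys are case-insensitive, so normalise before the lookup.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if {k.lower(): v for k, v in equals.items()}.get("sts:externalid") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    if not assume_seen:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

def _policy(principal, condition=None):  # builds constructed sample documents
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

GOOD = _policy({"AWS": f"arn:aws:iam::{TORQ_ACCOUNT_ID}:root"},
               {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy({"AWS": f"arn:aws:iam::{TORQ_ACCOUNT_ID}:root"})
WILDCARD = _policy({"AWS": "*"}, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
```

To check a real role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` as the `policy` argument.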
Create an IAM Role in AWS Using a CFT
The role name is required to create an AWS integration in Torq. The CloudFormation Template contains all necessary configurations. During this process, you'll have two browser tabs open, one for Torq and one for AWS.
Log in to your AWS account.
Go to CloudFormation > Stacks and create a new stack.
In the Prerequisite - Prepare template section, select the Template is ready checkbox.
In the Specify template section, select the Upload a template file checkbox.
Click Next.
Enter a meaningful name for the stack.
In a new browser tab, log in to Torq.
Go to Build > Integrations > AWS, and click Add. Keep this tab open. You'll copy and paste between the two.
Copy the Torq Workspace ID and paste it into the TorqWorkspaceID field in AWS.
Copy the AWS External ID and paste it into the AWSExternalID field in AWS.
In AWS, for the Permission Type field, select EC2.
Click Next until you reach the final page.
Select the acknowledgment checkbox in the Capabilities section (shaded blue) and click Submit.
Filter the stacks table by the status In progress. You should see the stack's creation status.
Refresh the Events table until the stack's status is CREATE_COMPLETE.
Go to the Outputs tab and copy the RoleArn value. It will follow this pattern: arn:aws:iam:::role/.
In Torq, paste the RoleArn value in the AWS Role Name field and click Add.
Create an AWS Integration in Torq
Go to Build > Integrations > Steps > AWS, and click Add.
Enter a meaningful name for the integration so you can identify it when calling it in a workflow.
Enter the AWS Role ARN that you copied in the previous step. It should look like this:
arn:aws:iam::123456789012:role/service-role/PerformMitigationOperations