DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Configuring AWS


Amazon Web Services (AWS) is one of the leading public cloud service providers, and DivvyCloud includes extensive support for it. You can add an AWS account to DivvyCloud using either Instance Assume Role or Secure Token Service (STS) Assume Role.

This page walks through: the supported services for AWS, details on configuring your AWS account for connection with DivvyCloud, our detailed policies, and instructions on how to set up the IAM policy. 

Once you have your AWS Cloud account properly configured you can move on to AWS - EC2 or ECS Fargate - CFT for deployment instructions or review our Product Architecture details.

As always, if you have questions — reach out to us at [email protected], or through any of the contact options shared on the Getting Support page.

Supported Services - AWS

DivvyCloud supports the following AWS services.

Access Analyzer
API Gateway
Certificate Manager
EMR (Elastic MapReduce)
Elastic Beanstalk
Managed Prefix List
Resource Group Tagging API
Route 53
Route53 Domains
Route53 Resolver
Secrets Manager
Systems Manager Parameter Store (Parameter)
Transit Gateway
Trusted Advisor
Virtual Private Gateway
VPC Traffic Mirror Targets

Opt-In Regions for AWS

DivvyCloud includes support for four AWS regions with the "opt-in" classification. Bahrain (me-south-1), Hong Kong (ap-east-1), Cape Town (af-south-1), and Milan (eu-south-1) are all configured within AWS as "opt-in" regions and must be explicitly enabled before they can be used.

The screenshot below provides an example of how to enable the region in the AWS console.

Enabling Opt-In Regions

Once a region is enabled, you will also need to update the STS session token setting (see Session Tokens below) so that DivvyCloud can communicate with that region.


Session Tokens

These tokens need to be enabled in the AWS account where your DivvyCloud instance is deployed.

To do this, visit the AWS console (linked here) and modify the Global Endpoint option so that the global endpoint (https://sts.amazonaws.com) issues the larger session tokens that work in all regions, including the opt-in regions.

Modifying Global Endpoints


Note About Opt-In Regions

Without the change noted above, DivvyCloud will be unable to retrieve information from these regions even if they are enabled.

For customers who prefer to keep these regions disabled, there are no changes required. Contact [email protected] with any questions or concerns.

Opt-In Region Changes

A full list of AWS Regions can be found here.

Prerequisite - IAM Policy

You will need to add an Identity and Access Management (IAM) Policy to your AWS accounts in order to provide DivvyCloud user-defined access to those accounts. We recommend using either a read-only policy (standard managed policy) or a power user policy.

  • The read-only policy will prevent DivvyCloud from taking actions against your AWS resources. If you would like to use DivvyCloud to manage your AWS resources directly or through the use of Bots, then use the power user policy.
  • If you are using AWS GovCloud, then you will want to use either the read-only or the power user policy specific to AWS GovCloud.


Policy Configuration

In addition to your read-only or power user policy, you will need one more policy for Instance Assume Role or STS Assume Role, both of which use STS. This applies to both AWS and AWS GovCloud.

Our recommended policies, or links to the longer policies, are shown here:

AWS Standard & Power User Policies

For commercial (non-GovCloud) AWS accounts, the Standard User Policy comes in three parts, because the full set of permissions exceeds AWS's limit on policy size.

AWS Standard User (read-only) Policy - Option 1:
This option employs AWS' managed read-only policy. While this policy does not enumerate every permission DivvyCloud needs, its benefit is that AWS continuously updates it for new services, which makes it easier for the customer to attach and maintain. DivvyCloud's operation requires that one small additional policy be added, as shown here (the action lists of the two statements are not reproduced on this page):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AwsReadOnlyMissingPermissions",
                "Action": [
                    "<additional read-only actions required by DivvyCloud; list not reproduced on this page>"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Sid": "AwsReadOnlyDenyPermissions",
                "Action": [
                    "<actions explicitly denied to DivvyCloud; list not reproduced on this page>"
                ],
                "Effect": "Deny",
                "Resource": "*"
            }
        ]
    }

AWS Standard User (read-only) Policy - Option 2:
This option enumerates every permission in the policy and must be manually updated with each new AWS service that DivvyCloud supports. New required permissions can be found in the product's release notes.

  • You must create three separate policies, one for each part. There is no significance to how the policy permissions are separated except ease of reading.

AWS Standard User (read-only) Policy - Part 1
AWS Standard User (read-only) Policy - Part 2
AWS Standard User (read-only) Policy - Part 3

AWS Power User Policy:
AWS Power User Policy

AWS GovCloud Standard & Power User Policy

AWS GovCloud Standard User (read-only) Policy
AWS GovCloud Power User Policy

AWS Instance Assume Role/STS

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::*:role/*"
            },
            {
                "Action": "sts:GetCallerIdentity",
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
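The Option 1 supplement (an Allow statement plus an explicit Deny statement) and the Instance Assume Role/STS policy above both take effect only through IAM's evaluation rules, where an explicit Deny overrides any Allow. The following Python script is an added example, not DivvyCloud's code: it implements a simplified evaluator (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) and runs it against the STS policy from this page plus constructed stand-in policies whose action lists are hypothetical (the real ReadOnlyAccess and supplement action lists are not reproduced here). It also includes a small reviewer check for over-broad Allow statements, the kind of thing worth running over a power user policy before attaching it.

```python
import fnmatch

# The Instance Assume Role/STS policy exactly as given on this page.
STS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Resource": "arn:aws:iam::*:role/*"},
        {"Action": "sts:GetCallerIdentity", "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed stand-ins (hypothetical, NOT the real AWS or DivvyCloud action
# lists): a tiny slice of what a managed read-only policy grants, and a
# supplement shaped like Option 1 with one Allow and one Deny statement.
READONLY_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
         "Resource": "*"},
    ],
}
SUPPLEMENT_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AwsReadOnlyMissingPermissions", "Effect": "Allow",
         "Action": ["ec2:GetManagedPrefixListEntries"], "Resource": "*"},
        {"Sid": "AwsReadOnlyDenyPermissions", "Effect": "Deny",
         "Action": ["s3:GetObject"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match using only '*' and '?' (no character classes)."""
    for pattern in _as_list(patterns):
        p, v = (pattern, value) if case_sensitive else (pattern.lower(), value.lower())
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation for one request.

    Precedence as in IAM: an explicit Deny in any matching statement wins,
    otherwise any matching Allow grants, otherwise the request is implicitly
    denied. NotAction, NotResource, Condition keys and resource-based
    policies are deliberately not modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            # Action names are case-insensitive; ARNs are case-sensitive.
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny (explicit)"
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


def broad_allows(policy):
    """Return (Sid, action) pairs where an Allow grants a whole service or everything."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for act in _as_list(stmt.get("Action", [])):
            if act == "*" or act.endswith(":*"):
                hits.append((stmt.get("Sid", "<no Sid>"), act))
    return hits


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/DivvyCloud-Harvest"  # constructed ARN
    print("AssumeRole on a role:", evaluate([STS_POLICY], "sts:AssumeRole", role))
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    print("GetObject with supplement:",
          evaluate([READONLY_STANDIN, SUPPLEMENT_STANDIN], "s3:GetObject", obj))
```

Two results are worth noting: the read-only stand-in alone implicitly denies the action the supplement adds, which is the gap the "MissingPermissions" statement closes, and the supplement's Deny statement overrides the managed policy's Allow for the action it names, so the Deny list is an enforced restriction rather than documentation.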

Setting Up Your AWS IAM Policy

AWS Managed Standard User (read-only) with DivvyCloud Supplemental Policy

Note: To set up the fully-enumerated Standard User read-only policy, or any Power User or GovCloud policy, use the instructions under AWS Standard & Power User Policies.

  1. Log in to the AWS console and access the Identity & Access Management (IAM) service. This service can be found on the Services main page under Security, Identity & Compliance. You can also enter 'IAM' in the search bar.

  2. Enter "ReadOnlyAccess" in the search bar and scroll down to select this AWS managed policy.

  3. Under 'Policy Actions', select 'Attach policy'.
  4. Create the DivvyCloud add-on for this policy: return to the main IAM screen, select Policies, then select "Create Policy".
  5. Select JSON.
  6. Add the 'DivvyCloud Supplement to AWS ReadOnly Policy':
  • Copy and paste the 'DivvyCloud Supplement to AWS ReadOnly Policy' (above) into the Policy Document window.
  • Click "Review Policy".
  7. Review the Policy:
  • Name your policy something meaningful to you, e.g., DivvyCloud-Supplement-for-Managed-ReadOnly-Policy. (Note: you cannot have spaces in the Policy Name.)
  • Add a policy description that makes it clear that the policy is read-only.
  • Select 'Review Policy'.
  • If everything looks OK, select 'Create Policy'.
  8. Be sure to add the Instance Assume Role/STS Policy, described below.

AWS Standard & Power User Policies


Standard User (read-only) Policy

If using the Standard User (read-only) Policy, you will need to create three separate policies to accommodate the three parts of the policy. Follow the steps below for each policy.

  1. Log in to the AWS console and access the Identity & Access Management (IAM) service. This service can be found on the Services main page under Security, Identity & Compliance. You can also enter 'IAM' in the search bar.

  2. Select "Create policy".

Create Policy

  3. Select "JSON".

Select JSON

  4. Add Policy (Part 1 of 3)
  • Copy and paste your preferred policy into the Policy Document window.
  • Click "Review Policy".

Adding a Policy

  5. Review Policy (Part 2 of 3)
  • Name your policy something meaningful to you, e.g., DivvyCloud-PowerUser-Policy. (Note: you cannot have spaces in the Policy Name.)
  • Add a policy description that makes it clear whether the policy is read-only or Power User.

Review Your Policy

  6. Create Policy (Part 3 of 3)
  • Click on "Create Policy".

Create Policy


  7. If you are using the fully enumerated AWS Standard User (read-only) policy, repeat steps 1-6 above for both Part 2 and Part 3 of the read-only policy. (The AWS Power User, AWS GovCloud Standard User, and AWS GovCloud Power User policies can each be added as a single policy.)

Add the Instance Assume Role/STS Policy

After adding your preferred user policy, all users must also repeat steps 1-6 (from AWS Standard & Power User Policies) to add the Instance Assume Role/STS Policy.

Once all of the policies referenced above have been added, you will have the correct policies in place to use when adding an AWS account to DivvyCloud.

Additional AWS Configuration Options

Using Your Own SSL Cert with ELB

Customers interested in supplying their own certificate for ELB should refer to the following AWS documentation:

If you have questions about this configuration reach out to [email protected].


Other Helpful Pages

Once you have added your policies, navigate to the correct section depending on how you want to add an AWS cloud account to DivvyCloud.

Instance Assume Role (AWS)
Secure Token Service Assume Role (AWS)
Event Driven Harvesting (AWS)
Supported Calls (AWS)