Overview

This guide walks you through setting up an IAM Role with CloudWatch access to enable the Antimetal integration.

Set up in Antimetal

Go to the CloudWatch integration setup in the Antimetal dashboard.

Prerequisites

  • An AWS account
  • A user account with permissions to create cross-account IAM Roles

Setup

1. Open the CloudWatch integration page in Antimetal

Navigate to Integrations > CloudWatch > Connect in the Antimetal dashboard, or use the link above. Antimetal generates a unique External ID for your organization automatically.

2. Deploy the CloudFormation stack

Click Deploy Stack in AWS. This opens the CloudFormation quick-create page with the External ID and Trusted Account ID pre-filled in the template parameters.

3. (Optional) Exclude specific log groups

To prevent Antimetal from accessing certain log groups, paste comma-separated log group ARNs in the ExcludedLogGroups field. You can find ARNs in CloudWatch Console > Log groups > [select group] > Copy ARN.

4. Acknowledge IAM resource creation

Scroll to the bottom and check the box confirming that the stack may create IAM resources.

5. Create the stack and copy the Role ARN

Click Create stack and wait until the status shows CREATE_COMPLETE. Then go to the Outputs tab and copy the Value next to AntimetalReadOnlyRole — this is the Role ARN you’ll paste into Antimetal.

6. Complete setup in Antimetal

Back in the Antimetal dashboard, paste the Role ARN, select your AWS region, and click Add. The External ID is pre-filled automatically.

Resources

Permissions and Access

Antimetal uses a read-only cross-account IAM Role provisioned via CloudFormation. No write operations are performed in your AWS environment.
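
After the stack reaches CREATE_COMPLETE, you can confirm that the role's trust policy admits only the Trusted Account ID and only with your External ID. The following is an added example, not Antimetal's code or template (the template is not shown on this page); the policy shape, the account ID `111122223333`, the External ID `EXAMPLE-EXTERNAL-ID` and the function name `audit_trust_policy` are assumptions.

```python
import json

# Constructed sample trust policy; account ID and External ID are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, trusted_account_id, external_id):
    """Return findings; an empty list means only the expected account can
    assume the role, and only when it presents the expected External ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal is {principal!r}")
            continue
        for kind in principal:
            if kind != "AWS":
                findings.append(f"statement {i}: unexpected {kind} principal")
        for arn in _as_list(principal.get("AWS", [])):
            # Accept a bare account ID or an ARN inside the trusted account.
            account = arn if arn.isdigit() else (arn.split(":") + [""] * 5)[4]
            if account != trusted_account_id:
                findings.append(f"statement {i}: unexpected principal {arn}")
        # Only an exact StringEquals match passes; other operators or key
        # spellings are reported so a human reviews them.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("sts:ExternalId", [])) != [external_id]:
            findings.append(f"statement {i}: External ID condition missing or different")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, "111122223333", "EXAMPLE-EXTERNAL-ID"))
```

To audit the deployed role, pass the `Role.AssumeRolePolicyDocument` returned by `aws iam get-role` together with the Trusted Account ID and External ID shown in the stack parameters.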