Skip to main content

Overview

This guide walks you through setting up an IAM Role with CloudWatch access to enable the Antimetal integration.

Set up in Antimetal

Go to the CloudWatch integration setup in the Antimetal dashboard.

Prerequisites

  • An AWS account
  • A user account with permissions to create cross-account IAM Roles

Setup

1

Open the CloudFormation quick create link

Navigate to the following link in your AWS account: Launch Antimetal CloudFormation Stack
2

Provide the External ID

Enter the External ID shown in the Antimetal UI (or provided by the Antimetal team).
3

(Optional) Exclude specific log groups

To prevent Antimetal from accessing certain log groups, paste comma-separated log group ARNs in the ExcludedLogGroups field.You can find ARNs in CloudWatch Console > Log groups > [select group] > Copy ARN.
4

Acknowledge IAM resource creation

Scroll to the bottom and check the box confirming that the stack may create IAM resources.
5

Create the stack

Click Create stack and wait until the status shows CREATE_COMPLETE.
6

Find the IAM Role

In the stack’s outputs, click on AntimetalReadOnlyRole. This will open the role in the IAM console.
7

Copy the Role ARN

On the IAM Role page, copy the Role ARN.
8

Share the Role ARN with Antimetal

Paste the Role ARN into the Antimetal UI where requested.

Resources

Permissions and Access

Antimetal uses a read-only cross-account IAM Role provisioned via CloudFormation. No write operations are performed in your AWS environment.