# Connect AWS account

{% hint style="warning" %}
If you do not have access to configure IAM or run CloudFormation stacks within your organization, we recommend **raising a ticket with your security team.**
{% endhint %}

**Summary:** Sedai securely connects to your cloud account and discovers supported cloud resources and automatically imports relevant CloudWatch metrics. **The integration does not impact your privacy policies or include access to logs.** We provide a CloudFormation stack to easily create an IAM Role and attach Sedai's policies to it, so that you will only need to provide Sedai with the Role ARN. These steps need to be repeated for each AWS account you want to connect to Sedai. In this page:

* [IAM Policy Statements for Sedai](#iam-policy-statements-for-sedai)
* [How to set up IAM via Onboarding Wizard](#setup-iam-via-onboarding-wizard)
* [How to set up IAM manually](#set-up-iam-manually)
* [How to update Sedai's CloudFormation Stack](#update-cloudformation-stack)

To experience the full value of Sedai, we recommend providing read-write access and managing permissions/reinforcement learning within the platform via the Crawl-Walk-Run modes: Datapilot, Copilot, and Autopilot. **It's important to note that Sedai will not make any changes to your resources unless you update the mode setting.** Learn more about Sedai's [operation modes](/get-started/onboarding/readme/understanding-operation-modes.md), [permissions](#iam-policy-statements-for-sedai) and [what to expect](/get-started/onboarding/readme/what-to-expect.md) when you integrate your resources.

<figure><img src="/files/j2MQHxZyTgkeWzUPyu27" alt=""><figcaption></figcaption></figure>

***

## **IAM Policy Statements for Sedai**

{% hint style="info" %}
Keep in mind that all integrated resources (irrespective of the policy used) will automatically run in Datapilot mode, which only analyzes monitoring data and **does not make changes to your cloud resources.** You can configure how Sedai manages your resources from the Settings > Resources page ([learn more](/get-started/platform/settings/features.md)).
{% endhint %}

Sedai's IAM policy provides visibility to your infrastructure and the option to allow it to autonomously modify resource configurations. The following summarizes services Sedai supports and how permission is used:

<table><thead><tr><th width="190">AWS Service</th><th>Purpose</th></tr></thead><tbody><tr><td><p>ECS</p><p>Fargate</p><p>Lambda</p><p>EC2<br>S3<br>ELB</p><p>RDS<br>Autoscaling</p></td><td>Discovers resources so that the system can create ML models and use reinforcement learning to reduce cost, improve performance, and prevent availability issues.<br><br><strong>Note:</strong> Sedai will only act if feature settings are set to Copilot or Autopilot mode and if the operation passes rigorous safety checks. </td></tr><tr><td>CloudWatch</td><td>(Read-only) Pulls monitoring data for continuous seasonality and performance analysis. By default, Sedai automatically imports relevant metrics to analyze resource behavior. You can additionally <a href="/pages/XJeYS5uWny1w5lOs59Oy">connect monitoring data</a> from other APM and observability providers.</td></tr><tr><td>X-Ray<br>ELB<br>Kinesis<br>DynamoDB<br>Logs<br>App Mesh</td><td>(Read-only) Informs discovery process to help Sedai understand topology infrastructure.</td></tr></tbody></table>

{% tabs %}
{% tab title="Read-write Policies (Copilot / Autopilot)" %}
Use these policies if you want to enable autonomous management within your AWS account. These policies include read-write access to the respective cloud resource type, which allows Sedai to make changes on your behalf (if set to [Copilot or Autopilot mode](/get-started/onboarding/readme/understanding-operation-modes.md)), as well as enable Sedai's ML models.

* [Common](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-common-rw.json) (includes read-only access to CloudWatch)
* [Elastic Block Store (EBS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-storageebs-rw.json)
* [Elastic Compute Cloud (EC2)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-ec2instance-rw.json)
* [Elastic Container Service (ECS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-ecs-rw.json)
* [Elastic Kubernetes Service (EKS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-kubernetes-rw.json)
* [Lambda](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-lambda-rw.json)
* [Relational Database Service (RDS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-rds-rw.json)
* [Simple Storage Service (S3)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-storages3-rw.json)

{% hint style="info" %}
Even if you're not ready to run autonomously, we still recommend integrating your account with read-write permissions. You can set Sedai's features to run in [Datapilot mode](/get-started/onboarding/readme/understanding-operation-modes.md), which will only generate recommendations for you to review.
{% endhint %}
{% endtab %}

{% tab title="Read-only Policies (Datapilot)" %}
Use these policies if you want to explore Sedai's capabilities and get familiar with the type of information it presents, while prohibiting autonomous management. Sedai can analyze monitoring data and predict low-confidence opportunities, but the system will only be able to function in Datapilot mode and will not be able to execute operations in Copilot or Autopilot mode. Keep in mind that the system will not be able to use reinforcement learning, so predicted savings are typically less significant.

**Note:** These policies do not support Sedai's ML models. If you are not ready to fully explore an autonomous system, you can start with read-only access and update the policy permissions later. Contact our team at **<support@sedai.io>** for help.

* [Common](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-common-r.json) (includes read-only access to CloudWatch)
* [Elastic Block Store (EBS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-storageebs-r.json)
* [Elastic Compute Cloud (EC2)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-ec2instance-r.json)
* [Elastic Container Service (ECS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-ecs-r.json)
* [Elastic Kubernetes Service (EKS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-kubernetes-r.json)
* [Lambda](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-lambda-r.json)
* [Relational Database Service (RDS)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-rds-r.json)
* [Simple Storage Service (S3)](https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-include-storages3-r.json)
{% endtab %}
{% endtabs %}
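The security team reviewing the ticket mentioned at the top of this page will usually want to know exactly which actions in a chosen policy can change state and which of those apply to every resource in the account. The script below is an added example, not Sedai's code: it classifies the `Allow` actions in an IAM policy document as read-only or mutating and lists mutating statements whose `Resource` is `*`. The policy embedded in it is a constructed stand-in with the shape of an IAM policy document, not one of the published Sedai policies; pipe a downloaded Sedai policy file into it to review the real one.

```python
"""Classify the Allow actions in an IAM policy document as read-only or
mutating, and flag mutating statements that are not resource-scoped.

Added example for reviewing a policy before attaching it; not Sedai's code.
The embedded policy is a constructed stand-in, not a published Sedai policy.
"""
import json
import sys

# Action name prefixes that only read state. The list is deliberately
# conservative: any verb not matched here is reported as mutating, so the
# "write" list errs toward over-reporting and should be reviewed by hand.
READ_PREFIXES = ("Describe", "List", "Get", "BatchGet", "Lookup", "Filter",
                 "Query", "Search", "View")

# Constructed sample policy (placeholder content, not Sedai's published policy).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                    "ec2:DescribeInstances", "ecs:DescribeServices"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecs:UpdateService", "lambda:UpdateFunctionConfiguration"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:PutBucketLifecycleConfiguration",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow",
         "Action": "rds:Describe*",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True if an action such as 'ec2:DescribeInstances' or 'rds:Describe*'
    only reads state. A bare wildcard ('*' or 'iam:*') is never read-only."""
    _, _, name = action.partition(":")
    if not name or name == "*":
        return False
    return name.startswith(READ_PREFIXES)


def review_policy(policy_json):
    """Summarise the Allow statements of an IAM policy document."""
    doc = json.loads(policy_json)
    read, write, unscoped_write = set(), set(), []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            (read if is_read_only(action) else write).add(action)
        mutating = sorted(a for a in actions if not is_read_only(a))
        # Mutating permissions on Resource "*" reach every resource in the
        # account; that is the list a reviewer most wants to see.
        if mutating and "*" in _as_list(stmt.get("Resource")):
            unscoped_write.append(mutating)
    return {
        "read": sorted(read),
        "write": sorted(write),
        "unscoped_write": unscoped_write,
        "read_only_policy": not write,
    }


if __name__ == "__main__":
    # Usage: python review_policy.py < sedai-integration-include-ecs-rw.json
    # With no input on stdin the constructed sample policy is reviewed.
    source = "" if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(review_policy(source.strip() or SAMPLE_POLICY), indent=2))
```

For the sample policy the `write` list contains the three `Update`/`Put` actions and `unscoped_write` contains only the ECS and Lambda statement, because the S3 statement is scoped to one bucket ARN. A read-only Sedai policy should produce an empty `write` list and `read_only_policy: true`.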

{% hint style="info" %}
**Sedai individually connects to Kubernetes clusters, so EKS clusters are displayed independent of their corresponding AWS account.**

To connect to EKS, we recommend deploying Sedai's [Smart Agent](/get-started/onboarding/autonomous-cloud-management/connect-kubernetes-cluster/sedai-smart-agent.md) within the cluster; however, you can alternatively [set up agentless access](/get-started/onboarding/autonomous-cloud-management/connect-kubernetes-cluster/eks-agentless-setup.md) via IAM authentication and Kubernetes Role Based Access Control (RBAC).
{% endhint %}

***

## Set up IAM via Onboarding Wizard <a href="#setup-iam-via-onboarding-wizard" id="setup-iam-via-onboarding-wizard"></a>

{% hint style="info" %}
This approach uses a [CloudFormation Stack](https://aws.amazon.com/cloudformation/resources/templates/) that by default provides read-write access. From Sedai's interface you will be able to select which resources you want Sedai to import and manage.
{% endhint %}

1. Navigate to your Sedai account (<https://yourcompany.sedai.app>). If you have not yet integrated cloud resources, by default you should see the integration wizard; otherwise, navigate to Settings > Integrations and click **Connect Cloud.**
2. Choose the AWS products within your account that you want to integrate to Sedai. Based on your selection, Sedai will generate your custom policy. By default, this policy includes read-write access. If you want to use read-only access, you will need to [manually configure IAM](#set-up-iam-manually).
3. Click to launch the CloudFormation stack. This opens your AWS console (ensure you are logged in to the correct AWS account). Once the stack has been created, open its Outputs tab, copy the Role ARN, and return to Sedai to enter it. Sedai will generate an External ID based on the provided ARN.

***

## Set up IAM manually

#### Create IAM Policy

From the AWS Console, navigate to **Policies** under Identity and Access Management. Select **Create Policy.** Copy your preferred [Sedai policy](#iam-policy-statements-for-sedai) and paste it into the JSON policy editor. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) to learn more.

#### Create IAM Role (Recommended)

{% tabs %}
{% tab title="From Sedai" %}

1. Go to Settings > Integrations and select **Connect Cloud**.
2. Select AWS as your cloud provider, then select your resource types and the cloud products you'd like Sedai to manage.
3. After giving your cloud a nickname, click **Launch CloudFormation** (make sure you're logged in to the AWS account you wish to integrate with Sedai).
4. On the screen that opens in the CloudFormation console, leave the selections as they are and click **Next**.
5. In the Specify stack details page, enter the stack name.
6. In the Sedai app configuration section, leave the custom external ID field empty (unless a custom external ID was provided previously).
7. In the Permission section, select which cloud products you'd like Sedai to manage (ensure this matches the selections you made within Sedai when connecting your account).
8. Click **Next**, then scroll down and click **Next** again.
9. In the Review and create page, acknowledge the capabilities checkbox and click **Submit**.
{% endtab %}

{% tab title="With Template URL" %}

1. Make sure you're logged in to the AWS account you'd like to integrate with Sedai.
2. Go to the CloudFormation console
3. Click **Create Stack** and select **With new resources (standard)**
4. Under Prepare template, select **Template is ready**
5. Under Specify template, select **Amazon S3 URL**. Provide the following link then click **Next**:

```
https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-main.yml
```

6. In the Specify stack details page, enter the stack name.
7. In the Sedai app configuration section, leave the custom external ID field empty (unless a custom external ID was provided previously).
8. In the Permission section, select which cloud products you'd like Sedai to manage (please ensure this matches the selections you previously made within Sedai when connecting your account)
9. Click **Next**, then scroll down and click **Next** again.
10. In the Review and create page, check the capabilities and click **Submit**.
{% endtab %}

{% tab title="Within AWS Console" %}

1. Navigate to Identity and Access Management (IAM) within your AWS Console.
2. Create Sedai's [IAM policy](#iam-policy-statements-for-sedai).
3. Select **Roles** > **Create role**.
4. Under **Trusted entity type**, select **AWS account** and then choose **Another AWS account**. Enter Sedai's unique Account ID (this is displayed within the platform when you add a new cloud from the Integrations page and opt to manually set up IAM authentication with an IAM Role). Add the External ID as well, which is displayed alongside the Account ID on that page. The console treats it as optional, but it is AWS's standard control against the confused deputy problem (a third party that knows your role ARN but not the External ID cannot assume the role), so set it unless your security team has a reason not to. Skip the additional options and select **Next**.
5. Select the policy created in Step 2.
6. Enter a **Role name** and **Description**, and select **Create** to complete setup.
7. Copy the role **ARN**. You will need it to connect your resources to Sedai from the **Integrations** page.
{% endtab %}

{% tab title="Within AWS CLI" %}

1. Download your preferred Sedai [policy](#iam-policy-statements-for-sedai) and save it as `sedai-policy.json`.
2. Create the IAM policy. The command prints the policy ARN (`Policy.Arn`); it lives in your own account, not Sedai's, and you will need it in step 3:

```
aws --profile AWS_PROFILE iam create-policy --policy-name SedaiAWSIntegrationIamPolicy --policy-document file://sedai-policy.json --query Policy.Arn --output text
```

3. Download the trust policy, create the IAM role and attach the policy. Before running `create-role`, open `assume-role-policy.json` and confirm that it trusts only Sedai's Account ID and that any `sts:ExternalId` condition matches the External ID shown in Sedai:

```
curl -o assume-role-policy.json https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/aws/sedai-assume-role-policy-document.json
aws --profile AWS_PROFILE iam create-role --role-name SedaiAWSIntegrationRole --assume-role-policy-document file://assume-role-policy.json
# Replace <your-account-id> with the account the policy was created in; this is the ARN printed by create-policy in step 2
aws --profile AWS_PROFILE iam attach-role-policy --role-name SedaiAWSIntegrationRole --policy-arn "arn:aws:iam::<your-account-id>:policy/SedaiAWSIntegrationIamPolicy"
```

4. Copy the role **ARN** (printed by `create-role` as `Role.Arn`). You will need it to connect your resources to Sedai from the **Integrations** page.
{% endtab %}

{% tab title="Manually" %}
If you are restricted from using CloudFormation, you can create the IAM role yourself and attach the policy documents published at the S3 URLs listed under [IAM Policy Statements for Sedai](#iam-policy-statements-for-sedai), choosing either the read-write or the read-only set.
{% endtab %}
{% endtabs %}
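Whichever tab you followed, the role's trust policy is what decides who can assume it. The script below is an added example, not Sedai's code or its published trust policy document: `build_trust_policy` produces a trust policy for the cross-account role with the `sts:ExternalId` condition set, and `check_trust_policy` reports the two mistakes that matter most (an open or unexpected principal, and a missing or wrong External ID). The Account ID and External ID in it are placeholders; use the values displayed on the Sedai Integrations page.

```python
"""Build and check the trust policy of the cross-account role Sedai assumes.

Added example, not Sedai's code. The account ID and External ID below are
placeholders; take the real values from the Sedai Integrations page.
"""
import json

SEDAI_ACCOUNT_ID = "123456789012"    # placeholder for Sedai's Account ID (shown in the Sedai UI)
EXTERNAL_ID = "example-external-id"  # placeholder for the External ID (shown in the Sedai UI)


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for a role assumed from another AWS account.

    The sts:ExternalId condition is AWS's mitigation for the confused-deputy
    problem: knowing the role ARN is not enough to assume the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy, expected_account_id, expected_external_id):
    """Return a list of findings; an empty list means every AssumeRole grant
    names only the expected account and carries the expected External ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # Principal may be a dict ({"AWS": ...}) or the bare string "*".
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = aws_principals if isinstance(aws_principals, list) else [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append("principal '*' lets any AWS account assume the role")
            elif expected_account_id not in p:
                findings.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value shown in Sedai")
    return findings


if __name__ == "__main__":
    doc = build_trust_policy(SEDAI_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(doc, indent=2))  # paste this as the role's trust policy
    print(check_trust_policy(doc, SEDAI_ACCOUNT_ID, EXTERNAL_ID))  # []
```

To review a trust policy you downloaded or exported from the console (`aws iam get-role --role-name SedaiAWSIntegrationRole --query Role.AssumeRolePolicyDocument`), load it with `json.load` and pass it to `check_trust_policy` with the Account ID and External ID shown in Sedai.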

{% hint style="info" %}
If you plan to connect multiple EKS clusters from the same environment to Sedai, you will only need to create one IAM Role. The same ARN can be used to connect each cluster to Sedai.
{% endhint %}

#### Create IAM User

{% hint style="warning" %}
If your organization rotates access keys on a schedule, you will need to reconnect Sedai with the new key each time. Access keys are long-lived static credentials, whereas a role is assumed through STS with short-lived credentials, so we recommend connecting your AWS cloud with an IAM Role instead to ensure uninterrupted access.
{% endhint %}

1. Navigate to Identity and Access Management (IAM) within your AWS Console.
2. Create Sedai's [IAM policy](#iam-policy-statements-for-sedai).
3. Select **Users** > [Create user](https://console.aws.amazon.com/iamv2/home#/users).
4. Enter an easy to identify **User name**.
5. Under AWS credential type, select **Access key - Programmatic access** (this user needs no console password). Select **Next: Permissions.**
6. Under Set Permissions, select **Attach existing policies directly** and select the policy you created in Step 2.
7. You can optionally add Tags in the next step. Otherwise proceed to **Review** and **Create User** to finish setup.
8. View or download the created user's security credentials. You will need the Access Key ID and Secret Access Key to connect your resources to Sedai. The secret access key is shown only once, so store it in a secrets manager rather than in a ticket or chat message.

***

## Update CloudFormation Stack

You can update the CloudFormation stack to change Sedai's permissions. With read-write access in place, you can then manage which cloud products Sedai has permission to optimize, provided optimization is enabled in [Settings > Resources](/get-started/platform/settings.md) within Sedai.

{% hint style="info" %}
To update Sedai's cloud product permissions, adjust permissions both within Sedai and the AWS console. Within the AWS console, follow the steps below. Within Sedai, go to Settings > Integrations, select the cloud account, and click **Edit** under Managed Cloud Products.
{% endhint %}

When updating a CloudFormation stack, change sets allow you to preview planned changes before applying them, ensuring no unintended consequences. To do this, follow this process:

1. Access the CloudFormation console within the AWS Management Console.
2. Select the desired stack from the list and select the **Change Sets** tab.
3. Click **Create change set** then name the change set.
4. On the page to specify the template, choose **Use existing template** and click **Next**.
5. Update the Permission sections to reflect which cloud products you'd like Sedai to manage.
6. Click **Next**, then scroll down and click **Next** again.
7. In the Review and create page, check the capabilities and click **Submit**.
8. Review the planned changes then click **Execute change set**.
9. On the **Execute change set?** pop up, review the planned changes and specify your preferred options (We recommend using the pre-selected options).
10. Click **Execute change set** to enact the changes.

After creating or updating a CloudFormation stack, monitor the deployment. Within the CloudFormation console, the **Events** tab displays the status of each resource as the stack is processed. Refresh this tab until the stack shows `CREATE_COMPLETE` or `UPDATE_COMPLETE`. If the deployment fails, CloudFormation rolls the stack back; check the status reason of the failed resource in the Events tab, fix the cause, and then re-deploy.

***

## Resources

{% embed url="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" %}

{% embed url="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" %}

{% embed url="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html" %}

