Note on third‑party tools
We aim to provide accurate and helpful details about third‑party tools, but we can’t guarantee that this information is always complete or up to date. For the most reliable information, please always refer to the third‑party tool’s official documentation.
Before scanning your AWS cloud environment with Lansweeper Cloud Discovery, you need to integrate your Amazon Web Services (AWS) accounts with Lansweeper’s identity provider using Workload Identity Federation.
This setup allows Lansweeper to authenticate securely with AWS using OpenID Connect (OIDC) tokens—without storing or managing long-term credentials.
Understand the AWS scanning model
To scan resources across multiple AWS accounts, Lansweeper uses a two-level account structure:
Main account
Lists all linked AWS accounts using AWS Organizations.
Assumes roles in target accounts to read resources.
Target accounts
Contain a role that grants Lansweeper permissions to read cloud resources.
Create an OIDC identity provider
Create an OpenID Connect provider in your main AWS account to enable Lansweeper Discovery to authenticate.
Follow AWS’s documentation to Create an OpenID Connect (OIDC) identity provider in IAM.
Complete the fields as follows:
Provider URL:
https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067 (no trailing space or /)
Audience:
866d6f4d-c8fa-4342-9f6a-377932892ee0
Finish creating the provider.
Main account – Create the accounts listing policy
The accounts listing policy allows your Lansweeper Site to list organization accounts and assume roles in target accounts.
Follow AWS’s documentation to Define custom IAM permissions with customer managed policies.
In the IAM console, create a new policy.
Paste the following JSON and replace <your site ID> with your site's ID. To find your site ID, go to Configuration > Site settings in your Lansweeper Site.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:List*",
        "organizations:Describe*",
        "sts:GetCallerIdentity",
        "iam:GetRole",
        "sts:TagSession",
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/siteId": [ "<your site ID>" ]
        }
      }
    }
  ]
}
The condition is the control that scopes this policy: the trust policy created in the next step grants sts:TagSession, so Lansweeper can tag its web-identity session with a siteId session tag, and session tags are evaluated as aws:PrincipalTag. Listing accounts and assuming target roles is therefore only allowed for sessions tagged with one of your own site IDs.
If you plan to use the same role across multiple Lansweeper Sites, add all Site IDs in an array:
"StringEquals": { "aws:PrincipalTag/siteId": ["site ID #1", "site ID #2"] }
Main account – Create the main role and trust entity
Create a new IAM role that uses the OIDC identity provider and the listing policy.
In IAM > Roles, select Create role.
Under Trusted entity type, select Web identity.
For Identity provider, enter:
https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067
For Audience, enter:
866d6f4d-c8fa-4342-9f6a-377932892ee0
Attach the custom accounts listing policy created earlier.
Name the role, e.g. LSMainAccountRole.
After creation, select the role and open the Trust relationships tab.
Choose Edit trust policy and ensure the following JSON is in place, replacing <account number> with your main account's 12-digit account ID:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account number>:oidc-provider/login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067:aud": "866d6f4d-c8fa-4342-9f6a-377932892ee0"
        }
      }
    }
  ]
}
Keep the aud condition: it restricts the role to OIDC tokens issued for Lansweeper's audience, and without it any token from the same provider could assume the role. sts:TagSession is required so the session can carry the siteId tag that the accounts listing policy checks.
Save the trust policy.
Copy the Role ARN and keep it for later configuration in Lansweeper.
Main and target accounts – Create the reading policy
This policy defines the permissions used by Lansweeper to read AWS asset information.
Apply it to the main and all target accounts.
In IAM > Policies, create a new policy.
Add the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:DescribeOrganization",
        "sts:GetCallerIdentity", "iam:GetRole",
        "resource-groups:Get*", "resource-groups:List*", "resource-groups:Search*",
        "ssm:Describe*", "ssm:Get*", "ssm:List*",
        "codepipeline:Get*", "codepipeline:List*",
        "elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
        "appfabric:Get*", "appfabric:List*",
        "dms:Describe*", "dms:List*",
        "ds:Describe*", "ds:Get*", "ds:List*",
        "route53-recovery-readiness:Get*", "route53-recovery-readiness:List*",
        "iam:Get*", "iam:List*",
        "autoscaling:Describe*", "autoscaling:Get*",
        "securityhub:Describe*", "securityhub:Get*", "securityhub:List*",
        "network-firewall:Describe*", "network-firewall:List*",
        "sqs:Get*", "sqs:List*",
        "launchwizard:Describe*", "launchwizard:Get*", "launchwizard:List*",
        "compute-optimizer:Describe*", "compute-optimizer:Get*",
        "dlm:Get*",
        "savingsplans:Describe*", "savingsplans:List*",
        "sagemaker-groundtruth-synthetic:Get*", "sagemaker-groundtruth-synthetic:List*",
        "emr-serverless:Get*", "emr-serverless:List*",
        "route53domains:Get*", "route53domains:List*",
        "ses:Describe*", "ses:Get*", "ses:List*",
        "codeartifact:Describe*", "codeartifact:Get*", "codeartifact:List*",
        "networkmanager:Describe*", "networkmanager:Get*", "networkmanager:List*",
        "athena:Get*", "athena:List*",
        "iot:Describe*", "iot:Get*", "iot:List*",
        "appsync:Get*", "appsync:List*",
        "ce:Describe*", "ce:Get*", "ce:List*",
        "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*",
        "kinesis:Describe*", "kinesis:Get*", "kinesis:List*",
        "iotwireless:Get*", "iotwireless:List*",
        "sdb:Get*", "sdb:List*",
        "application-autoscaling:Describe*", "application-autoscaling:List*",
        "glacier:Describe*", "glacier:Get*", "glacier:List*",
        "lambda:Get*", "lambda:List*",
        "s3:Describe*", "s3:Get*", "s3:List*",
        "trustedadvisor:Describe*",
        "apprunner:Describe*", "apprunner:List*",
        "iotevents:Describe*", "iotevents:List*",
        "sagemaker:Describe*", "sagemaker:Get*", "sagemaker:List*", "sagemaker:Search*",
        "clouddirectory:Get*", "clouddirectory:List*",
        "iotroborunner:Get*", "iotroborunner:List*",
        "account:Get*", "account:List*",
        "rds:Describe*", "rds:List*",
        "serverlessrepo:Get*", "serverlessrepo:List*", "serverlessrepo:Search*",
        "lakeformation:Describe*", "lakeformation:Get*", "lakeformation:List*", "lakeformation:Search*",
        "appstream:Describe*", "appstream:List*",
        "glue:Get*", "glue:List*", "glue:Search*",
        "elastic-inference:Describe*", "elastic-inference:List*",
        "logs:Describe*", "logs:Get*", "logs:List*",
        "iotanalytics:Describe*", "iotanalytics:Get*", "iotanalytics:List*",
        "ecr:Describe*", "ecr:Get*", "ecr:List*",
        "kafka:Describe*", "kafka:Get*", "kafka:List*",
        "scheduler:Get*", "scheduler:List*",
        "codedeploy:Get*", "codedeploy:List*",
        "servicediscovery:Get*", "servicediscovery:List*",
        "kms:Describe*", "kms:Get*", "kms:List*",
        "ecr-public:Describe*", "ecr-public:Get*", "ecr-public:List*",
        "workspaces-web:Get*", "workspaces-web:List*",
        "elasticfilesystem:Describe*", "elasticfilesystem:List*",
        "route53-recovery-control-config:Describe*", "route53-recovery-control-config:Get*", "route53-recovery-control-config:List*",
        "batch:Describe*", "batch:List*",
        "events:Describe*", "events:List*",
        "waf-regional:Get*", "waf-regional:List*",
        "workspaces:Describe*",
        "redshift:Describe*", "redshift:Get*",
        "organizations:Describe*", "organizations:List*",
        "emr-containers:Describe*", "emr-containers:List*",
        "kafkaconnect:Describe*", "kafkaconnect:List*",
        "datapipeline:Describe*", "datapipeline:Get*", "datapipeline:List*",
        "dynamodb:Describe*", "dynamodb:Get*", "dynamodb:List*",
        "sts:Get*",
        "lightsail:Get*",
        "s3-object-lambda:Get*", "s3-object-lambda:List*",
        "cloudfront-keyvaluestore:Describe*", "cloudfront-keyvaluestore:Get*", "cloudfront-keyvaluestore:List*",
        "firehose:Describe*", "firehose:List*",
        "codebuild:Describe*", "codebuild:List*",
        "notifications:Get*", "notifications:List*",
        "cloudfront:Describe*", "cloudfront:Get*", "cloudfront:List*",
        "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*",
        "autoscaling-plans:Describe*", "autoscaling-plans:Get*",
        "backup:Describe*", "backup:Get*", "backup:List*",
        "kinesisvideo:Describe*", "kinesisvideo:Get*", "kinesisvideo:List*",
        "eks:Describe*", "eks:List*",
        "pipes:Describe*", "pipes:List*",
        "ec2messages:Get*",
        "mq:Describe*", "mq:List*",
        "identitystore-auth:List*",
        "tag:Describe*", "tag:Get*",
        "config:Describe*", "config:Get*", "config:List*",
        "es:Describe*", "es:Get*",
        "lookoutvision:List*",
        "sns:Get*", "sns:List*",
        "cloudsearch:Describe*", "cloudsearch:List*",
        "secretsmanager:Describe*", "secretsmanager:List*",
        "notifications-contacts:Get*", "notifications-contacts:List*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
        "elasticmapreduce:Describe*", "elasticmapreduce:Get*", "elasticmapreduce:List*",
        "waf:Get*", "waf:List*",
        "elasticache:Describe*", "elasticache:List*",
        "route53-recovery-cluster:Get*", "route53-recovery-cluster:List*",
        "swf:Describe*", "swf:Get*", "swf:List*",
        "ec2:Describe*", "ec2:Get*", "ec2:List*", "ec2:Search*",
        "transfer:Describe*", "transfer:List*",
        "iot1click:Describe*", "iot1click:Get*", "iot1click:List*",
        "wafv2:Describe*", "wafv2:Get*", "wafv2:List*",
        "ecs:Describe*", "ecs:List*",
        "kinesisanalytics:Describe*", "kinesisanalytics:Get*", "kinesisanalytics:List*",
        "route53:Get*", "route53:List*",
        "route53resolver:Get*", "route53resolver:List*"
      ],
      "Resource": "*"
    }
  ]
}
Note that several of these wildcards reach past inventory metadata: s3:Get* includes s3:GetObject (object contents), ssm:Get* includes ssm:GetParameter (parameter values) and lambda:Get* includes lambda:GetFunction (environment variables and a code download URL). The policy contains no write actions, but treat a role holding it as having sensitive read access and keep its trust policy as narrow as the next section describes.
Save the policy with a consistent name, e.g. LSReadResourcesPolicy.
Main and target accounts – Create the reading role and trust entity
This role lets your Lansweeper Site enumerate resources in each AWS account.
In each AWS account, go to IAM > Roles > Create role.
Choose Custom trust policy.
Add the following trust relationship, replacing <main account number> and the role name accordingly:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:sts::<main account number>:assumed-role/LSMainAccountRole/web-identity"
        ]
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
The principal is a role session ARN, not the main account: only a session of the named main role with the session name web-identity can assume this role, so both the role name and the session name must match the main account setup exactly. Do not widen it to the account root ARN.
Attach the LSReadResourcesPolicy.
Name the role LSReadingRole.
Use the same name for this role across all accounts.
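The five steps above (OIDC provider, accounts listing policy, main role trust, reading policy, reading role trust) fit together as a small policy-as-code script. The following is an added example, not Lansweeper's or AWS's own code: it builds each document from the account ID, site IDs and an action list, and lints them for the controls the setup relies on (an audience condition on the OIDC trust, the siteId tag condition on sts:AssumeRole, no wildcard principal, no non-read action in the reading policy). The policy name LSAccountsListingPolicy, the document keys, the 12-digit account ID, the site ID and the short SAMPLE_ACTIONS list are constructed placeholders; feed it the full action list from the reading policy section when you use it.

```python
# Added example (not Lansweeper's or AWS's own code): build the four IAM
# documents this page describes from a few parameters, and lint them for the
# controls the setup depends on, before handing them to the AWS CLI.
# Assumptions: the account ID, site ID and SAMPLE_ACTIONS below are constructed
# placeholders; the policy name LSAccountsListingPolicy is our own choice.
import json

PROVIDER_HOST = "login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067"
PROVIDER_URL = "https://" + PROVIDER_HOST          # no trailing slash
AUDIENCE = "866d6f4d-c8fa-4342-9f6a-377932892ee0"
SITE_TAG_KEY = "aws:PrincipalTag/siteId"

# Constructed subset of the page's reading-policy action list.
SAMPLE_ACTIONS = ["ec2:Describe*", "s3:List*", "rds:Describe*", "lambda:List*"]


def listing_policy(site_ids):
    """Main account: list organization accounts and assume target roles, but only
    when the session carries a siteId tag matching one of our Lansweeper Sites."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["organizations:List*", "organizations:Describe*",
                   "sts:GetCallerIdentity", "iam:GetRole",
                   "sts:TagSession", "sts:AssumeRole"],
        "Resource": "*",
        "Condition": {"StringEquals": {SITE_TAG_KEY: list(site_ids)}},
    }]}


def main_role_trust(main_account):
    """Main account: trust the OIDC provider, but only tokens minted for AUDIENCE."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{main_account}:oidc-provider/{PROVIDER_HOST}"},
        "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        "Condition": {"StringEquals": {f"{PROVIDER_HOST}:aud": AUDIENCE}},
    }]}


def reading_policy(actions):
    """Main and target accounts: read-only inventory permissions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def reading_role_trust(main_account, main_role="LSMainAccountRole",
                       session_name="web-identity"):
    """Target account: trust exactly the main role's web-identity session,
    not the whole main account."""
    arn = f"arn:aws:sts::{main_account}:assumed-role/{main_role}/{session_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [arn]},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }]}


def lint(name, doc):
    """Return findings (empty list == passes) for the controls this setup relies on."""
    findings = []
    for st in doc["Statement"]:
        actions = st.get("Action", [])
        principal = st.get("Principal", {})
        cond = st.get("Condition", {}).get("StringEquals", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"{name}: wildcard principal")
        if "Federated" in principal and f"{PROVIDER_HOST}:aud" not in cond:
            findings.append(f"{name}: OIDC trust has no audience condition")
        if "Principal" not in st and "sts:AssumeRole" in actions and SITE_TAG_KEY not in cond:
            findings.append(f"{name}: sts:AssumeRole is not restricted to a siteId session tag")
        for a in actions:
            verb = a.split(":", 1)[1] if ":" in a else a
            if not verb.startswith(("Describe", "Get", "List", "Search")) and \
               verb not in ("AssumeRole", "AssumeRoleWithWebIdentity", "TagSession"):
                findings.append(f"{name}: non-read action {a}")
    return findings


def build_all(main_account, site_ids, actions=SAMPLE_ACTIONS):
    """Build every document, fail loudly if any control is missing, and return
    them as pretty JSON strings ready for --policy-document file://..."""
    docs = {
        "LSAccountsListingPolicy": listing_policy(site_ids),
        "LSMainAccountRole.trust": main_role_trust(main_account),
        "LSReadResourcesPolicy": reading_policy(actions),
        "LSReadingRole.trust": reading_role_trust(main_account),
    }
    problems = [f for n, d in docs.items() for f in lint(n, d)]
    if problems:
        raise ValueError("; ".join(problems))
    return {n: json.dumps(d, indent=2) for n, d in docs.items()}


if __name__ == "__main__":
    # Constructed placeholders: AWS account IDs are 12 digits; the site ID is
    # whatever Configuration > Site settings shows in your Lansweeper Site.
    for name, body in build_all("123456789012", ["site-id-placeholder"]).items():
        print(f"# {name}\n{body}\n")
```

Write each rendered document to a file and pass it to the AWS CLI: `aws iam create-policy --policy-name LSReadResourcesPolicy --policy-document file://LSReadResourcesPolicy.json`, `aws iam create-role --role-name LSMainAccountRole --assume-role-policy-document file://LSMainAccountRole.trust.json`, and so on for each account, keeping the role name LSReadingRole identical everywhere. Running lint over a document someone later edited in the console is the cheapest way to catch a dropped aud condition or siteId tag condition, which would otherwise silently widen who can assume the roles.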
Next steps
Now that you have prepared your AWS environment, you can create a Cloud Discovery action to connect with Lansweeper Sites.