AWS Provider Setup#


Note: AWS CLI supports Single Sign-On via IAM Identity Center. You can use the aws sso login command to authenticate before running provider setup.


The Censys Cloud Connector provider setup will ask a series of questions that have opt-in defaults.

  • Select a credential profile allows you to choose which named profile to use during provider setup.

    • You can optionally save the profile’s credentials to providers.yml

  • Define a role name to use STS Assume Role. This enables running the connector without defining an access or secret key.

    • When using a role, AWS recommends using a Session Role Name. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user.

  • If your organization has multiple accounts, provider setup will give an option to find and load these accounts into providers.yml. The find accounts feature has two ways to look up accounts:

    • Find accounts with a CloudFormation StackSet Instance

    • Find accounts using Organization List Accounts

Permissions Overview#

The permissions used are dependant on options chosen during setup.






Used to find the primary account number



Allows finding accounts within an organization



Allows finding accounts using a specific StackSet instance

Find Accounts Feature#

Add assets from all of your AWS accounts for the most up-to-date view of your cloud attack surface.

Find Accounts by Organizations#

Provider setup will use the Organizations List Accounts feature to find a list of accounts. You will then have the option to choose which accounts are saved into providers.yml.

Find Accounts by StackSet#

Censys provides a CloudFormation StackSet template available to create the CensysCloudConnectorRole. It also serves as a way to list your organization’s account numbers with the CloudFormation Stack Instance API.

Account Specific Roles#

If you are utilizing multiple accounts in providers.yml, it’s possible to configure roles that are unique to each account.

- provider: aws
  account_number: 111 # <- primary account
  role_name: SharedRole
  - account_number: 222
  - account_number: 333
    role_name: Role333
  - account_number: 444
    role_name: Role444

In this example, account 222 will inherit the role SharedRole. Account 333 will overwrite the parent role with Role333.

Configure Cloud Connector IAM#

The Censys Cloud Connector has a set of minimum required permissions. These permissions can be applied through standard IAM configuration. As a security best-practice, the connector also supports creation of temporary credentials via Secure Token Service (STS).

Censys also maintains a CloudFormation StackSet template that will deploy a CensysCloudConnectorRole role to all of your AWS accounts. The StackSet can also be used to list all of your accounts.

StackSet Deployment#

See StackSet Deployment for a walk-through of how to install the Censys Cloud Connector StackSet in your account.

Asset Deny List#

In certain situations it is desirable not to have assets sent to Censys. This can be accomplished by utilizing the cloud provider’s tagging feature. At this time, only AWS ENI and EC2 tags are supported.


  • AWS supports ignore_tags at the provider and account levels in providers.yml.

  • Tags named censys-cloud-connector-ignore are ignored.