AWS
Connect your AWS accounts to enable CloudThinker agents to analyze costs, optimize resources, audit security, and manage infrastructure.

Setup Methods
CloudThinker supports two authentication methods. Role-Based authentication is strongly recommended.
- Role-Based (Recommended)
- Access Keys (Alternative)
IAM Role with AssumeRole
This method creates an IAM role that CloudThinker assumes to access your resources. Benefits:
- No long-term credentials are shared or stored
- Uses AWS STS for temporary, auto-rotated credentials
- The External ID protects against confused-deputy attacks
- Easy to audit and revoke access
Quick Setup via CloudShell
1. Open AWS CloudShell: log in to the AWS Console and open CloudShell from the top navigation bar.
2. Run the setup script: in CloudThinker's connection dialog, click Copy Script and paste it into CloudShell. The script will:
   - Validate that `CloudThinkerAccessRole` doesn't already exist
   - Create the IAM role with read-only permissions
   - Attach a trust policy containing your External ID
3. Copy the Role ARN from the script output.
4. Complete the connection: paste the Role ARN into CloudThinker and select your region.
Expected Output
Manual Role Creation
If you prefer manual setup:

Trust Policy:

Required Permissions
Minimum (Read-Only Analysis)
Recommended (Full Analysis)
Agent Capabilities
Once connected, agents can:

| Agent | AWS Capabilities |
|---|---|
| Alex | Cost analysis, EC2 right-sizing, Reserved Instance recommendations, resource optimization |
| Oliver | Security Hub findings, IAM audits, compliance checks, vulnerability assessment |
| Tony | RDS performance analysis, Aurora optimization, DynamoDB tuning |
| Kai | EKS cluster management, Fargate optimization, container analysis |
Multi-Account Setup
For organizations with multiple AWS accounts:
1. Create a role in each account: deploy the IAM role using CloudFormation StackSets.
2. Use AWS Organizations: connect the management account for organization-wide visibility.
3. Add each account: add account connections individually in CloudThinker.
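The StackSets step above needs a template that creates the same role in every target account while still pinning the trusted account and External ID. The following is an added example, not CloudThinker's published template: it renders a CloudFormation template for `CloudThinkerAccessRole` (the role name used by the setup script) with the account ID and External ID as parameters. The managed policy it attaches (`ViewOnlyAccess`) is an illustrative assumption, since this page does not list CloudThinker's exact permission set; the `aws cloudformation` commands in the comments and the OU ID are likewise assumed placeholders.

```python
import json

ROLE_NAME = "CloudThinkerAccessRole"  # role name used by the CloudShell setup script


def stackset_template(managed_policy_arns):
    """Template for one CloudThinkerAccessRole per target account.

    The trusting account and the External ID are parameters, so a single StackSet
    can deploy the role organisation-wide while the trust policy still restricts
    AssumeRole to one principal that presents the right External ID.
    """
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${CloudThinkerAccountId}:root"}},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}},
        }],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Cross-account analysis role for CloudThinker (added example template)",
        "Parameters": {
            "CloudThinkerAccountId": {
                "Type": "String",
                "AllowedPattern": "^[0-9]{12}$",
                "Description": "AWS account ID from which CloudThinker assumes the role",
            },
            "ExternalId": {
                "Type": "String",
                "NoEcho": True,              # keep the External ID out of console and describe output
                "MinLength": "2",
                "MaxLength": "1224",         # STS length limits for an External ID
                "AllowedPattern": "^[\\w+=,.@:/-]+$",
                "Description": "External ID shown in CloudThinker's connection dialog",
            },
        },
        "Resources": {
            "CloudThinkerAccessRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "Description": "Assumed by CloudThinker agents for read-only analysis",
                    "AssumeRolePolicyDocument": trust_policy,
                    "ManagedPolicyArns": list(managed_policy_arns),
                },
            },
        },
        "Outputs": {
            "RoleArn": {
                "Description": "Paste this ARN into CloudThinker when adding the account",
                "Value": {"Fn::GetAtt": ["CloudThinkerAccessRole", "Arn"]},
            },
        },
    }


def render_template(template: dict) -> str:
    """Serialise the template as JSON for --template-body file://..."""
    return json.dumps(template, indent=2)


def template_has_external_id_guard(template: dict) -> bool:
    """Pre-deploy sanity check: every AssumeRole statement must require sts:ExternalId."""
    props = template["Resources"]["CloudThinkerAccessRole"]["Properties"]
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


# Assumed deployment commands (placeholder OU id; IAM is global and RoleName is fixed,
# so deploy to exactly one region per account to avoid name collisions):
#   aws cloudformation create-stack-set --stack-set-name CloudThinkerAccessRole \
#     --template-body file://cloudthinker-role.json --capabilities CAPABILITY_NAMED_IAM \
#     --permission-model SERVICE_MANAGED \
#     --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
#     --parameters ParameterKey=CloudThinkerAccountId,ParameterValue=<account-id> \
#                  ParameterKey=ExternalId,ParameterValue=<external-id>
#   aws cloudformation create-stack-instances --stack-set-name CloudThinkerAccessRole \
#     --deployment-targets OrganizationalUnitIds=ou-PLACEHOLDER --regions us-east-1

if __name__ == "__main__":
    # ViewOnlyAccess is an illustrative choice, not CloudThinker's documented policy set
    tmpl = stackset_template(["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"])
    assert template_has_external_id_guard(tmpl)
    print(render_template(tmpl))
```

`CAPABILITY_NAMED_IAM` is required because the template fixes `RoleName`; using `NoEcho` on the External ID keeps it out of stack descriptions, and the `template_has_external_id_guard` check is a cheap guard against someone later editing the condition out of the trust policy.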
Multi-Account Guide
Detailed guide for managing multiple AWS accounts
Troubleshooting
Access Denied errors
- Verify IAM role has required permissions
- Check trust policy includes CloudThinker’s account
- Confirm External ID matches exactly
- Ensure role ARN is correct
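The manual role creation section above (trust policy with an External ID, minimal read-only permissions) and this Access Denied checklist both come down to reading two JSON documents carefully. The following is an added example, not CloudThinker's own tooling: it builds the trust policy the manual setup describes, explains why an AssumeRole call would be refused (untrusted account, missing or mismatched External ID, or an over-broad principal), and answers the "is `ce:GetCost*` actually granted?" question with IAM's action wildcard matching. The account ID, External ID and sample permission policy are constructed placeholders, and the read-verb list is a heuristic of this example rather than an AWS definition.

```python
import fnmatch
from typing import List, Optional

# Constructed placeholders; use the values shown in CloudThinker's connection dialog.
CLOUDTHINKER_ACCOUNT_ID = "111111111111"   # assumption: the account that calls AssumeRole
EXTERNAL_ID = "example-external-id-0000"   # assumption: External ID issued for this connection
ROLE_NAME = "CloudThinkerAccessRole"        # role name used by the CloudShell setup script

# Constructed illustration of a minimal read-only policy; not CloudThinker's published list.
MINIMAL_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:GetCost*", "ec2:Describe*", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"],
        "Resource": "*",
    }],
}


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy: only `trusted_account` may assume the role, and only with `external_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    """Most IAM policy fields accept a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy: dict, caller_account: str,
                       presented_external_id: Optional[str]) -> List[str]:
    """Explain why AssumeRole from `caller_account` would be denied and flag weaknesses.
    An empty list means the call is allowed and the confused-deputy guard is in place."""
    findings: List[str] = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in principals:
            findings.append("trust policy allows any AWS principal ('*'); restrict it to one account")
        elif not any(p == caller_account or f":{caller_account}:" in p for p in principals):
            findings.append(f"account {caller_account} is not a trusted principal (check trust policy)")
        required = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not required:
            findings.append("no sts:ExternalId condition; confused-deputy protection is missing")
        elif presented_external_id not in required:
            findings.append("External ID mismatch; the value must match the trust policy exactly")
        return findings
    return ["no Allow statement for sts:AssumeRole in the trust policy"]


def policy_allows(policy: dict, action: str) -> bool:
    """Is `action` granted by an identity policy? Honours IAM action wildcards (* and ?),
    matches case-insensitively, and lets an explicit Deny win. Resource and Condition
    elements are deliberately ignored: this answers "is the action granted at all?",
    not a full IAM evaluation."""
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), pat) for pat in patterns):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search", "Scan", "Query")


def write_capable_actions(policy: dict) -> List[str]:
    """Heuristic least-privilege check: allowed actions whose verb is not a read verb
    (or that are a bare '*'), which an analysis-only role should not need."""
    suspect = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for act in _as_list(stmt.get("Action")):
            verb = act.split(":", 1)[1] if ":" in act else act
            if not verb.startswith(READ_PREFIXES):
                suspect.append(act)
    return suspect


if __name__ == "__main__":
    trust = build_trust_policy(CLOUDTHINKER_ACCOUNT_ID, EXTERNAL_ID)
    print("ok:", check_trust_policy(trust, CLOUDTHINKER_ACCOUNT_ID, EXTERNAL_ID))
    print("wrong External ID:", check_trust_policy(trust, CLOUDTHINKER_ACCOUNT_ID, "typo"))
    print("ce:GetCostAndUsage granted:", policy_allows(MINIMAL_READ_ONLY_POLICY, "ce:GetCostAndUsage"))
    print("write-capable actions:", write_capable_actions(MINIMAL_READ_ONLY_POLICY))
```

Run `check_trust_policy` against the trust document you actually attached (for example the output of `aws iam get-role`) with the account and External ID CloudThinker shows you; a single "mismatch" finding is the typical cause of the Access Denied error, while a `'*'` principal finding means the role works but the confused-deputy protection the External ID provides has been bypassed.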
Missing cost data
- Enable Cost Explorer in AWS Console (takes 24h to activate)
- Verify `ce:GetCost*` permissions are granted
- Check billing preferences allow programmatic access
Missing metrics
- Verify CloudWatch metrics are being collected
- Check region selection includes all relevant regions
- Confirm services are running and generating data
Connection timeout
- Check network connectivity to AWS APIs
- Verify no VPC endpoints blocking access
- Try connecting from a different region
Security Best Practices
- Use Role-Based auth - Avoid long-term access keys
- Minimal permissions - Grant only what’s needed
- Enable CloudTrail - Audit all API calls
- Regular review - Audit permissions quarterly
- External ID - Always use for cross-account roles