Onboard AWS Account

Overview & Objectives

Purpose:

This document describes how to onboard a single AWS account into ARMO Platform. After onboarding, ARMO has visibility into the account's resources and can apply governance and compliance policies, monitor for risks, and detect anomalies.

Prerequisites

Item                 Requirement
ARMO Platform        You have Admin or Manager access to ARMO Platform.
AWS account access   You have administrative or IAM privileges in the AWS account you intend to onboard.
IAM permissions      Ability to create IAM roles, attach policies, and set trust relationships (the CloudFormation stack creates these resources, so the user launching it needs these permissions).

High-Level Flow

  1. In the ARMO platform: start the “Add AWS Account” flow for a single account (not an Organization).
  2. In the AWS account: launch the CloudFormation stack that ARMO provides; it creates an IAM role (e.g. Armoreadonlyrole) with the trust policy and permissions ARMO needs.
  3. In ARMO: enter the role ARN and configure settings.
  4. Let ARMO assume the role to ingest data (assets, compliance, alerts).
  5. Verify data ingestion, alerts, and resource visibility.

Detailed Step-by-Step Onboarding

Step 1: Initiate Onboarding in ARMO Platform

  1. Log in to the ARMO Platform and navigate to Settings → Accounts → AWS.
  2. Click the Amazon Web Services card → click Single Account → click Next.
  3. Choose the AWS Region in which to launch your stack, and click Launch Stack. This opens the CloudFormation Create stack page in the AWS console, prefilled with ARMO's template.


Step 2: Create the IAM Role in the AWS Account

In the target AWS account (the one being onboarded), on the CloudFormation Create stack page that Launch Stack opened:

  1. Scroll to the bottom and check the box «I acknowledge that AWS CloudFormation might create IAM resources with custom names».
  2. Click “Create stack”.
  3. Navigate to the Outputs tab (the RoleARN output may take up to a minute to appear while the stack is still creating).
  4. Copy the RoleARN value.


Step 3: Configure the Role in ARMO Platform

  1. Return to the ARMO Platform tab where you started the onboarding flow in Step 1.
  2. Enter the Display name.
  3. Enter the Role ARN of the IAM role the stack created (e.g. arn:aws:iam::<account_id>:role/armo-scan-role), exactly as copied from the Outputs tab.
  4. Click Connect account.
  5. ARMO shows “Congratulations” once it has assumed the role; the onboarding is then complete.


Step 4: Confirm Data Ingestion & Monitoring

  • In ARMO, check that the account appears in the Settings → Accounts → AWS table.
  • Check that ARMO shows scanning results on the Compliance or Host pages (depending on the features you selected).
  • Validate data freshness (e.g. that ARMO is syncing on its schedule and the last-sync time keeps advancing).

Troubleshooting

Issue                                        Likely Cause                                                              Suggested Fix
ARMO cannot assume role / “access denied”   Trust policy is wrong (principal, external ID, missing sts:AssumeRole)   Review the trust policy JSON; ensure it names the correct ARMO principal and external ID and allows sts:AssumeRole.
Some resources show no data                 IAM policy is missing read permissions for those AWS APIs                Add the missing Describe / List / Get actions for the affected resource types.
Role ARN entered incorrectly in ARMO        Typo, or wrong account / role name                                       Copy-paste the exact ARN from the CloudFormation stack Outputs tab (or the IAM console).
Delays in data refresh                      AWS API rate limits, or network issues                                   Check for AWS API throttling and for connectivity problems between ARMO and the account.
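The first and third rows of the table can be checked offline before you click Connect account. The following script is an added example, not part of this page or of ARMO's own tooling: it validates the format of a pasted role ARN and lints a role's trust policy for the three causes of “access denied” listed above (wrong principal, wrong or missing external ID, no sts:AssumeRole). The principal account, external ID and the two sample trust policies are constructed placeholders; substitute the values the ARMO onboarding screen shows for your tenant.

```python
import json
import re
from typing import Optional

# Constructed placeholders for this example. Use the principal and external ID
# that the ARMO onboarding screen shows for your tenant; these are not ARMO's
# real values.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # assumed ARMO account
EXPECTED_EXTERNAL_ID = "example-external-id"            # assumed external ID

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_role_arn(arn: str, expected_account: Optional[str] = None) -> list:
    """Return the problems with a role ARN pasted into ARMO (empty list = OK)."""
    problems = []
    m = ROLE_ARN_RE.match(arn.strip())
    if not m:
        problems.append("not a well-formed IAM role ARN "
                        "(expected arn:aws:iam::<12-digit-account>:role/<name>)")
        return problems
    if expected_account and m.group(1) != expected_account:
        problems.append(f"ARN belongs to account {m.group(1)}, "
                        f"not the account being onboarded ({expected_account})")
    return problems


def check_trust_policy(policy: dict,
                       principal: str = EXPECTED_PRINCIPAL,
                       external_id: str = EXPECTED_EXTERNAL_ID) -> list:
    """Return the problems with a role trust policy (empty list = OK).

    Passes when at least one Allow statement lets `principal` call
    sts:AssumeRole and pins the call to `external_id` (the confused-deputy
    protection). Mirrors the 'access denied' row of the troubleshooting table.
    """
    problems = []
    candidates = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        candidates += 1
        stmt_problems = []
        principals = stmt.get("Principal")
        if isinstance(principals, dict):
            aws = _as_list(principals.get("AWS"))
        else:
            aws = _as_list(principals)          # "Principal": "*" form
        if "*" in aws:
            stmt_problems.append("Principal is '*': any AWS account could assume the role")
        elif principal not in aws:
            stmt_problems.append(f"statement does not trust {principal} (found {aws})")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            stmt_problems.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext != external_id:
            stmt_problems.append(f"sts:ExternalId is {ext!r}, expected {external_id!r}")
        if not stmt_problems:
            return []                           # one correct statement is enough
        problems.extend(stmt_problems)
    if candidates == 0:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems


# Constructed sample documents (not taken from ARMO's CloudFormation template).
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

# Wrong principal and no external ID: the two most common "access denied" causes.
BAD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, check_trust_policy(doc) or "OK")
    print(check_role_arn("arn:aws:iam::123456789012:role/armo-scan-role",
                         "123456789012") or "ARN OK")
```

To run it against a real role, fetch the trust policy with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass the resulting JSON to check_trust_policy; a non-empty list is the concrete reason ARMO's AssumeRole call would be denied.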