Skip to content

AWS Connector

The AWS connector is how Outbound discovers and manages egress in your account. You deploy a single CloudFormation stack; it creates a scoped cross-account IAM role that Outbound’s control plane assumes, plus a small set of supporting resources. This page walks through the setup and documents every permission we request and why we need it.

ResourcePurpose
IAM role cloudphilosnetworksThe cross-account role Outbound’s control plane assumes to discover your networks and manage gateways. Trust is restricted to CloudPhilos’s AWS account and a per-customer External ID.
IAM role & instance profile outbound-ec2-instance-roleAttached to gateway instances so they can fetch their reporting API key and be managed via AWS Systems Manager.
Discovery Lambda + EventBridge rulesListens for EC2 instance and ECS task state changes and registers new private IPs with Outbound, so flows are attributed to the right application within seconds of a workload starting.
Secrets Manager secret /cloudphilos/outbound/api-keyHolds the API key gateways use to report flow telemetry. The key stays in your account; Outbound pushes and rotates it.

Deploy the stack in each region you want Outbound to manage. For multi-region accounts, use CloudFormation StackSets.

  1. In the Outbound dashboard, go to Integrations → Add integration → AWS. The wizard generates your External ID and the CloudFormation template.
  2. Deploy the stack in your account (console, CLI, or StackSets for multiple regions).
  3. Back in the wizard, enter your account ID, the created role’s ARN, the External ID, an account name, and the regions to manage.
  4. Outbound assumes the role, verifies access, and starts a read-only network scan. Continue with Your First Gateway.

This is the role Outbound’s control plane uses. Its permissions fall into two groups: read-only discovery, and scoped writes for the gateway lifecycle. Write permissions are constrained to Outbound-tagged resources or specific ARNs wherever the IAM action supports it.

PermissionWhy we need it
ec2:DescribeVpcsDiscover the VPCs in your account so you can choose which ones Outbound manages.
ec2:DescribeSubnetsClassify subnets as public or private, and pair private subnets with a public subnet for gateway placement.
ec2:DescribeRouteTablesFind each subnet’s route table and its current default route — the basis of route table management.
ec2:DescribeNatGatewaysFind the AWS NAT Gateways a gateway will replace, and read their configuration.
ec2:DescribeInstancesTrack the state of gateway instances we launch, and attribute traffic to your EC2 workloads by private IP.
ec2:DescribeNetworkInterfacesMap private IP addresses to network interfaces for traffic attribution.
ec2:DescribeAddressesDiscover Elastic IPs, including the ones Outbound allocates and pools for the static IP guarantee.
ec2:DescribeSecurityGroupsFind or reuse the Outbound gateway security group in each VPC.
ecs:ListClusters, ecs:ListTasksEnumerate ECS clusters and tasks so container workloads can be attributed.
ecs:DescribeTasks, ecs:DescribeTaskDefinitionResolve an ECS task’s private IP and service name for per-application attribution.
cloudwatch:GetMetricDataRead your existing NAT Gateway’s traffic metrics (bytes, packets, connections) to recommend a gateway size.
sts:GetCallerIdentityVerify the role assumption and confirm which account we’re operating in.
PermissionResource scopeWhy we need it
ec2:RunInstancesInstance, volume, ENI, subnet, security group, AMI resourcesLaunch the Outbound gateway instance in your public subnet.
ec2:TerminateInstancesOnly instances tagged Name=cloudphilos-gatewayRemove a gateway during an upgrade/replacement or offboarding. Cannot touch your workloads.
ec2:ModifyInstanceAttributeOnly instances tagged Name=cloudphilos-gatewayDisable source/destination checking on the gateway — required for any instance that forwards traffic (NAT).
ec2:CreateSecurityGroupVPC / security groupCreate the gateway’s security group (one per VPC, ingress limited to your VPC CIDR).
ec2:AuthorizeSecurityGroupIngressOnly groups tagged cloudphilos-gateway-*Allow your VPC’s private subnets to send traffic to the gateway.
ec2:CreateTagsOutbound-created instances, security groups, Elastic IPsTag gateway resources so they’re identifiable — and so the scoped permissions above apply to them and nothing else.
ec2:CreateRoute, ec2:ReplaceRouteRoute tablesPoint the 0.0.0.0/0 route of private subnets at the gateway. Only the default route is ever touched — see Route Table Management.
ec2:AllocateAddress, ec2:AssociateAddress, ec2:ReleaseAddressElastic IPsAllocate and attach the gateway’s static Elastic IP, maintain the spare-IP pool that preserves your egress IP across replacements, and release IPs at offboarding.
ec2:DeleteNatGatewayNAT gatewaysRemove your old AWS NAT Gateway after traffic has been cut over to the Outbound gateway, so you stop paying for both.
secretsmanager:UpdateSecretOnly /cloudphilos/outbound/api-key*Push and rotate the telemetry API key stored in your account.
iam:PassRoleOnly the outbound-ec2-instance-role, and only to ec2.amazonaws.comAttach the instance profile to gateway instances at launch. Cannot pass any other role, or to any other service.

Gateway instance role (outbound-ec2-instance-role)

Section titled “Gateway instance role (outbound-ec2-instance-role)”

Attached to the gateway EC2 instances themselves.

PermissionWhy we need it
secretsmanager:GetSecretValue on /cloudphilos/outbound/api-keyThe gateway’s sensor fetches the API key it uses to report flow telemetry over HTTPS.
AmazonEC2RoleforSSM (AWS managed policy)Lets you and CloudPhilos manage the gateway via AWS Systems Manager (patching, session access for support) without opening SSH.
PermissionWhy we need it
ec2:DescribeInstances, ec2:DescribeTagsWhen an EC2 instance starts, look up its private IP, VPC, and name tags to register it for attribution.
ecs:DescribeTasks, ecs:DescribeTaskDefinitionSame, for ECS tasks.
secretsmanager:GetSecretValueAuthenticate to Outbound’s registration endpoint.
sts:GetCallerIdentityInclude the account ID in registrations.
AWSLambdaBasicExecutionRole (AWS managed policy)Write the Lambda’s own logs to CloudWatch Logs.

Deleting the CloudFormation stack immediately revokes all of Outbound’s access. Do this after following the offboarding guide — if you revoke access while Outbound still owns your default routes, you’ll be left managing the cutover back by hand.