How ZEUS reads AWS (IAM role / access key, Boto3, GuardDuty, Security Hub)
This is the key lesson for anyone deploying ZEUS at a customer running AWS. It shows exactly how the connector authenticates and which APIs it queries — read-only.
Identity: IAM role (preferred) or access key
ZEUS offers two authentication models:
- Cross-account IAM role (recommended) — in the customer's account we create a role with a trust relationship to the ZEUS account; the connector assumes it via AssumeRole and receives temporary credentials. No long-term secrets.
- Access key — for a single account or environments without Organizations. Less preferred (a long-term secret), but supported.
In both variants the identity carries only the ReadOnlyAccess and
SecurityAudit policies — no permissions to modify anything.
The role's trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<konto-zeus>:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "<unikalne-id>" } }
  }]
}
```
Tip: ExternalId protects against the "confused deputy" attack. ZEUS always requires it when configuring a cross-account role — it is the industry standard for third-party access.
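A quick way to verify that a customer's trust policy actually has the shape above before the first scan. This is an added example, not ZEUS code; the account id and ExternalId in the samples are constructed placeholders, and the checks go slightly beyond the page by also flagging a wildcard principal and actions broader than sts:AssumeRole.

```python
import json

ASSUME = {"sts:AssumeRole"}

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, expected_principal, expected_external_id):
    """Return a list of problems; an empty list means the policy has the recommended shape."""
    problems, grants_assume = [], False
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not (actions & (ASSUME | {"sts:*", "*"})):
            continue  # this statement does not grant role assumption
        grants_assume, tag = True, f"statement {i}"
        if actions - ASSUME:
            problems.append(f"{tag}: grants more than sts:AssumeRole: {sorted(actions - ASSUME)}")
        principal = stmt.get("Principal", {})
        aws = set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else {principal}
        if "*" in aws:
            problems.append(f"{tag}: wildcard principal, any AWS account could assume the role")
        elif aws != {expected_principal}:
            problems.append(f"{tag}: principal {sorted(aws)} is not {expected_principal}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            problems.append(f"{tag}: no sts:ExternalId condition, confused-deputy protection missing")
        elif ext_id != expected_external_id:
            problems.append(f"{tag}: sts:ExternalId differs from the value agreed with ZEUS")
    if not grants_assume:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems

# Constructed samples: the account id and ExternalId are placeholders, not real values.
ZEUS_PRINCIPAL = "arn:aws:iam::999999999999:root"
EXTERNAL_ID = "example-external-id"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ZEUS_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
# Same role assumable by any account and without ExternalId: the confused-deputy setup.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    print("good:", lint_trust_policy(GOOD_POLICY, ZEUS_PRINCIPAL, EXTERNAL_ID))  # []
    print("weak:", lint_trust_policy(WEAK_POLICY, ZEUS_PRINCIPAL, EXTERNAL_ID))
```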
Scan mechanics (Boto3)
The connector is built on Boto3 (see lesson 04). After assuming the role:
```python
import boto3

sts = boto3.client("sts")
creds = sts.assume_role(
    RoleArn="arn:aws:iam::111122223333:role/zeus-readonly",
    RoleSessionName="zeus-scan",
    ExternalId="<unikalne-id>",
)["Credentials"]
# ...then the EC2, S3, RDS, IAM, GuardDuty and SecurityHub clients are built from these creds
session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])
ec2 = session.client("ec2")  # same pattern for s3, rds, iam, guardduty, securityhub
```
The scan uses paginators (for completeness), retries with backoff (for throttling) and exclusively Describe/List/Get operations.
Data sources
| Source | What it reads | What for |
|---|---|---|
| EC2 / VPC API | instances, networks, security groups | inventory + exposure |
| S3 / RDS API | buckets, databases, encryption | data posture |
| IAM API | users, roles, policies | identity posture |
| GuardDuty | findings (threats) | SecOps |
| Security Hub | aggregated findings | posture + compliance |
| Access Analyzer | external access | least privilege |
Multi-cloud consolidation
All the streams from AWS flow into the same data model as Azure and GCP. As a result the customer sees one security posture dashboard, one alert queue (GuardDuty + Defender + SCC) and one set of compliance evidence (NIS2, DORA, ISO 27001) — regardless of how many clouds there are.
Track summary
From accounts and IAM, through networking, compute, Boto3, security services and costs, to the ZEUS connector — you now have the full picture for understanding how ZEUS "sees" a customer's AWS environment and for leading a read-only reader deployment.