
Cloud Integrations

Cybrium connects to AWS, Azure, GCP, and Active Directory to discover cloud assets, assess identity and configuration posture, and — when authorized — execute cloud-native adversary techniques.

Screenshot: Cloud integrations page with four provider tiles

AWS

AWS supports two connection modes:

IAM User (access key). Create an IAM user with the Cybrium-provided read-only policy, generate an access key pair, and paste both values into the connection form. Fast to set up; appropriate for small accounts or short-lived assessments.

AssumeRole via CloudFormation (recommended). No long-lived keys leave your account. Download Cybrium's CloudFormation template, deploy it to the account you want to connect, and paste the resulting role ARN into Cybrium. The template creates a role that trusts Cybrium's assessment principal and requires a per-tenant External ID to prevent the confused-deputy problem. Cybrium then uses STS AssumeRole to obtain short-lived credentials for each scan.

The Cloud Quick Setup wizard walks you through this end to end: it emits the template, provides a deep link that opens the CloudFormation console in the correct region with the parameters prefilled, polls for the stack's status, and captures the role ARN automatically on completion.

Azure

Connect via an Azure AD application registration. Create an app, grant it the Cybrium-specified Reader-level roles on the subscriptions in scope, generate a client secret or (preferred) a certificate, and paste the tenant ID, client ID, and credential into Cybrium. Certificate-based credentials are rotated on a tenant-configurable schedule.

GCP

Connect with a service account key. Create a service account in the project you want to connect, grant it the Cybrium-specified viewer roles at the project or folder level, generate a JSON key, and upload the file. Workload Identity Federation is supported as an alternative when the assessment runs from a federated principal.

Active Directory

On-prem Active Directory connects through a Cybrium on-prem agent. The agent runs as a Windows service on a domain-joined host and performs LDAP and Kerberos queries scoped to the read-only service account you register.

External ID Security

Every AWS AssumeRole connection requires an External ID that Cybrium generates per tenant and never reuses. Rotating the External ID rotates cross-account trust without touching Cybrium's principal.
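Added example, not part of Cybrium's documentation or template: a Python check you could run over the trust policy of the deployed role to confirm it trusts only the expected principal and pins `sts:ExternalId`, which is what the AssumeRole and External ID sections above rely on. The principal ARN, External ID value and sample policies are constructed placeholders.

```python
import json

# Constructed placeholders; not values from Cybrium's template.
TRUSTED_PRINCIPAL = "arn:aws:iam::111122223333:role/example-assessment-principal"
TENANT_EXTERNAL_ID = "example-tenant-external-id"

def as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def sample_policy(principal, condition=None):
    """Build a constructed trust policy document for the demo."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

def audit_trust_policy(policy_json, trusted_principal, expected_external_id):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn != trusted_principal:
                findings.append(f"statement {i}: unexpected principal {arn}")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif as_list(ids[0]) != [expected_external_id]:
            findings.append(f"statement {i}: External ID does not match this tenant")
    return findings

PINNED = {"StringEquals": {"sts:ExternalId": TENANT_EXTERNAL_ID}}
GOOD = sample_policy(TRUSTED_PRINCIPAL, PINNED)
NO_EXTERNAL_ID = sample_policy(TRUSTED_PRINCIPAL)        # confused-deputy exposure
WILDCARD = sample_policy("*", PINNED)                    # any AWS principal trusted

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no-external-id", NO_EXTERNAL_ID), ("wildcard", WILDCARD)]:
        print(name, audit_trust_policy(doc, TRUSTED_PRINCIPAL, TENANT_EXTERNAL_ID) or "OK")
```

To audit a live role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the constructed samples.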

Tenant admin only

Cloud connections require Tenant Admin.