AWS cloud discovery — IAM policy
The read-only IAM policy that lets Intertrace discover AI agents and workloads across your AWS account.
What Intertrace reads
Intertrace needs read-only permissions to scan your AWS account for AI agents and workloads. Every permission is List*, Get*, Describe*, or Lookup*. Intertrace never writes, creates, or deletes resources.
Bedrock Agents — ListAgents, GetAgent, ListAgentActionGroups, ListAgentKnowledgeBases, ListKnowledgeBases, ListGuardrails, ListFoundationModels.
Bedrock AgentCore — ListAgentRuntimes, GetAgentRuntime.
ECS — ListClusters, ListServices, DescribeServices, DescribeTaskDefinition.
Lambda — ListFunctions, GetFunctionConfiguration, ListTags.
SageMaker — ListEndpoints, DescribeEndpoint.
Step Functions — ListStateMachines, DescribeStateMachine.
CloudTrail — LookupEvents (proves recent Bedrock/SageMaker invocations).
IAM — ListAttachedRolePolicies, ListRolePolicies, GetPolicy, GetPolicyVersion, GetRolePolicy (analyzes agent execution roles for data-store access).
Option A — Read-only IAM user (simplest)
Create an IAM user named intertrace-discovery with no console access. Attach the inline policy below. Create an access key and paste it into Intertrace under Read-only access keys.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BedrockAgents",
"Effect": "Allow",
"Action": [
"bedrock:ListAgents",
"bedrock:GetAgent",
"bedrock:ListAgentActionGroups",
"bedrock:ListAgentKnowledgeBases",
"bedrock:ListKnowledgeBases",
"bedrock:ListGuardrails",
"bedrock:ListFoundationModels"
],
"Resource": "*"
},
{
"Sid": "BedrockAgentCore",
"Effect": "Allow",
"Action": [
"bedrock-agentcore:ListAgentRuntimes",
"bedrock-agentcore:GetAgentRuntime"
],
"Resource": "*"
},
{
"Sid": "Ecs",
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition"
],
"Resource": "*"
},
{
"Sid": "Lambda",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:GetFunctionConfiguration",
"lambda:ListTags"
],
"Resource": "*"
},
{
"Sid": "SageMaker",
"Effect": "Allow",
"Action": [
"sagemaker:ListEndpoints",
"sagemaker:DescribeEndpoint"
],
"Resource": "*"
},
{
"Sid": "StepFunctions",
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:DescribeStateMachine"
],
"Resource": "*"
},
{
"Sid": "CloudTrail",
"Effect": "Allow",
"Action": ["cloudtrail:LookupEvents"],
"Resource": "*"
},
{
"Sid": "IamRoleAnalysis",
"Effect": "Allow",
"Action": [
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRolePolicy"
],
"Resource": "*"
}
]
}Option B — Cross-account IAM role
For enterprises that prefer not to hand out long-lived access keys. Intertrace assumes a role in your account using an external ID. Requires the Intertrace platform to have its own AWS credentials on the dashboard host. If unsure, use Option A.
Deploy with CloudFormation (one command). The template is at docs/templates/intertrace-discovery-role.json:
aws cloudformation deploy \
--template-file docs/templates/intertrace-discovery-role.json \
--stack-name intertrace-discovery \
--parameter-overrides \
ExternalId=<from the AWS cloud form> \
IntertraceAccountId=<provided by Intertrace> \
--capabilities CAPABILITY_NAMED_IAMAfter the stack deploys, copy the Role ARN from the stack outputs and paste it into Intertrace along with the external ID.
Removing access
Delete the access key (Option A) or the CloudFormation stack / role (Option B). Discovery stops immediately. Previously imported Assets remain in Intertrace until you delete them.