Walkthrough: Onboarding the AWS Cloud connector


This walkthrough shows you how to onboard the AWS Cloud connector: you specify the AWS account details, and the account is then evaluated against the out-of-the-box (OOB) AWS policies at a scheduled interval.

The AWS Cloud connector, hosted by BMC Helix Cloud Security in the AWS platform, gathers data about the following AWS services:

  • CloudTrails domains
  • ElasticSearch
  • Identity and Access Management (IAM) credentials
  • Password Policy
  • Rapid Database System (RDS)
  • S3 bucket
  • SecurityGroups
  • Key Management Service (KMS)
  • Virtual Private Cloud (VPC)
  • EC2-ELB
  • EC2-Instances
  • Simple Notification Service (SNS)
  • Config

A company's Line Of Business (LOB) IT personnel and compliance officers are responsible for ensuring that their Amazon Web Services (AWS) account adheres to industry and organizational standards. To begin this analysis, they want to set up an AWS Cloud connector that will enable them to collect data so that they can evaluate resources and remediate any violations against AWS policies.

Log on to BMC Helix Cloud Security with your registered credentials and select Configure icon > Connectors.

On the Manage Connector page, select Add Connector.

Under Connector Type > Cloud Based Connectors (Hosted), click AWS Cloud Connector and then click Continue.

On the Configure Connector screen:

  1. Specify a name for the connector.
  2. If using Key Based authentication, specify the following:

    1. AWS Account Access Key for the account to be scanned.

    2. AWS Account Secret Key for the account to be scanned.

  3. If using Role Based authentication, specify the following:

    1. Role ARN for the user created in IAM.
    2. External ID to be used for the user.

  4. Select the required mode from the two available Collection Modes, On Demand and Scheduled:

    1. On Demand: You can run the scan whenever you choose.
    2. Scheduled: You must set the time at which AWS resources should be collected and evaluated periodically.

  5. Under AWS Partition, select the required option: AWS (default) or AWS GovCloud (US).

     AWS GovCloud (US) is used for scanning resources in the AWS GovCloud region (us-gov-west-1).


Click Continue.

Best practice

For security reasons, BMC recommends that you create a separate IAM user for the AWS account with read-only privileges for the services that you would like to evaluate.

On the Select Policies screen, clear the default compliance policies that you would not use to evaluate your AWS account.

Click Continue.
The connector is available in Cloud Security and the policies can be evaluated on the schedule you have set. Because the AWS Cloud connector resides in the cloud, the connector is always running.

However, for the on-premise connectors, you need to unzip the connector download and then execute the run.bat file or the run.sh file to start the connector.
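The read-only best practice and the Role Based authentication option above can be checked before the credentials are entered in the connector. The following is an added example, not BMC's code: it builds a role trust policy that requires the External ID and flags any allowed action in a permission policy that is not a Get/List/Describe call. The principal ARN (AWS's documentation placeholder account), the External ID value, the action lists and the function names are all assumptions for illustration, not BMC's documented permission set.

```python
import json

# Prefixes treated as read-only in this example (an assumption, not an AWS or BMC rule).
READ_ONLY_PREFIXES = ("get", "list", "describe")

def build_trust_policy(scanner_principal_arn, external_id):
    """Trust policy for the scan role: only the named principal may assume it,
    and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": scanner_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def non_read_only_actions(policy):
    """Return every allowed action that is not a plain Get/List/Describe call."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:           # "everything except ..." is never read-only
            flagged.append("NotAction")
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            name = action.partition(":")[2].lower()   # IAM action names are case-insensitive
            if not name.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged

# Constructed sample policies (illustrative action lists only).
SCAN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "cloudtrail:DescribeTrails", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances",
    "iam:GetAccountPasswordPolicy", "kms:ListKeys", "rds:DescribeDBInstances",
    "s3:GetBucketAcl", "sns:ListTopics"]}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "iam:CreateAccessKey", "ec2:DescribeVpcs"]}]}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy("arn:aws:iam::111122223333:root", "EXAMPLE-EXTERNAL-ID"), indent=2))
    print("scan policy flagged:", non_read_only_actions(SCAN_POLICY))
    print("broad policy flagged:", non_read_only_actions(TOO_BROAD))
```

A prefix check is a first filter only: some Get actions return data contents rather than configuration, so review the remaining actions against the services you actually want evaluated.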

Where to go from here

For an example of an AWS use case where compliance violations are identified, see Walkthrough: Identifying AWS compliance violations.

To learn more about all the options available in Cloud Security for working with connectors, see Managing connectors.



  1. Amit Subhedar

    I would recommend we remove the list of services and have a generic cloud-native comment.

    The current list of services that we support is below, and we do hope to increase it as we add more contents

    Certificate Manager: Yes
    CloudWatch Events: Yes
    Elasticsearch Service: Yes
    Key Management Service: Yes
    Relational Database Service: Yes
    Jun 26, 2018 09:22