Integrations

Amazon Web Services (AWS)

Configuring AWS integration

The AWS integration enables Tidal Control to automatically execute compliance tests on your AWS environment via a cross-account role configuration.

Requirements:

  • Super User role in Tidal Control
  • AWS IAM role management rights
  • Access to AWS Management Console

Configuration step-by-step plan

What we're going to do: We'll create a cross-account role in your AWS account that allows Tidal to retrieve compliance data. A cross-account role is an AWS mechanism that enables an external AWS account (Tidal) to securely access specific resources in your account without sharing credentials.

Configuration steps:

  1. Note Tidal information
  2. Create AWS IAM role
  3. Assign permissions
  4. Retrieve Role ARN
  5. Complete integration

Step 1: Note Tidal information

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to Amazon Web Services
  • Note the Tidal Account ID from the dialogue screen
  • Note the suggested External ID (Tidal automatically generates a secure ID)
  • Save these values - you'll need them for AWS configuration

Step 2: Create AWS IAM role

  • Log in to AWS Management Console
  • Navigate to IAM → Roles → Create role
  • Select "AWS account""Another AWS account"
  • Enter the Tidal Account ID (from step 1)
  • Tick "Require external ID"
  • Enter the External ID (from step 1)
  • Click "Next"

Step 3: Assign permissions

  • Search for policy "SecurityAudit"
  • Select SecurityAudit policy
  • Click "Next" to continue
  • (Optional) Add tags and click "Next"

Step 4: Retrieve Role ARN

  • Give the role the name "Tidal Integration"
  • Add description: "Read-only role for Tidal Control compliance monitoring"
  • Click "Create role"
  • Go to Roles overview and search for your new role
  • Click on role name to open details
  • Copy the Role ARN (save for Tidal configuration)

Step 5: Complete integration

  • Return to Tidal dialogue screen
  • Enter recognisable name for integration
  • Paste the Role ARN (from step 4)
  • Check External ID is correctly carried over
  • Open the Regions dropdown and select the AWS regions where your services run. You can select multiple regions. Check the top right of the AWS Console to see your current region.
  • Click "Create" to save the connection
Tip

Region setting: Select the regions where your AWS services run. Without a selection, the integration defaults to aws-global, which only covers global services like IAM, CloudFront, and Route 53.

Verification

After successful configuration, Settings → Integrations shows a "Connected" status for AWS, AWS-specific tests are available in the Tests section, and test refreshes deliver results without authentication errors.

Warning

Save External ID: Note the External ID securely - it's unique and needed for troubleshooting

Troubleshooting

Troubleshooting issues:

  • Verify Role ARN correctly copied (no extra spaces)
  • Check External ID matches between AWS and Tidal
  • Confirm SecurityAudit policy linked to role
  • Verify AWS Region correctly selected

Still having trouble?

Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.

Info

Gathering support info: Note which browser you're using, exact error messages, which steps you've already tried, and screenshots of the problem. This significantly speeds up the solution.

Next
Google Cloud Platform (GCP)