Cloud Service Integrations
Overview
Cloud service integrations connect Bastion to your cloud infrastructure providers. Monitor assets, collect compliance evidence, and enforce security policies across your cloud environments.
Supported Providers
AWS
Amazon Web Services — EC2, S3, IAM, CloudTrail
Azure
Microsoft Azure — VMs, Storage, Entra ID, Activity Logs
GCP
Google Cloud Platform — Compute, Storage, IAM, Audit Logs
OVH
OVHcloud — Dedicated Servers, Public Cloud, Bare Metal
Scaleway
Scaleway — Instances, Object Storage, Kubernetes
DigitalOcean
DigitalOcean — Droplets, Spaces, Kubernetes
Benefits
| Feature | Benefit |
|---|---|
| Asset Discovery | Automatic cloud resource inventory |
| Configuration Audit | Detect misconfigurations and drift |
| Compliance Evidence | Collect evidence for frameworks automatically |
| Activity Monitoring | Track changes and access across providers |
AWS
Prerequisites
- AWS account with IAM permissions
- Ability to deploy CloudFormation stacks
Setup Steps
Deploy CloudFormation Template
Click the provided CloudFormation link in Bastion. This deploys a stack that creates a cross-account IAM role with read-only access.
Acknowledge IAM Resources
In the AWS CloudFormation console, acknowledge that the template creates IAM resources.
Copy Role ARN
Once the stack is created, copy the RoleArn from the stack outputs.
Select Regions
Choose one or more AWS regions to monitor.
Test Connection
Bastion validates the role and begins asset discovery.
Monitored Resources
| Resource | Checks |
|---|---|
| IAM | Users, roles, policies, MFA status |
| EC2 | Security groups, instances |
| S3 | ACLs, versioning, encryption |
| RDS | Database configurations |
| Lambda | Function configurations |
| EKS | Cluster settings |
| CloudTrail | Audit log configuration |
Connection Details
Bastion uses a cross-account IAM role with an external ID for secure access. The CloudFormation template creates a least-privilege policy granting read-only access to the resources above. Multi-region monitoring is supported — select all regions where you have infrastructure.
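The external ID and single trusted account are what protect a cross-account role from the confused-deputy problem, and "read-only" is only true if the permissions policy stays that way. The following is an added example, not Bastion's CloudFormation template: it builds a trust policy of the shape the section describes and checks both the trust policy and a permissions policy for the properties a reviewer would verify. The account ID, external ID and sample policies are constructed placeholders.

```python
"""Trust-policy and permission checks for a cross-account auditing role.

Added example, not Bastion's CloudFormation template. The account ID and
external ID are constructed placeholders for the values Bastion displays."""
from __future__ import annotations

import re

AUDITOR_ACCOUNT_ID = "111111111111"  # placeholder: Bastion's AWS account ID
EXTERNAL_ID = "example-external-id"  # placeholder: external ID issued by Bastion

# Heuristic: IAM actions with these prefixes only read state. Anything else is
# treated as write access, which a monitoring integration should never need.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup")


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy allowing one account to assume the role, and only with the external ID."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy: dict) -> list[str]:
    """Problems with a trust policy; an empty list means it matches the model above."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.startswith("sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)  # a bare "*" lands here
        if "*" in aws_principals:
            findings.append("any AWS principal may assume the role")
        elif len(aws_principals) != 1:
            findings.append("expected exactly one trusted AWS account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
    return findings


def write_actions(permissions_policy: dict) -> list[str]:
    """Actions in Allow statements that are not read-only under the heuristic above."""
    flagged = []
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _, _, name = action.partition(":")
            if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


# Constructed sample permission policies: one as intended, one that has drifted.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "iam:ListUsers", "iam:GetAccountSummary", "ec2:DescribeSecurityGroups",
        "s3:GetBucketAcl", "s3:GetEncryptionConfiguration", "cloudtrail:DescribeTrails"]}],
}
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "s3:GetBucketAcl", "s3:PutBucketPolicy", "ec2:*"]}],
}

if __name__ == "__main__":
    print(trust_policy_findings(build_trust_policy(AUDITOR_ACCOUNT_ID, EXTERNAL_ID)))  # []
    print(write_actions(DRIFTED_POLICY))  # ['s3:PutBucketPolicy', 'ec2:*']
```

Run the two checks against the role the stack actually created (for example after exporting its policies with the AWS CLI) and again whenever the stack is updated; a non-empty result from either function means the role no longer matches what this section promises.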
Azure
Prerequisites
- Azure subscription with admin access
- Access to Microsoft Entra (Azure AD)
Setup Steps
Register Application
In the Azure portal, go to Microsoft Entra > App registrations and register a new application named Bastion Compliance App. Select Accounts in this organizational directory only.
Create Client Secret
In the app's Certificates & secrets section, create a new client secret. Set expiration to 24 months. Copy the secret value immediately — it cannot be retrieved later.
Assign Reader Role
Go to your subscription's Access control (IAM) and assign the Reader role to the application.
Connect in Bastion
Enter the Tenant ID, Application (Client) ID, Client Secret, and Subscription ID.
Test Connection
Bastion validates the Reader role and begins resource discovery.
Required Credentials
| Field | Description |
|---|---|
| Tenant ID | Entra Directory (tenant) ID |
| Client ID | Application (client) ID |
| Client Secret | Application secret value |
| Subscription ID | Azure subscription ID |
Monitored Resources
| Resource | Checks |
|---|---|
| SQL/PostgreSQL/MySQL | Database configurations |
| Storage Accounts | Blob and file service settings |
| AKS | Kubernetes cluster configurations |
| Network Security Groups | Firewall rules |
The client secret expires after the configured duration. The integration will disconnect when the secret expires — set a reminder to rotate it before expiration.
GCP
Prerequisites
- GCP project with admin access
- IAM Service Account Credentials API enabled
- Cloud Resource Manager API enabled
Setup Steps
Create Service Account
Create a service account named bastion-security-auditor and assign the Viewer and Security Reviewer roles.
Enable APIs
Enable the IAM Service Account Credentials API and Cloud Resource Manager API on your project.
Create Workload Identity Federation Pool
Create a pool named Bastion Auditor and add an AWS provider using Bastion's AWS account ID.
Configure Attribute Mappings
Map google.subject to assertion.arn and configure the AWS role attribute mapping.
Grant Impersonation Access
Allow the federated identity to impersonate the service account.
Connect in Bastion
Provide the audience URI and service account impersonation URL.
Required Roles
| Role | Purpose |
|---|---|
| roles/viewer | Inventory project resources |
| roles/iam.securityReviewer | Review IAM policies |
Required APIs
| API | Purpose |
|---|---|
| IAM Service Account Credentials | Workload Identity Federation |
| Cloud Resource Manager | Project and resource access |
| Compute Engine | Instance inventory |
| Cloud SQL Admin | Database configurations |
| Cloud Storage | Bucket configurations |
| Kubernetes Engine | Cluster settings |
| Cloud Run Admin | Serverless configurations |
GCP uses Workload Identity Federation instead of static service account keys. This means no long-lived credentials are stored — Bastion authenticates via AWS-to-GCP federation.
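The values the GCP steps ask for (the pool and provider, the audience URI, the impersonation URL and the attribute mapping) follow fixed patterns. The following is an added example, not Bastion's code or Google's tooling: it derives those identifiers from a project number and pool/provider IDs, applies the google.subject to assertion.arn mapping to a sample AWS assertion, and shows the attribute condition and principal set that limit impersonation to one AWS account and role. The project number, pool and provider IDs, service account project, and the AWS account and role name are constructed placeholders.

```python
"""Identifiers for the GCP Workload Identity Federation setup above.

Added example; not Bastion's code or Google's tooling. All IDs are constructed
placeholders: the project number, pool/provider IDs, service account project,
and the AWS account and role Bastion would authenticate as."""
from __future__ import annotations

import re

PROJECT_NUMBER = "123456789012"        # placeholder GCP project number
POOL_ID = "bastion-auditor"            # assumed ID for the pool named "Bastion Auditor"
PROVIDER_ID = "aws-bastion"            # assumed ID for the AWS provider in the pool
SA_EMAIL = "bastion-security-auditor@example-project.iam.gserviceaccount.com"  # project assumed
AWS_ACCOUNT_ID = "111111111111"        # placeholder for Bastion's AWS account ID
AWS_ROLE_NAME = "BastionAuditor"       # assumed name of the AWS role Bastion runs as

# The mapping from the steps above, plus an attribute that strips the variable
# session-name suffix so IAM bindings do not depend on it.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.arn",
    "attribute.aws_role": "assertion.arn.extract('assumed-role/{role}/')",
}

_ASSUMED_ROLE_ARN = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)")


def pool_resource(project_number: str, pool_id: str) -> str:
    return f"projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}"


def audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """The audience URI Bastion asks for (the `audience` of an external_account credential)."""
    return f"//iam.googleapis.com/{pool_resource(project_number, pool_id)}/providers/{provider_id}"


def impersonation_url(sa_email: str) -> str:
    """The service account impersonation URL Bastion asks for."""
    return (f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{sa_email}:generateAccessToken")


def map_assertion(arn: str) -> dict:
    """Apply ATTRIBUTE_MAPPING to one AWS assertion ARN, as the provider would."""
    m = _ASSUMED_ROLE_ARN.fullmatch(arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {arn}")
    if len(arn.encode()) > 127:  # google.subject is limited to 127 bytes
        raise ValueError("google.subject exceeds the 127-byte limit")
    return {"google.subject": arn, "attribute.aws_role": m.group(2), "aws_account": m.group(1)}


def attribute_condition(aws_account_id: str, role_name: str) -> str:
    """CEL attribute condition restricting the provider to one AWS account and role."""
    return f"assertion.account == '{aws_account_id}' && attribute.aws_role == '{role_name}'"


def impersonation_member(project_number: str, pool_id: str, role_name: str) -> str:
    """Principal set to grant roles/iam.workloadIdentityUser on the service account."""
    return (f"principalSet://iam.googleapis.com/{pool_resource(project_number, pool_id)}"
            f"/attribute.aws_role/{role_name}")


def is_allowed(arn: str, aws_account_id: str, role_name: str) -> bool:
    """Offline stand-in for attribute_condition(): would this assertion pass the provider?"""
    mapped = map_assertion(arn)
    return mapped["aws_account"] == aws_account_id and mapped["attribute.aws_role"] == role_name


if __name__ == "__main__":
    print(audience(PROJECT_NUMBER, POOL_ID, PROVIDER_ID))
    print(impersonation_url(SA_EMAIL))
    print(attribute_condition(AWS_ACCOUNT_ID, AWS_ROLE_NAME))
    print(impersonation_member(PROJECT_NUMBER, POOL_ID, AWS_ROLE_NAME))
```

Without an attribute condition, any role in the trusted AWS account can obtain a federated identity in the pool; pairing the condition with a binding on the attribute.aws_role principal set rather than on the raw subject keeps the grant to one role while tolerating changing session names.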
OVH
Prerequisites
- OVHcloud account with admin access
Setup Steps
Create API Token
Visit the OVH API token creation page. The link is provided in Bastion with pre-configured permissions.
Fill Application Details
Set the application name to Bastion Compliance and validity to Unlimited.
Copy Credentials
Copy the Application Key, Application Secret, and Consumer Key. Store them securely — the secret and consumer key are only shown once.
Connect in Bastion
Enter all three credentials.
Test Connection
Bastion validates the API key and begins resource discovery.
Required Credentials
| Field | Description |
|---|---|
| Application Key | OVH API application key |
| Application Secret | OVH API application secret |
| Consumer Key | OVH API consumer key |
Required Permissions
| Method | Scope | Purpose |
|---|---|---|
| GET | * | Read-only access to all resources |
| POST | /cloud/project/*/user | Cloud project user management |
Monitored Resources
| Resource | Checks |
|---|---|
| Cloud Projects | Project configurations |
| Databases | PostgreSQL, MySQL, MongoDB, Redis, Kafka |
| Object Storage | S3-compatible storage settings |
| Instances | Compute instance configurations |
| Firewalls | Firewall rules |
Scaleway
Prerequisites
- Scaleway account with admin access
Setup Steps
Create Application
In the Scaleway IAM console, create an application named bastion-security-auditor.
Create Policy
Create a policy named bastion-security-auditor-policy scoped to all current and future projects.
Assign Permissions
Add AllProductsReadOnly, ProjectReadOnly, and IAMReadOnly permission sets to the policy, then attach the policy to the application.
Generate API Key
Generate an API key for the application with expiration set to Never.
Connect in Bastion
Enter the Access Key, Secret Key, and Organization ID.
Required Credentials
| Field | Format |
|---|---|
| Access Key | SCWXXXXXXXXXXXXXXXXX |
| Secret Key | UUID format |
| Organization ID | UUID format |
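The Azure client secret disconnects the integration when it expires, while the OVH and Scaleway steps create keys that never expire, so both cases need tracking. The following is an added example, not part of Bastion: it validates Scaleway credentials against the formats in the table above and runs a rotation check over a small credential inventory, flagging secrets that are close to expiry and non-expiring keys older than a chosen maximum age. The credential values, dates and thresholds are constructed.

```python
"""Static-credential hygiene for the Azure, OVH and Scaleway integrations.

Added example, not part of Bastion. Formats follow the Scaleway table above;
the inventory, dates and thresholds are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

SCW_ACCESS_KEY = re.compile(r"SCW[A-Z0-9]{17}")  # "SCW" followed by 17 characters, as in the table
UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)


def scaleway_format_findings(access_key: str, secret_key: str, organization_id: str) -> list[str]:
    """Catch pasted-wrong credentials before they reach the provider."""
    findings = []
    if not SCW_ACCESS_KEY.fullmatch(access_key):
        findings.append("access key must be SCW followed by 17 characters")
    if not UUID.fullmatch(secret_key):
        findings.append("secret key must be a UUID")
    if not UUID.fullmatch(organization_id):
        findings.append("organization ID must be a UUID")
    return findings


@dataclass(frozen=True)
class StaticCredential:
    provider: str
    name: str
    created: date
    expires: date | None  # None: the provider was told the key never expires


def rotation_findings(creds, today: date, warn_days: int = 30, max_age_days: int = 365) -> list[str]:
    """One finding per credential that needs attention; an empty list means all are healthy."""
    findings = []
    for c in creds:
        label = f"{c.provider}/{c.name}"
        if c.expires is None:
            age = (today - c.created).days
            if age > max_age_days:
                findings.append(f"{label}: non-expiring key is {age} days old; rotate it")
        elif c.expires <= today:
            findings.append(f"{label}: expired on {c.expires.isoformat()}; integration is disconnected")
        elif (c.expires - today).days <= warn_days:
            findings.append(f"{label}: expires in {(c.expires - today).days} days; rotate now")
    return findings


# Constructed inventory and reference date.
TODAY = date(2025, 6, 1)
SAMPLE_CREDENTIALS = [
    # 24-month Azure client secret, as the Azure steps configure it
    StaticCredential("azure", "Bastion Compliance App secret", date(2023, 6, 15), date(2025, 6, 15)),
    # OVH token created with validity "Unlimited"
    StaticCredential("ovh", "Bastion Compliance consumer key", date(2024, 1, 10), None),
    # Scaleway API key created with expiration "Never"
    StaticCredential("scaleway", "bastion-security-auditor key", date(2025, 5, 1), None),
]

if __name__ == "__main__":
    for finding in rotation_findings(SAMPLE_CREDENTIALS, TODAY):
        print(finding)
```

Feed the inventory from wherever the secrets are issued (the Entra app registration, the OVH token page, the Scaleway IAM console) and run the check on a schedule; the Azure entry shows why the reminder in the Azure section matters, since the integration stops silently once the secret lapses.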
Required Permissions
| Permission Set | Purpose |
|---|---|
| AllProductsReadOnly | Read-only access to all Scaleway products |
| ProjectReadOnly | List and read projects |
| IAMReadOnly | User access controls and MFA verification |
Monitored Resources
| Resource | Checks |
|---|---|
| RDB | Managed database configurations |
| Kubernetes | Cluster settings |
| Instances | Compute configurations |
| Security Groups | Firewall rules |
| Object Storage | Bucket settings |
DigitalOcean
Prerequisites
- DigitalOcean account with admin access
Setup Steps
Authorize Bastion
Click Allow Bastion to access your Digital Ocean account in Bastion. You will be redirected to DigitalOcean's OAuth consent screen.
Grant Access
Approve read-only access to your DigitalOcean infrastructure.
Automatic Connection
Bastion automatically exchanges the authorization for access tokens and begins resource discovery.
Connection Details
DigitalOcean uses OAuth 2.0 with automatic token refresh. Bastion requests read-only scope — no write access to your infrastructure. Tokens are refreshed automatically before expiration.
Monitored Resources
| Resource | Checks |
|---|---|
| Droplets | Firewall rules, SSH restrictions |
| Apps | HTTPS enforcement, database encryption |
| Databases | Encryption, trusted sources, backups |
| Load Balancers | HTTPS redirect, health checks |
| Alerts | CPU, memory, storage monitoring policies |
Compliance Evidence
Cloud integrations provide evidence for:
| Control | Evidence |
|---|---|
| Asset Management | Cloud resource inventory |
| Access Control | IAM policies and audit logs |
| Data Protection | Encryption and storage configuration |
| Logging & Monitoring | Activity logs and alerts |
Troubleshooting
Connection Failed
- Verify credentials or role configuration
- Check network connectivity and firewall rules
- Confirm API is enabled on the provider
- Review permission grants
Resources Not Discovered
- Verify account permissions cover target resources
- Check region or project scope configuration
- Review scan logs for errors
- Confirm API quotas are not exceeded
Logs Not Syncing
- Check audit logging is enabled on the provider
- Verify log access permissions
- Review sync schedule and history
Best Practices
Use Least Privilege
Only grant read-only permissions needed for monitoring. Avoid write access.
Connect All Environments
Include production, staging, and development accounts for full visibility.
Enable Provider Logging
Ensure audit logging (CloudTrail, Activity Logs, Audit Logs) is enabled before connecting.
Review Regularly
Check discovered assets frequently to catch shadow IT and unauthorized resources.