
Overview

Formal integrates with cloud providers to enable automatic resource discovery, cloud-native deployments, and secure access to cloud services. Cloud integrations eliminate manual resource configuration and keep your Formal inventory in sync with your cloud infrastructure.

Supported Cloud Providers

AWS

RDS, Redshift, EKS, EC2, ECS, S3

GCP

Coming soon

Azure

Coming soon

AWS Integration

The AWS Cloud Integration uses cross-account IAM roles to securely access your AWS infrastructure for resource autodiscovery and log forwarding.

Features

Automatically discover PostgreSQL, MySQL, and MongoDB RDS instances and add them as Formal resources.
Discover Redshift clusters and data warehouses.
Discover EKS clusters for Kubernetes access control.
Discover EC2 instances for SSH access.
Discover ECS clusters, services, and containers for SSH access via the Desktop App.
Discover S3 buckets for access via the Desktop App.
Forward Formal Connector logs to S3 buckets for long-term storage and compliance.

Architecture

Formal uses AWS’s Cross-Account IAM Role architecture:
  1. CloudFormation Stack: Deploys an IAM role in your AWS account
  2. IAM Role: Grants Formal specific, scoped permissions
  3. External ID: Unique identifier prevents unauthorized access
  4. Role Chaining: Formal uses IAM User → IAM Role → Your IAM Role for added security

Supported Regions

The CloudFormation stack can be deployed in:
  • us-east-1, us-east-2, us-west-1, us-west-2
  • eu-central-1, eu-west-1, eu-west-2, eu-west-3
The IAM role provides global access, allowing Formal to discover resources across all AWS regions.

Setup

Setup steps in the Web Console (Terraform configurations for the same integration are shown under Use Cases below):
  1. Navigate to Cloud Accounts
  2. Add Integration: click Add Integration
  3. Select AWS: choose AWS as your cloud provider
  4. Deploy CloudFormation: click the provided link to deploy the CloudFormation template in your AWS account. The template creates an IAM role with the necessary permissions.
  5. Configure Permissions: enable the features you need:
     • RDS Autodiscovery
     • Redshift Autodiscovery
     • EKS Autodiscovery
     • EC2 Autodiscovery
     • ECS Autodiscovery
     • S3 Autodiscovery
     • S3 Write Access (for log forwarding)
  6. Complete Setup: once the CloudFormation deployment completes, your AWS integration is active.

CloudFormation Parameters

Parameter                   | Description                                         | Default
----------------------------|-----------------------------------------------------|--------
EnableRDSAutodiscovery      | Discover RDS databases (PostgreSQL, MySQL, MongoDB) | false
EnableRedshiftAutodiscovery | Discover Redshift clusters                          | false
EnableEKSAutodiscovery      | Discover EKS clusters                               | false
EnableEC2Autodiscovery      | Discover EC2 instances                              | false
EnableECSAutodiscovery      | Discover ECS clusters and containers                | false
EnableS3Autodiscovery       | Discover S3 buckets                                 | false
AllowS3Access               | Allow log forwarding to S3                          | false
S3BucketARN                 | S3 bucket ARN for logs (if AllowS3Access is true)   | ""

Versioning

The CloudFormation template is versioned for stability:
aws {
  template_version = "1.2.0"  # Pin to specific version
  # ...
}
Benefits of version pinning:
  • Predictable IAM permissions
  • Controlled feature adoption
  • Easier compliance auditing
  • Prevents unexpected changes
Using latest:
aws {
  template_version = "latest"  # Always use newest version
  # ...
}
See the CloudFormation Changelog for version history.

Security

Formal implements multiple security layers:
  1. Role Chaining: IAM User → IAM Role in Formal account → IAM Role in your account
  2. External ID: Unique per-customer identifier prevents cross-tenant access
  3. Least Privilege: CloudFormation grants only required permissions
  4. Scoped Permissions: Enable only the features you need
Example: If you only enable RDS autodiscovery, the IAM role cannot access EKS, EC2, or S3.
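The Architecture and Security sections above describe two controls: a trust policy that only the Formal-account role can satisfy, and only with the per-customer External ID, and a permissions policy that grants nothing for features you leave disabled. The following Python is an added example (not Formal's CloudFormation template or API) that builds both documents and runs the two checks a reviewer would apply before deploying the stack. The per-feature IAM action lists are real AWS action names but the mapping to features is an assumption made for the example; the account id and External ID are constructed placeholders.

```python
import json

# Illustrative read-only IAM actions per autodiscovery feature. The action names
# are real AWS IAM actions, but this mapping is an assumption made for the
# example; it is not the content of Formal's CloudFormation template.
FEATURE_ACTIONS = {
    "EnableRDSAutodiscovery": ["rds:DescribeDBInstances", "rds:ListTagsForResource"],
    "EnableRedshiftAutodiscovery": ["redshift:DescribeClusters"],
    "EnableEKSAutodiscovery": ["eks:ListClusters", "eks:DescribeCluster"],
    "EnableEC2Autodiscovery": ["ec2:DescribeInstances"],
    "EnableECSAutodiscovery": ["ecs:ListClusters", "ecs:ListServices", "ecs:ListTasks"],
    "EnableS3Autodiscovery": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
}


def build_trust_policy(formal_role_arn: str, external_id: str) -> dict:
    """Trust policy for the role in the customer account: only the named role in
    the Formal account may assume it, and only when it presents the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": formal_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permissions_policy(params: dict) -> dict:
    """Permissions policy derived from CloudFormation-style parameters: a
    statement is emitted only for features switched on, so a disabled feature
    contributes no permissions at all."""
    statements = []
    for feature, actions in FEATURE_ACTIONS.items():
        if params.get(feature, False):
            statements.append({"Effect": "Allow", "Action": actions, "Resource": "*"})
    if params.get("AllowS3Access", False):
        bucket_arn = params.get("S3BucketARN", "")
        if not bucket_arn:
            raise ValueError("S3BucketARN is required when AllowS3Access is true")
        # Write access is scoped to the log bucket ARN, not to every bucket.
        statements.append({"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": bucket_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def granted_services(policy: dict) -> set:
    """Service prefixes (rds, eks, ...) that appear in any Allow statement."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        services.update(action.split(":", 1)[0] for action in actions)
    return services


def trust_policy_requires_external_id(policy: dict) -> bool:
    """True only if every Allow sts:AssumeRole statement names a specific
    principal and carries an sts:ExternalId condition (the confused-deputy
    check behind the External ID layer described on the page)."""
    assume_statements = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRole"
    ]
    if not assume_statements:
        return False
    for stmt in assume_statements:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return False
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True


if __name__ == "__main__":
    # Placeholder account id and External ID, constructed for the example.
    trust = build_trust_policy("arn:aws:iam::111122223333:role/formal-cross-account", "EXAMPLE-EXTERNAL-ID")
    perms = build_permissions_policy({"EnableRDSAutodiscovery": True})
    print(json.dumps(trust, indent=2))
    print("external id enforced:", trust_policy_requires_external_id(trust))
    print("services granted:", sorted(granted_services(perms)))
```

With only EnableRDSAutodiscovery set, `granted_services` returns `{"rds"}` and nothing for EKS, EC2 or S3, which is the property the Security section's example states; removing the Condition from the trust policy makes `trust_policy_requires_external_id` return False.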

Resource Autodiscovery

Once the integration is active:
  1. Automatic Discovery: Formal scans your AWS account for resources
  2. Resource Creation: Discovered resources appear in Resources
  3. Continuous Sync: New resources are automatically added
  4. Tagging: AWS resource tags are synced to Formal
Example discovered resources:
  • RDS instance prod-postgres-1 → Formal resource prod-postgres-1
  • EKS cluster production-eks → Formal resource production-eks
  • EC2 instance i-abc123 → Formal resource ec2-i-abc123

Manual Resource Configuration

Autodiscovered resources are read-only in Formal by default. To customize:
  1. Create a manual resource with the same hostname
  2. Configure native users, policies, etc.
  3. Formal prioritizes manual configuration over autodiscovered settings
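The Resource Autodiscovery and Manual Resource Configuration sections describe three rules: discovered resources get Formal names (EC2 instances prefixed with `ec2-`, RDS and EKS keeping their AWS name), repeated scans only add what is new while refreshing tags, and a manual resource with the same hostname takes priority over the autodiscovered one. The following Python is an added example that models those rules over a constructed scan result; the scan field names (`type`, `id`, `endpoint`, `tags`) and the `FormalResource` class are assumptions for the example, not Formal's API.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FormalResource:
    name: str
    hostname: str
    kind: str
    tags: Dict[str, str] = field(default_factory=dict)
    source: str = "autodiscovered"  # or "manual"


# Constructed sample of what a scan of an AWS account might return. The keys
# (type, id, endpoint, tags) are an assumption for this example.
SAMPLE_SCAN = [
    {"type": "rds", "id": "prod-postgres-1",
     "endpoint": "prod-postgres-1.abcdefgh.us-east-1.rds.amazonaws.com", "tags": {"env": "prod"}},
    {"type": "eks", "id": "production-eks",
     "endpoint": "ABCDEF.gr7.us-east-1.eks.amazonaws.com", "tags": {"team": "platform"}},
    {"type": "ec2", "id": "i-abc123", "endpoint": "10.0.1.25", "tags": {"role": "bastion"}},
]


def formal_name(resource_type: str, aws_id: str) -> str:
    """Naming rule from the page's examples: RDS instances and EKS clusters keep
    their AWS name; EC2 instances are prefixed with 'ec2-'."""
    return f"ec2-{aws_id}" if resource_type == "ec2" else aws_id


def sync(inventory: Dict[str, FormalResource], scan: List[dict]) -> List[str]:
    """Continuous sync: add resources not yet in the inventory and refresh the
    tags of autodiscovered ones. Hosts that already have a manual resource are
    skipped, because manual configuration takes priority. Returns the names
    added, so a second run over the same scan returns an empty list."""
    manual_hosts = {res.hostname for res in inventory.values() if res.source == "manual"}
    added = []
    for item in scan:
        if item["endpoint"] in manual_hosts:
            continue
        name = formal_name(item["type"], item["id"])
        existing = inventory.get(name)
        if existing is None:
            inventory[name] = FormalResource(
                name=name, hostname=item["endpoint"], kind=item["type"],
                tags=dict(item.get("tags", {})),
            )
            added.append(name)
        elif existing.source == "autodiscovered":
            existing.tags = dict(item.get("tags", {}))  # AWS tags are synced on every scan
    return added


def apply_manual_overrides(inventory: Dict[str, FormalResource],
                           manual: List[FormalResource]) -> Dict[str, FormalResource]:
    """A manual resource with the same hostname as an autodiscovered one takes
    priority: the autodiscovered entry is dropped in favour of the manual one."""
    by_hostname = {res.hostname: name for name, res in inventory.items()
                   if res.source == "autodiscovered"}
    merged = dict(inventory)
    for m in manual:
        shadowed = by_hostname.get(m.hostname)
        if shadowed is not None:
            merged.pop(shadowed)
        merged[m.name] = m
    return merged


if __name__ == "__main__":
    inventory: Dict[str, FormalResource] = {}
    print("first scan added:", sync(inventory, SAMPLE_SCAN))
    print("second scan added:", sync(inventory, SAMPLE_SCAN))
    override = FormalResource(name="prod-postgres-1", kind="rds", source="manual",
                              hostname="prod-postgres-1.abcdefgh.us-east-1.rds.amazonaws.com")
    merged = apply_manual_overrides(inventory, [override])
    print("prod-postgres-1 source:", merged["prod-postgres-1"].source)
```

The override is keyed on hostname rather than name, which is why the page tells you to create the manual resource with the same hostname; a manual resource under a different name still shadows the discovered entry, and later scans leave it alone.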

GCP Integration (Coming Soon)

Features planned:
  • Cloud SQL autodiscovery
  • GKE cluster autodiscovery
  • Compute Engine autodiscovery
  • BigQuery resource management

Azure Integration (Coming Soon)

Features planned:
  • Azure SQL autodiscovery
  • AKS cluster autodiscovery
  • VM autodiscovery
  • Cosmos DB integration

Use Cases

Centralized Resource Management

Automatically maintain an inventory of all databases and infrastructure:
# Enable all autodiscovery features
resource "formal_integration_cloud" "aws_full" {
  name         = "aws-full-discovery"
  cloud_region = "us-east-1"

  aws {
    template_version              = "1.2.0"
    enable_rds_autodiscovery      = true
    enable_redshift_autodiscovery = true
    enable_eks_autodiscovery      = true
    enable_ec2_autodiscovery      = true
    enable_ecs_autodiscovery      = true
  }
}

Compliance Logging

Forward all Connector logs to S3 for long-term retention:
resource "formal_integration_cloud" "aws_logs" {
  name         = "aws-log-archive"
  cloud_region = "us-east-1"

  aws {
    template_version = "1.2.0"
    allow_s3_access  = true
    s3_bucket_arn    = "arn:aws:s3:::formal-logs-archive/*"
  }
}

resource "formal_integration_log" "s3" {
  name = "s3-log-drain"

  s3 {
    s3_bucket_name       = "formal-logs-archive"
    cloud_integration_id = formal_integration_cloud.aws_logs.id
  }
}

Multi-Account Strategy

Integrate multiple AWS accounts:
# Production account
resource "formal_integration_cloud" "aws_prod" {
  name         = "aws-production"
  cloud_region = "us-east-1"

  aws {
    template_version         = "1.2.0"
    enable_rds_autodiscovery = true
  }
}

# Staging account
resource "formal_integration_cloud" "aws_staging" {
  name         = "aws-staging"
  cloud_region = "us-west-2"

  aws {
    template_version         = "1.2.0"
    enable_rds_autodiscovery = true
  }
}

Troubleshooting

CloudFormation deployment fails

Possible causes:
  • Insufficient IAM permissions to create roles
  • Stack name conflict
  • Region not supported
Solution:
  1. Ensure the deploying user has IAM role creation permissions
  2. Use the unique stack name provided by Formal
  3. Deploy in a supported region

Resources are not discovered

Possible causes:
  • Autodiscovery not enabled for that resource type
  • Resources in an unsupported region
  • IAM permissions insufficient
Solution:
  1. Verify the autodiscovery toggle is enabled in the Formal console
  2. Check that the resources exist in AWS
  3. Review the CloudFormation IAM role permissions
  4. Wait a few minutes for the initial scan

Logs are not forwarded to S3

Possible causes:
  • S3 bucket ARN incorrect
  • IAM role lacks S3 permissions
  • Log integration not configured
Solution:
  1. Verify s3_bucket_arn matches your bucket
  2. Ensure allow_s3_access is enabled
  3. Create a Log Integration pointing to this cloud integration

Best Practices

Use specific version numbers instead of latest for production to ensure predictable behavior.
Only enable autodiscovery for resources you want to manage through Formal to minimize IAM permissions.
Create separate integrations for each AWS account (production, staging, dev) for better isolation.
Periodically review autodiscovered resources to ensure they match your actual infrastructure.
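The Troubleshooting and Best Practices sections amount to a short checklist that can be applied to a configuration before `terraform apply`: a supported deployment region, a pinned template version for production, `allow_s3_access` set when a log integration is attached, and an `s3_bucket_arn` that names the same bucket as the log integration's `s3_bucket_name`. The following Python is an added example (not a Formal tool) that runs those checks over plain dicts mirroring the page's `formal_integration_cloud` and `formal_integration_log` resources; the dict layout and the `preflight` function are assumptions for the example, and the supported-region set is copied from the Supported Regions section.

```python
import re
from typing import List, Optional

# Regions in which the CloudFormation stack can be deployed, from the page.
SUPPORTED_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3",
}

# Constructed sample configs mirroring the page's Compliance Logging example.
AWS_LOGS = {
    "name": "aws-log-archive",
    "cloud_region": "us-east-1",
    "aws": {
        "template_version": "1.2.0",
        "allow_s3_access": True,
        "s3_bucket_arn": "arn:aws:s3:::formal-logs-archive/*",
    },
}
S3_LOG_DRAIN = {"name": "s3-log-drain", "s3_bucket_name": "formal-logs-archive"}


def bucket_name_from_arn(arn: str) -> Optional[str]:
    """Bucket name from an S3 ARN such as arn:aws:s3:::my-bucket or
    arn:aws:s3:::my-bucket/*; None if the string is not an S3 bucket ARN."""
    match = re.fullmatch(r"arn:aws:s3:::([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])(?:/.*)?", arn)
    return match.group(1) if match else None


def preflight(cloud: dict, log: Optional[dict] = None, production: bool = False) -> List[str]:
    """Check a formal_integration_cloud config (and optionally the
    formal_integration_log pointing at it) for the mistakes listed under
    Troubleshooting and Best Practices. Returns the problems found; [] is OK."""
    problems = []
    region = cloud.get("cloud_region")
    if region not in SUPPORTED_REGIONS:
        problems.append(f"cloud_region {region!r} is not a supported deployment region")

    aws = cloud.get("aws", {})
    version = aws.get("template_version")
    if version == "latest":
        if production:
            problems.append("template_version is 'latest'; pin a specific version for production")
    elif not re.fullmatch(r"\d+\.\d+\.\d+", version or ""):
        problems.append(f"template_version {version!r} is neither 'latest' nor a pinned x.y.z version")

    # Least privilege in the other direction: an integration that enables
    # nothing creates a role that does nothing useful.
    enabled = [k for k, v in aws.items() if k.startswith("enable_") and v is True]
    if not enabled and not aws.get("allow_s3_access"):
        problems.append("no autodiscovery feature or S3 access enabled")

    if log is not None:
        if not aws.get("allow_s3_access"):
            problems.append("allow_s3_access must be true for log forwarding")
        bucket = bucket_name_from_arn(aws.get("s3_bucket_arn", ""))
        if bucket is None:
            problems.append("s3_bucket_arn is not a valid S3 bucket ARN")
        elif bucket != log.get("s3_bucket_name"):
            problems.append(
                f"s3_bucket_arn names bucket {bucket!r} but the log integration "
                f"uses {log.get('s3_bucket_name')!r}"
            )
    return problems


if __name__ == "__main__":
    print("aws_logs:", preflight(AWS_LOGS, S3_LOG_DRAIN, production=True) or "OK")
    broken = {"cloud_region": "ap-southeast-1",
              "aws": {"template_version": "latest", "allow_s3_access": True,
                      "s3_bucket_arn": "arn:aws:s3:::other-bucket/*"}}
    for problem in preflight(broken, S3_LOG_DRAIN, production=True):
        print("broken:", problem)
```

Run against the page's own `aws_logs` and `s3` resources the check passes; a config that uses an unsupported region, `latest` in production, and an ARN for a different bucket reports all three problems at once, which is quicker than discovering them one at a time from a failed stack and an empty log bucket.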
