CSOAR-3365: AWS IAM Role ARN based Authentication (#5630)

* CSOAR-3365: Updated S3 doc

* CSOAR-3365: updated the AWS inegrations

* CSOAR-3365: add iam-role.md file

* CSOAR-3365: changed changelog

* CSOAR-3365: added IAM info

* CSOAR-3365: udpated the doc link

* CSOAR-3365: updated info

* CSOAR-3365: added permissions

* CSOAR-3365: added permissions details for sqs and cloudtrail

* CSOAR-3365: implemeneted review comments

* CSOAR-3365: updated the iam-conifguration.md file

* CSOAR-3365: updated dates

* CSOAR-3365: minor change

* Updates from review

---------

Co-authored-by: John Pipkin <[email protected]>

Author: mahendrak-sumo

docs/platform-services/automation-service/app-central/integrations/aws-cloudtrail.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.2  
-Updated: Jun 15, 2023***
+***Version: 1.3  
+Updated: August 19, 2025***
 
 Interact with AWS CloudTrail through Trails and Events.
 
@@ -33,17 +33,20 @@ import IntegrationsAuthAWS from '../../../../reuse/integrations-authentication-a
 import AWSRegions from '../../../../reuse/automation-service/aws/region.md';
 import AWSAccesskey from '../../../../reuse/automation-service/aws/access-key.md';
 import AWSSecret from '../../../../reuse/automation-service/aws/secret.md';
+import AWSIAMRole from '../../../../reuse/automation-service/aws/iam-role.md';
 import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
 import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
 import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
 import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
 import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
+import IAMConfiguration from '../../../../reuse/automation-service/aws/iam-configuration.md';
 
 <IntegrationsAuth/>
 
 * <IntegrationLabel/>
 * <AWSAccesskey/>
 * <AWSSecret/>
+* <AWSIAMRole/>
 * <AWSRegions/>
 * <IntegrationTimeout/>
 * <IntegrationCertificate/>
@@ -52,13 +55,29 @@ import IntegrationTimeout from '../../../../reuse/automation-service/integration
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/aws/aws-cloudtrail-configuration.png')} style={{border:'1px solid gray'}} alt="AWS CloudTrail configuration" width="400"/>
 
+For information about AWS CloudTrail, see [CloudTrail documentation](https://docs.aws.amazon.com/cloudtrail/).
+
 <IntegrationsAuthAWS/>
 
-For information about AWS CloudTrail, see [CloudTrail documentation](https://docs.aws.amazon.com/cloudtrail/).
+### AWS IAM role-based access
+
+<IAMConfiguration/>
+
+## Required Permissions
+```
+  cloudtrail:DescribeTrails
+  cloudtrail:LookupEvents
+  cloudtrail:CreateTrail
+  cloudtrail:DeleteTrail
+  cloudtrail:StartLogging
+  cloudtrail:StopLogging
+  cloudtrail:UpdateTrail
+```
 
 ## Change Log
 
 * October 1, 2019 - First upload
 * March 10, 2022 - Logo
 * May 12, 2023 (v1.1) - Integration refactored
 * June 15, 2023 (v1.2) - Updated the integration with Environmental Variables
+* August 19, 2025 (v1.3) - Added support for IAM role authentication - Users can now authenticate using an AWS IAM Role in addition to access key–based authentication.

docs/platform-services/automation-service/app-central/integrations/aws-route53.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.1  
-Updated: Jun 21, 2023***
+***Version: 1.2  
+Updated: August 19, 2025***
 
 Interact with DNS records through AWS Route 53.
 
@@ -31,29 +31,36 @@ import IntegrationsAuthAWS from '../../../../reuse/integrations-authentication-a
 import AWSRegions from '../../../../reuse/automation-service/aws/region.md';
 import AWSAccesskey from '../../../../reuse/automation-service/aws/access-key.md';
 import AWSSecret from '../../../../reuse/automation-service/aws/secret.md';
+import AWSIAMRole from '../../../../reuse/automation-service/aws/iam-role.md';
 import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
 import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
 import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
 import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
 import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
+import IAMConfiguration from '../../../../reuse/automation-service/aws/iam-configuration.md';
 
 <IntegrationsAuth/>
 
 * <IntegrationLabel/>
 * **URL**. Enter your [AWS Route 53 URL](https://docs.aws.amazon.com/general/latest/gr/r53.html), for example, `route53.amazonaws.com`.
 * <AWSAccesskey/>
 * <AWSSecret/>
+* <AWSIAMRole/>
 * <AWSRegions/>
 * <IntegrationEngine/>
 * <IntegrationProxy/>
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/aws/aws-route53-configuration.png')} style={{border:'1px solid gray'}} alt="AWS Route 53 configuration" width="400"/>
 
+For information about AWS Route 53, see [Route 53 documentation](https://docs.aws.amazon.com/route53/).
+
 <IntegrationsAuthAWS/>
 
-For information about AWS Route 53, see [Route 53 documentation](https://docs.aws.amazon.com/route53/).
+### AWS IAM role-based access
+<IAMConfiguration/>
 
 ## Change Log
 
 * December 24, 2019 - First upload
 * June 21, 2023 (v1.1) - Updated the integration with Environmental Variables
+* August 19, 2025 (v1.2) - Added support for IAM role authentication - Users can now authenticate using an AWS IAM Role in addition to access key–based authentication.

docs/platform-services/automation-service/app-central/integrations/aws-s3.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.2  
-Updated: Jun 28, 2023***
+***Version: 1.3  
+Updated: August 19, 2025***
 
 Interact with AWS S3 buckets, objects, and policies.
 
@@ -35,17 +35,20 @@ import IntegrationsAuthAWS from '../../../../reuse/integrations-authentication-a
 import AWSRegions from '../../../../reuse/automation-service/aws/region.md';
 import AWSAccesskey from '../../../../reuse/automation-service/aws/access-key.md';
 import AWSSecret from '../../../../reuse/automation-service/aws/secret.md';
+import AWSIAMRole from '../../../../reuse/automation-service/aws/iam-role.md';
 import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
 import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
 import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
 import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
 import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
+import IAMConfiguration from '../../../../reuse/automation-service/aws/iam-configuration.md';
 
 <IntegrationsAuth/>
 
 * <IntegrationLabel/>
 * <AWSAccesskey/>
 * <AWSSecret/>
+* <AWSIAMRole/>
 * <AWSRegions/>
 * **URL**. Enter your [Amazon S3 URL](https://docs.aws.amazon.com/general/latest/gr/s3.html), for example, `s3.us-east-1.amazonaws.com`.
 * <IntegrationEngine/>
@@ -55,8 +58,29 @@ import IntegrationTimeout from '../../../../reuse/automation-service/integration
 
 <IntegrationsAuthAWS/>
 
+### AWS IAM role-based access
+
+<IAMConfiguration/>
+
+## Required Permissions
+```
+  s3:GetBucketPolicy
+  s3:ListBucket
+  s3:ListAllMyBuckets
+  s3:GetObject
+  s3:PutObject
+  s3:CreateBucket
+  s3:DeleteBucket
+  s3:DeleteBucketPolicy
+  s3:DeleteObject
+  s3:PutBucketPolicy
+```
+
 ## Change Log
 
 * October 3, 2019 - First upload
 * June 21, 2023 (v1.1) - Updated the integration with Environmental Variables
 * June 28, 2023 (v1.2) - Visibility of the Resource fields changed
+* August 19, 2025 (v1.3) - 
+  * Added IAM Role Support - Users can now authenticate using an AWS IAM Role in addition to access key–based authentication.
+  * Added input validation in the *Download File* action.

docs/platform-services/automation-service/app-central/integrations/aws-simple-notification-service.md

@@ -7,8 +7,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.2  
-Updated: Jun 15, 2023***
+***Version: 1.3  
+Updated: August 19, 2025***
 
 Amazon Simple Notification Service (SNS) is a pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients.
 
@@ -28,17 +28,20 @@ import IntegrationsAuthAWS from '../../../../reuse/integrations-authentication-a
 import AWSRegions from '../../../../reuse/automation-service/aws/region.md';
 import AWSAccesskey from '../../../../reuse/automation-service/aws/access-key.md';
 import AWSSecret from '../../../../reuse/automation-service/aws/secret.md';
+import AWSIAMRole from '../../../../reuse/automation-service/aws/iam-role.md';
 import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
 import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
 import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
 import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
 import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
+import IAMConfiguration from '../../../../reuse/automation-service/aws/iam-configuration.md';
 
 <IntegrationsAuth/>
 
 * <IntegrationLabel/>
 * <AWSAccesskey/>
 * <AWSSecret/>
+* <AWSIAMRole/>
 * <AWSRegions/>
 * <IntegrationTimeout/>
 * <IntegrationCertificate/>
@@ -47,9 +50,13 @@ import IntegrationTimeout from '../../../../reuse/automation-service/integration
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/misc/aws-simple-notification-service-configuration.png')} style={{border:'1px solid gray'}} alt="AWS Simple Notification Service configuration" width="400"/>
 
+For information about Amazon Simple Notification Service, see [Amazon Simple Notification Service documentation](https://docs.aws.amazon.com/sns/).
+
 <IntegrationsAuthAWS/>
 
-For information about Amazon Simple Notification Service, see [Amazon Simple Notification Service documentation](https://docs.aws.amazon.com/sns/).
+### AWS IAM role-based access
+
+<IAMConfiguration/>
 
 ## External Libraries
 
@@ -61,3 +68,4 @@ For information about Amazon Simple Notification Service, see [Amazon Simple Not
 * March 3, 2023 (v1.1)
 	+ Updated integration Fields Label
 * June 15, 2023 (v1.2) - Updated the integration with Environmental Variables
+* August 19, 2025 (v1.3) - Added IAM Role Support - Users can now authenticate using an AWS IAM Role in addition to access key–based authentication.

docs/platform-services/automation-service/app-central/integrations/aws-sqs.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.2  
-Updated: Jun 15, 2023***
+***Version: 1.3  
+Updated: August 19, 2025***
 
 Using the integration with SQS, you can gather current queues, add a new queue, delete and purge existing queues during an active investigation.
 
@@ -31,29 +31,47 @@ import IntegrationsAuthAWS from '../../../../reuse/integrations-authentication-a
 import AWSRegions from '../../../../reuse/automation-service/aws/region.md';
 import AWSAccesskey from '../../../../reuse/automation-service/aws/access-key.md';
 import AWSSecret from '../../../../reuse/automation-service/aws/secret.md';
+import AWSIAMRole from '../../../../reuse/automation-service/aws/iam-role.md';
 import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
 import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
 import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
 import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
 import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
+import IAMConfiguration from '../../../../reuse/automation-service/aws/iam-configuration.md';
 
 <IntegrationsAuth/>
 
 * <IntegrationLabel/>
 * <AWSAccesskey/>
 * <AWSSecret/>
+* <AWSIAMRole/>
 * <AWSRegions/>
 * <IntegrationEngine/>
 * <IntegrationProxy/>
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/aws/aws-sqs-configuration.png')} style={{border:'1px solid gray'}} alt="AWS SQS configuration" width="400"/>
 
+For information about AWS SQS, see [SQS documentation](https://docs.aws.amazon.com/sqs/).
+
 <IntegrationsAuthAWS/>
 
-For information about AWS SQS, see [SQS documentation](https://docs.aws.amazon.com/sqs/).
+### AWS IAM role-based access
+
+<IAMConfiguration/>
+
+## Required Permissions
+```
+  sqs:ListQueues
+  sqs:GetQueueUrl
+  sqs:CreateQueue
+  sqs:DeleteQueue
+  sqs:PurgeQueue
+  sqs:SendMessage
+```
 
 ## Change Log
 
 * January 16, 2020 - First upload
 * March 10, 2022 - Logo
 * June 15, 2023 (v1.2) - Updated the integration with Environmental Variables
+* August 19, 2025 (v1.3) - Added support for IAM role authentication - Users can now authenticate using an AWS IAM Role in addition to access key–based authentication.

docs/platform-services/automation-service/configure-authentication-for-integrations.md

@@ -6,6 +6,7 @@ description: Learn how to configure authentication for automation integrations.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import IAMConfiguration from '../../reuse/automation-service/aws/iam-configuration.md';
 
 This article provides a quick reference to configure authentication for [automation integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/) for the Automation Service and Cloud SOAR. Refer to the individual integrations articles for detailed information on setup, usage, and features. 
 
@@ -119,7 +120,9 @@ For AWS service endpoints information, see [AWS documentation](https://docs.aws.
 
 #### Authentication method
 
-AWS recommends using IAM roles with temporary security credentials over long-term access keys for enhanced security. However, our AWS integrations currently support only access keys due to the need for dynamically managed credentials. 
+AWS recommends using IAM roles with temporary security credentials over long-term access keys for enhanced security.
+
+<IAMConfiguration/>
 
 #### Regional configuration
 

docs/reuse/automation-service/aws/access-key.md

@@ -1 +1 @@
-**Access Key ID**. Enter an AWS [access key ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) to provide authentication. (Although AWS recommends using IAM roles with temporary security credentials instead of access keys, our AWS integrations currently support only access keys due to the need for dynamically managed credentials.)
+**Access Key ID**. Enter an AWS [access key ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) to provide authentication. (Although AWS recommends using IAM roles with temporary security credentials instead of access keys.)

docs/reuse/automation-service/aws/iam-configuration.md

@@ -0,0 +1,19 @@
+To enable AWS IAM role-based authentication without sharing access keys and secrets, follow the steps below:
+1. [Create an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) in your AWS account. Follow AWS’s guide to create a new IAM role.
+2. [Attach required policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) to the role depending on the AWS services you want to allow access to (for example, `AmazonEC2ReadOnlyAccess`, `AWSWAFFullAccess`, etc.).
+3. [Update the trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) to allow Sumo Logic’s AWS account to assume this role. This involves editing the trust relationship JSON to include Sumo Logic’s AWS account ID as a trusted principal.
+   Example trust policy:
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": "arn:aws:iam::<sumo-account-id>:root"
+         },
+         "Action": "sts:AssumeRole"
+       }
+     ]
+   }
+   ```

docs/reuse/automation-service/aws/iam-role.md

@@ -0,0 +1 @@
+**IAM Role**. Enter an AWS IAM Role ARN to provide authentication. See the AWS documentation on [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) for more information.