Configure AWS Connection

This guide walks you through connecting Next-Gen Trust Security with Amazon Web Services (AWS) so that it can provision certificates into AWS Certificate Manager (ACM) for use with AWS services. It covers the IAM role and policy on the AWS side, the cloud provider and cloud keystore on the Next-Gen Trust Security side, and the validation and provisioning steps that tie them together.

Before You Begin

You will need the following to complete this procedure:
  • An AWS account and its 12-digit AWS account ID.
  • At least one active VSatellite to provision certificates to AWS.
  • Permission to create an IAM policy and an IAM role in that AWS account. The permission policy you attach to the role defines which actions Next-Gen Trust Security can perform and on which resources; the policy JSON is provided in AWS IAM Permissions below.

Overview

The following diagram illustrates the high-level steps for integrating Next-Gen Trust Security with AWS. In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.
Architecture Diagram

Step 1: Create a Cloud Provider

  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Certificate Integrations > Cloud Providers.
  3. Click New.
  4. Enter a Name for the new cloud provider. This name will help Next-Gen Trust Security users to identify this cloud provider.
  5. Click Continue.
  6. Enter your 12-digit AWS Account ID.
  7. Enter the name of the IAM Role you will create in your AWS account in Step 3. Choose a name that is readily linked to this cloud provider; this example uses TlspcIntegrationRole.
  8. Click Save. At this point, your new provider details will be displayed in the right pane.
  9. From the right pane, select Properties, copy, and save the External ID for use later on. To learn more about the use of the External ID, check out the IAM User Guide.
Important: Make sure to copy and save this External ID for use later on. You will need this External ID in Step 3: Create an AWS IAM role for Next-Gen Trust Security.

Step 2: Create an AWS IAM Policy for Next-Gen Trust Security

In this step, you create the IAM policy that grants the Next-Gen Trust Security role the ACM and EC2 permissions it needs. The policy JSON is listed under AWS IAM Permissions at the end of this guide; if you are integrating an AWS Organization Management account, also include the additional Organizations permissions listed there.
  1. Create a new policy in the AWS IAM Console.
  2. Select the JSON tab, and then paste the Next-Gen Trust Security permission policies into the provided textbox.
  3. Click Next: Tags, then Next: Review.
  4. Assign a name to the policy, such as TlspcIntegrationPolicy, and provide a suitable description.
  5. Click Create policy.

Step 3: Create an AWS IAM Role for Next-Gen Trust Security

  1. Create a new role in the AWS IAM Console.
  2. Select AWS account as the trusted entity type, and then select Another AWS account.
  3. Enter 569433869543 as the Account ID.
  4. Select Require external ID and enter the External ID copied in Step 1. Keep Require MFA disabled. Because the trusted entity is an account shared by all Next-Gen Trust Security customers, the External ID condition is what binds this role to your tenant; do not create the role without it.
  5. Click Next.
Tip: For additional information, see How to use an external ID.
  6. Select the policy you created in Step 2, and then click Next.
  7. Assign the role a name and provide a suitable description.
Important: Make sure this role name is the SAME role name as the one you assigned in Step 1 when creating a cloud provider in Next-Gen Trust Security.
  8. Click Create Role.
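The trust policy the console writes in Step 3 is what decides who may assume the role. The following is an added example, not code from Next-Gen Trust Security or AWS: it builds that trust policy from the account ID given above and an External ID, and audits an existing one for the two things that matter here, a principal that is exactly the vendor account and a mandatory sts:ExternalId condition. VENDOR_ACCOUNT_ID is taken from Step 3; EXAMPLE_EXTERNAL_ID is a constructed placeholder and must be replaced with the value copied in Step 1.

```python
"""Build the Step 3 trust policy and audit an existing one.

Added example for this guide; not part of Next-Gen Trust Security or AWS.
VENDOR_ACCOUNT_ID is the account the guide says to trust. EXAMPLE_EXTERNAL_ID
is a constructed placeholder: use the External ID copied in Step 1.
"""
import json

VENDOR_ACCOUNT_ID = "569433869543"                    # from Step 3 of the guide
EXAMPLE_EXTERNAL_ID = "4d1c8e2a-example-external-id"  # constructed placeholder


def build_trust_policy(external_id, vendor_account_id=VENDOR_ACCOUNT_ID):
    """Return the trust policy the console writes in Step 3: only the vendor
    account may call sts:AssumeRole, and only while presenting the External ID."""
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy, external_id, vendor_account_id=VENDOR_ACCOUNT_ID):
    """Return a list of findings for a trust policy document (for example the
    AssumeRolePolicyDocument returned by `aws iam get-role`). An empty list
    means the policy matches what the guide describes."""
    expected = f"arn:aws:iam::{vendor_account_id}:root"
    findings = []
    assume_seen = False
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        assume_seen = True
        principal = stmt.get("Principal")
        # "Principal": "*" and {"AWS": "*"} both mean any AWS principal.
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal")
                continue
            # IAM stores a bare account ID as that account's root ARN.
            arn = p if p.startswith("arn:") else f"arn:aws:iam::{p}:root"
            if arn != expected:
                findings.append(f"statement {idx}: unexpected principal {arn}")
        seen_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if seen_id is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif seen_id != external_id:
            findings.append(f"statement {idx}: sts:ExternalId does not match the Cloud Provider")
    if not assume_seen:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


if __name__ == "__main__":
    doc = build_trust_policy(EXAMPLE_EXTERNAL_ID)
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc, EXAMPLE_EXTERNAL_ID))
```

To audit the role you created, save the output of `aws iam get-role --role-name TlspcIntegrationRole --query Role.AssumeRolePolicyDocument` to a file, load it with json.load, and pass it to audit_trust_policy together with the External ID shown under Properties for the cloud provider. Any finding other than an empty list should be fixed before you run Step 4.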

Step 4: Validate the Connection

  1. Click Configuration > Certificate Integrations > Cloud Providers.
  2. Find and select the new cloud provider created in Step 1, then click Validate.
Note: You can also validate the connection by selecting the provider, clicking the more options (ellipsis) button, and selecting Validate.
Note: A yellow warning icon indicates the provider has not yet been validated. This icon disappears after successful validation.
Note: If you configure an AWS Organization account, the Organization ID appears in the Access Details section under Properties.
If the warning icon remains, review the configuration steps above.

Step 5: Add a Cloud Keystore

  1. Sign in to Next-Gen Trust Security.
  2. Click Insights > Cloud Keystores.
  3. Click New and select AWS.
  4. Enter a Name for the new cloud keystore.
  5. Select an AWS Cloud Provider.
  6. (Optional) If you configured an AWS Organization account with the selected cloud provider, select an AWS Organization Account.
  7. Select an ACM Region.
  8. (Optional) To discover the certificates already present in this keystore, enable Start discovery immediately and, if you also want expired ones, Include expired certificates. To keep the inventory current after this first run, create a discovery schedule as described in Set up AWS Discovery Schedule below.
  9. Click Save. The new cloud keystore appears in the Cloud Keystore list.

Step 6: Provision a Certificate

  1. Click the More actions (ellipsis) icon next to the cloud keystore you created, and then select Provision.
    Tip: From this menu, you can also delete certificates if needed.
  2. From the dropdown, search for the certificate you want to provision, select it, and then click Provision. This creates a new certificate installation on the cloud keystore.
  3. (Optional) You can also re-provision, replace, or delete an existing certificate.
    • Select your Cloud Keystore to open the details panel.
    • Click the More actions (ellipsis) icon next to the certificate.
    • Select Re-provision, Replace, or Delete, and complete the steps in the user interface.
    Info:
    • Re-provision re-installs the current certificate on the cloud keystore.
    • Replace substitutes the current certificate with a different one.
    • Delete removes the certificate from the cloud keystore.

Set up AWS Discovery Schedule

  1. In the Next-Gen Trust Security toolbar, click Installations > Cloud Keystores.
  2. Select the Cloud Keystore.
  3. In the right pane, select Discovery configuration and enable Scheduled discovery and Include expired certificates.
  4. Configure the schedule.
  5. Click Save.

AWS IAM Permissions

Authentication to AWS Resource Via IAM Role

With IAM roles, you can grant Next-Gen Trust Security access to your AWS resources without sharing your AWS security credentials. Instead, Next-Gen Trust Security accesses your AWS resources by assuming a role that you create in your AWS account. The role's trust policy establishes the trusted connection between your AWS account and Next-Gen Trust Security; the role's permission policy then determines which actions Next-Gen Trust Security can take and which resources it can access.
To set up the AWS integration, attach the following IAM policy to the Next-Gen Trust Security AWS integration IAM role in your AWS account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:GetCertificate",
        "acm:DeleteCertificate",
        "acm:ImportCertificate",
        "acm:ListCertificates",
        "acm:AddTagsToCertificate",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}

Additional IAM Permissions for Organization Management Accounts

Next-Gen Trust Security supports integration with AWS Organization Management accounts. If you plan to use an AWS Organization Management account, additional IAM permissions are required.
To allow Next-Gen Trust Security to discover and manage certificates across multiple accounts in your AWS Organization, attach the following additional policy to the IAM role used in the Cloud Provider configuration for the Management account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSOrganizationPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListRoots",
        "organizations:ListChildren",
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListParents",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
These permissions allow Next-Gen Trust Security to detect AWS Organization Account structure and fetch associated member accounts when configuring Cloud Keystores.
Important: If the Management Account also performs ACM operations, append the standard ACM permissions to this policy.
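The two policy documents above are the complete set of actions the integration needs, which makes them a useful baseline to audit the role against: anything missing breaks provisioning or discovery, anything extra is privilege the integration does not need. The following is an added example, not vendor code: it takes the policy documents attached to the role and reports documented actions that nothing grants, actions or wildcard patterns outside the documented set, and Deny or NotAction statements that deserve a manual look. The action lists are copied from this section; the policy documents it is run on are whatever you retrieve from IAM.

```python
"""Audit the integration role's permission policies against this guide.

Added example for this guide; not part of Next-Gen Trust Security or AWS.
ACM_ACTIONS and ORGANIZATION_ACTIONS are copied from the AWS IAM Permissions
section; the policy documents passed in come from `aws iam get-policy-version`.
"""
import fnmatch

ACM_ACTIONS = frozenset({
    "acm:GetCertificate", "acm:DeleteCertificate", "acm:ImportCertificate",
    "acm:ListCertificates", "acm:AddTagsToCertificate", "ec2:DescribeRegions",
})
ORGANIZATION_ACTIONS = frozenset({
    "organizations:ListRoots", "organizations:ListChildren",
    "organizations:ListAccountsForParent", "organizations:ListAccounts",
    "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit",
    "organizations:ListParents", "organizations:ListOrganizationalUnitsForParent",
})


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_permission_policies(policies, management_account=False):
    """policies: iterable of policy documents attached to the integration role.
    management_account: True if the role belongs to an Organization Management
    account and must also carry the Organizations permissions.

    Returns a dict with:
      missing: documented actions no Allow statement covers (integration will fail)
      extra:   Allow actions or patterns outside the documented set (excess privilege)
      notes:   wildcard actions, NotAction statements and Deny statements to review
    """
    expected = set(ACM_ACTIONS)
    if management_account:
        expected |= set(ORGANIZATION_ACTIONS)
    granted, notes = set(), []
    for pidx, policy in enumerate(policies):
        for sidx, stmt in enumerate(policy.get("Statement", [])):
            where = f"policy {pidx} statement {sidx}"
            effect = stmt.get("Effect")
            if effect == "Deny":
                notes.append(f"{where}: Deny statement present, check it does not block documented actions")
                continue
            if effect != "Allow":
                continue
            if "NotAction" in stmt:
                notes.append(f"{where}: NotAction grants everything except the listed actions")
                continue
            for action in _as_list(stmt.get("Action")):
                if "*" in action:
                    notes.append(f"{where}: wildcard action {action}")
                granted.add(action)
    # IAM action patterns use * and ? exactly as fnmatch does, so a granted
    # "acm:*" covers every documented acm: action but is still reported as extra.
    missing = {a for a in expected if not any(fnmatch.fnmatchcase(a, g) for g in granted)}
    extra = {g for g in granted if g not in expected}
    return {"missing": missing, "extra": extra, "notes": notes}


if __name__ == "__main__":
    # The guide's own ACM policy, reconstructed here as sample input.
    page_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(ACM_ACTIONS), "Resource": "*"}],
    }
    print(audit_permission_policies([page_policy]))
```

To collect the documents for a real role, run `aws iam list-attached-role-policies --role-name TlspcIntegrationRole`, then for each policy ARN `aws iam get-policy-version --policy-arn <arn> --version-id <default version> --query PolicyVersion.Document`, load each result with json.load and pass the list to audit_permission_policies. The "Resource": "*" in the documented policies is not flagged because acm:ListCertificates and ec2:DescribeRegions do not support resource-level restrictions; the audit concentrates on the action set instead.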