
docs: add AWS Workload Identity Federation integration guide#217

Open
girish-cheedala wants to merge 3 commits into main from docs/gcp-org-permissions-platform

Conversation

@girish-cheedala
Contributor

  • Add Workload Identity Federation (WIF) as a fourth AWS integration method, marked as recommended
  • Document step-by-step setup: OIDC provider creation, WIF role, scanner role, and optional org-level discovery
  • Highlight security benefits (no long-lived credentials, short-lived tokens, CloudTrail audit trail)
  • Update introduction to reference four connection methods instead of three

…eration

- Added a new integration method for AWS using Workload Identity Federation (WIF), emphasizing its security benefits and eliminating the need for long-lived credentials.
- Updated the documentation to include detailed steps for setting up WIF, including creating an OIDC identity provider and associated roles.
- Enhanced the prerequisites and benefits sections to provide clearer guidance for users.

neo-by-projectdiscovery-dev bot commented Mar 12, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Adds AWS Workload Identity Federation (WIF) as recommended fourth integration method
  • Documents step-by-step OIDC provider setup with properly scoped trust policies using Team ID constraints
  • Implements role separation pattern: WIF role for trust boundary, separate scanner roles for resource permissions
  • Includes optional organization-level discovery for automatic multi-account enumeration

Hardening Notes

  • Consider adding guidance to enable CloudTrail logging for the scanner role assumptions to track all federated access
  • Add a note recommending customers periodically review which accounts have PDScannerRole deployed to detect unauthorized role creation
  • Consider documenting how to add resource-based policies (e.g., S3 bucket policies) as defense-in-depth to prevent even read-only roles from accessing highly sensitive resources

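The PR description lists the setup steps (OIDC provider, WIF role, separate scanner role) and the review bot asks for CloudTrail coverage of the federated assumptions. The following Python is an added example, not code from the PR or from ProjectDiscovery: it builds the two trust policies in the role-separation pattern, checks that a WIF trust policy is actually pinned to one audience and one Team ID subject, and evaluates a CloudTrail-style `AssumeRoleWithWebIdentity` record against the expected issuer, subject and role. The issuer host, audience, the `team:<id>` subject format, the `WIFRole` name and the sample CloudTrail record are all assumptions or constructed values; only `PDScannerRole` comes from the PR.

```python
"""Trust-policy builders, a scoping check and a CloudTrail record check for the
WIF pattern the PR documents (OIDC provider -> WIF role -> per-account PDScannerRole).
Added example, not the project's or the PR author's code. Issuer host, audience,
the "team:<id>" subject format, the WIF role name and the sample CloudTrail record
are assumptions/constructed; PDScannerRole is the name used in the PR."""
import json

PROVIDER_HOST = "oidc.scanner.example.invalid"  # placeholder OIDC issuer host (assumption)
AUDIENCE = "sts.amazonaws.com"                  # placeholder audience claim (assumption)


def build_wif_trust_policy(account_id: str, team_id: str) -> dict:
    """Trust policy for the WIF role: only the registered OIDC provider may assume it,
    and only with a short-lived token whose audience and subject (Team ID) match exactly."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{PROVIDER_HOST}:aud": AUDIENCE,
                f"{PROVIDER_HOST}:sub": f"team:{team_id}",  # subject format is an assumption
            }},
        }],
    }


def build_scanner_trust_policy(wif_role_arn: str) -> dict:
    """Trust policy for PDScannerRole in a target account: only the WIF role may assume it.
    Resource permissions live on this role; the WIF role carries only the trust boundary."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": wif_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_wif_trust_policy(policy: dict) -> list[str]:
    """Findings for a WIF trust policy that would admit more than the intended tenant."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("wildcard principal")
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in ([actions] if isinstance(actions, str) else actions):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if not any(k.endswith(":aud") for k in equals):
            findings.append("missing audience condition")
        if not any(k.endswith(":sub") for k in equals):
            findings.append("missing subject condition")
        # A StringLike on sub with a bare wildcard admits every tenant of the issuer.
        for k, v in cond.get("StringLike", {}).items():
            values = v if isinstance(v, list) else [v]
            if k.endswith(":sub") and any(x.rstrip("*") in ("", "team:") for x in values):
                findings.append("wildcard subject")
    return findings


# Constructed CloudTrail-style record of a federated assumption (not a real log line).
SAMPLE_EVENT = {
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithWebIdentity",
    "userIdentity": {
        "type": "WebIdentityUser",
        "identityProvider": PROVIDER_HOST,
        "userName": "team:t-42",
    },
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789012:role/WIFRole",
        "roleSessionName": "scanner",
    },
}


def federation_event_is_expected(event: dict, wif_role_arn: str, team_id: str) -> bool:
    """True when an AssumeRoleWithWebIdentity record names the expected issuer,
    subject and target role; any other combination is worth an alert."""
    if event.get("eventName") != "AssumeRoleWithWebIdentity":
        return False
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters", {})
    return (
        ident.get("identityProvider") == PROVIDER_HOST
        and ident.get("userName") == f"team:{team_id}"
        and params.get("roleArn") == wif_role_arn
    )


if __name__ == "__main__":
    wif = build_wif_trust_policy("123456789012", "t-42")
    print(json.dumps(wif, indent=2))
    print("findings:", audit_wif_trust_policy(wif))
```

Running `audit_wif_trust_policy` against the trust policy you actually deployed (`aws iam get-role` output) is the quick check that the Team ID constraint survived copy-and-paste; `federation_event_is_expected` is the shape of a CloudTrail rule that flags any federated assumption from an unexpected issuer, subject or into an unexpected role.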
