This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!


You need an AWS account with permissions to create and change IAM roles.

  1. We have an onboarding wizard that uses Cloudformation templates to perform all of the following steps in Workbench.

  2. If you prefer not to use the wizard, click Connect Manually to access the manual form and follow the instructions below.

  3. If you are using an AWS GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only one device needs to be added to the Expel Workbench using the Delegated Admin account's primary region. If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add one device in Workbench per account.

Step 1: Create an AWS IAM policy

In this step, we create a permissions policy to assign to the IAM Role.

  1. Log into the AWS console and navigate to the IAM service.

    Screen Shot 2021-03-05 at 7.40.38 AM.png
  2. Go to Policies and click Create Policy.

    Screen Shot 2021-03-05 at 7.41.28 AM.png
  3. Add the following permissions using the JSON tab.

    Screen Shot 2021-03-05 at 7.42.08 AM.png
       "Version": "2012-10-17",
        "Statement": [
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                 "Resource": "*"
  4. Review and name the policy.

    Screen Shot 2021-03-05 at 7.42.40 AM.png

Step 2: Create an IAM role

Create an IAM role to connect to your AWS GuardDuty Service.

  1. From within the IAM service, navigate to Roles and click Create Role.

    Screen Shot 2021-03-05 at 7.43.15 AM.png
  2. Select Another AWS account and fill out the required fields.

    • Account ID: 012205512454 (the Expel AWS account ID).

    • External ID: Provided to you by Expel.

      Screen Shot 2021-03-05 at 7.43.49 AM.png
  3. Attach the IAM policy from Step 1 to the Role.

    Screen Shot 2021-03-05 at 7.44.29 AM.png
  4. Give the Role a name and click Create Role.

    Screen Shot 2021-03-05 at 7.45.02 AM.png
  5. Navigate to the role you just created and copy the following information for onboarding in Workbench.

    • Role ARN.

    • External ID Value on the Trust relationships tab.

      Screen Shot 2021-03-05 at 7.45.35 AM.png

Step 3: Onboard AWS GuardDuty in Workbench

  1. In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.

  2. The Add Security Device page for AWS GuardDuty appears. Use the wizard or click Connect Manually to add your AWS GuardDuty installation to Workbench manually. The manual connection screen looks like this:

  3. Complete the following information:

    • For Name type the host name of the AWS GuardDuty device.

    • For Location type the geographic location of the appliance.

    • Role ARN: type the Role ARN from Step 2.

    • External ID: type the External ID from Step 2.

    • Role session name: Use a unique name to identify the role.

    • Authentication type: type STSASSUMEROLE.

    • Region: type region of Primary AWS GuardDuty account. For example us-east-1

    • Other fields can be left blank.