AWS
Connect AWS accounts to Lens Agents. Agents get temporary credentials via STS AssumeRole, with every API call attributed in CloudTrail.
How It Works
Agents access AWS through temporary session credentials:
- An agent requests access to an AWS connection
- Lens Agents calls STS AssumeRole on the connection's IAM role and receives temporary credentials
- Session tags are attached to the AssumeRole request: agent identity, organization, project, connection name
- Credentials are resolved per request and are never stored in the agent's environment
- CloudTrail records the AssumeRole call together with its session tags; every later call made with that session carries the session's role ARN and access key ID, so each AWS API call can be traced back to the specific agent
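The AssumeRole step above, written out as an added example (this is not Lens Agents' own code): it derives an STS-safe RoleSessionName from the agent identity, attaches the four session tags, asks for a short session, and hands the credentials back to the caller rather than to the agent. The `sts` argument is a boto3 STS client you pass in (`boto3.client("sts")`); the role ARN, tag keys and length limits are assumptions taken from the public STS API limits. The optional `source_identity` parameter goes beyond the page: unlike session tags, a source identity is recorded in the sessionContext of every CloudTrail event made with the session, but the role's trust policy must also allow sts:SetSourceIdentity.

```python
import re

# Limits of the STS AssumeRole API (assumed constants, not Lens Agents code).
SESSION_NAME_MAX = 64                              # RoleSessionName / SourceIdentity: 2..64 chars
SESSION_NAME_BAD = re.compile(r"[^A-Za-z0-9_+=,.@-]")  # anything STS would reject
TAG_KEY_MAX, TAG_VALUE_MAX = 128, 256
MIN_DURATION = 900                                 # STS refuses sessions shorter than 15 minutes


def session_name_for(agent: str, connection: str) -> str:
    """Build a RoleSessionName that passes STS validation.

    Characters outside [A-Za-z0-9_+=,.@-] are replaced, so a hostile agent name
    can neither make the call fail nor inject separators into the session ARN
    that CloudTrail records.
    """
    raw = f"lens-{agent}-{connection}"
    return SESSION_NAME_BAD.sub("-", raw)[:SESSION_NAME_MAX]


def session_tags(agent: str, org: str, project: str, connection: str) -> list:
    """The four attribution tags in the shape AssumeRole expects."""
    pairs = {"agent": agent, "org": org, "project": project, "connection": connection}
    tags = []
    for key, value in pairs.items():
        # An empty value would make the tag useless for attribution; oversize
        # values are rejected by STS anyway, so fail early with a clear error.
        if not value or len(key) > TAG_KEY_MAX or len(value) > TAG_VALUE_MAX:
            raise ValueError(f"session tag {key!r} is empty or exceeds STS limits")
        tags.append({"Key": key, "Value": value})
    return tags


def assume_for_agent(sts, role_arn, *, agent, org, project, connection,
                     duration=MIN_DURATION, source_identity=None):
    """Call AssumeRole with session tags and return credentials for one agent request.

    `sts` is a boto3 STS client (or anything exposing the same
    assume_role(**kwargs) signature). The credentials are returned to the caller,
    i.e. the platform side that injects them per request, never to the agent.
    """
    if duration < MIN_DURATION:
        raise ValueError("DurationSeconds must be at least 900")
    kwargs = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name_for(agent, connection),
        "DurationSeconds": duration,
        "Tags": session_tags(agent, org, project, connection),
    }
    if source_identity is not None:
        # Requires sts:SetSourceIdentity in the trust policy; same charset rules as the session name.
        kwargs["SourceIdentity"] = SESSION_NAME_BAD.sub("-", source_identity)[:SESSION_NAME_MAX]
    resp = sts.assume_role(**kwargs)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }
```

The first three keys of the returned dict are the keyword arguments `boto3.Session` accepts, so the component that proxies the agent's AWS calls can build a session directly from them; the trust policy of the role must allow both sts:AssumeRole and sts:TagSession for the tagged call to succeed.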
What Agents Can Do
With an AWS connection, agents can use the AWS CLI and SDK for:
- EKS — cluster discovery, cluster management
- S3 — read and write objects (within IAM scope)
- EC2 — describe instances, manage resources
- CloudWatch — query metrics and logs
- Any AWS service — scoped by the IAM role's permissions
Access is limited to what the assumed IAM role allows. Configure the role's permission policies to control what agents can do in your AWS account. The role's trust policy must allow sts:TagSession in addition to sts:AssumeRole, otherwise the tagged AssumeRole call is rejected; aws:RequestTag conditions in the trust policy can require specific tag values, and aws:PrincipalTag conditions in permission policies can scope access to, for example, the project named in the session tag.
Credential handling
- No long-lived credentials — STS generates temporary session credentials per request
- Session tags for attribution: agent name, org, project, connection name
- CloudTrail integration — every API call is traceable to the specific agent that made it
- Credentials never in the sandbox — resolved at the platform level, injected via proxy
Audit
Every AWS API call is recorded in the Lens Agents audit trail:
- AWS service and API call
- Agent identity
- Session tags
- Result
Additionally, CloudTrail records the AssumeRole call with its session tags and every subsequent call made with that session's credentials, giving you attribution both in Lens Agents and in AWS native audit. To attribute a CloudTrail event to an agent, match the access key ID (or session ARN) in its userIdentity to the AssumeRole event that issued it.
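Joining CloudTrail back to an agent, as an added example that is not part of Lens Agents (the record shapes follow the CloudTrail event format, but every value below is constructed): it indexes successful AssumeRole events by the access key ID they issued and attributes each later call through that key, returning calls it cannot match separately instead of guessing. It also goes slightly beyond the text by showing why the session ARN alone is not a safe join key: the last sample call reuses the same RoleSessionName under a different access key.

```python
# Constructed CloudTrail records (not real logs). One AssumeRole issued by the
# platform, two calls made with that session, a denied AssumeRole that issued no
# credentials, and one call under the same session ARN whose access key has no
# AssumeRole record in this batch.
ROLE = "arn:aws:iam::123456789012:role/LensAgentRole"
SESSION = "arn:aws:sts::123456789012:assumed-role/LensAgentRole/lens-deploy-bot-prod"

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "lens-deploy-bot-prod",
                           "tags": [{"key": "agent", "value": "deploy-bot"},
                                    {"key": "org", "value": "acme"},
                                    {"key": "project", "value": "payments"},
                                    {"key": "connection", "value": "prod"}]},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEAAAAAAAA"},
                          "assumedRoleUser": {"arn": SESSION}}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "eks.amazonaws.com",
     "eventName": "ListClusters",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEAAAAAAAA", "arn": SESSION}},
    {"eventTime": "2024-05-01T10:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEAAAAAAAA", "arn": SESSION}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": ROLE, "roleSessionName": "lens-rogue-prod",
                           "tags": [{"key": "agent", "value": "rogue"}]},
     "responseElements": None},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEBBBBBBBB", "arn": SESSION}},
]


def _is_assume_role(rec):
    return rec.get("eventSource") == "sts.amazonaws.com" and rec.get("eventName") == "AssumeRole"


def index_sessions(records):
    """Map issued access key ID -> session tags, from successful AssumeRole events.

    A denied AssumeRole has no responseElements and issued no credentials, so it
    cannot be the origin of any later call and is skipped.
    """
    sessions = {}
    for rec in records:
        if not _is_assume_role(rec):
            continue
        resp = rec.get("responseElements") or {}
        key = (resp.get("credentials") or {}).get("accessKeyId")
        if not key:
            continue
        params = rec.get("requestParameters") or {}
        sessions[key] = {
            "tags": {t["key"]: t["value"] for t in params.get("tags", [])},
            "session_arn": (resp.get("assumedRoleUser") or {}).get("arn"),
            "issued_at": rec.get("eventTime"),
        }
    return sessions


def attribute_calls(records):
    """Attribute every non-AssumeRole call to the agent session that made it.

    The join key is userIdentity.accessKeyId: it is unique per AssumeRole
    session, whereas the session ARN repeats whenever a RoleSessionName is
    reused. Calls with no matching AssumeRole record are returned separately
    so they can be investigated rather than silently mis-attributed.
    """
    sessions = index_sessions(records)
    attributed, unattributed = [], []
    for rec in records:
        if _is_assume_role(rec):
            continue
        ident = rec.get("userIdentity") or {}
        call = {"time": rec.get("eventTime"),
                "call": f"{rec.get('eventSource')}:{rec.get('eventName')}",
                "error": rec.get("errorCode"),          # denied calls are still attributed
                "session_arn": ident.get("arn")}
        sess = sessions.get(ident.get("accessKeyId"))
        if sess is None:
            unattributed.append(call)
        else:
            call["agent"] = sess["tags"].get("agent")
            call["tags"] = sess["tags"]
            attributed.append(call)
    return attributed, unattributed


def calls_per_agent(records):
    """Summary view to cross-check against the Lens Agents audit trail."""
    counts = {}
    for call in attribute_calls(records)[0]:
        counts[call["agent"]] = counts.get(call["agent"], 0) + 1
    return counts


if __name__ == "__main__":
    att, un = attribute_calls(SAMPLE_RECORDS)
    for c in att:
        print(f'{c["time"]} {c["call"]:<30} agent={c["agent"]} project={c["tags"]["project"]} error={c["error"]}')
    for c in un:
        print(f'{c["time"]} {c["call"]:<30} UNATTRIBUTED session={c["session_arn"]}')
```

In practice the AssumeRole event and the calls it explains can land in different log files or time windows, so run the index over a window that starts before the earliest session you expect to see, and treat a non-empty unattributed list as a finding to chase rather than noise.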
Related
- Connections overview — all connection types
- Kubernetes — connecting K8s clusters
- Credential bindings — how credentials work
- Policies — controlling AWS access per team