> ## Documentation Index > Fetch the complete documentation index at: https://docs.envzero.com/llms.txt > Use this file to discover all available pages before exploring further. # Configure an AWS Cloud Account > Connect your AWS account to env zero Cloud Compass by granting the cloud-scanner IAM role access to your S3 CloudTrail bucket and optionally KMS decryption. ## Configure a Cloud Account Cloud Account configuration wizard for AWS showing the initial setup form

Cloud Account configuration wizard for AWS showing the initial setup form

Additional Costs for Using Cloud Compass with AWS There could be additional costs for enabling Cloud Compass with AWS that only comes from outbound S3 traffic. This refers to data transferred from S3 buckets to external destinations, which will be charged according to AWS's standard S3 outbound data transfer rates. ### Requirements #### Ensure Active Cloud Trail * Open the AWS Console and login to the relevant account * Go to CloudTrail and in the left hand side menu select `Trails` * Make sure the trail is in a Logging status AWS CloudTrail Trails list showing a trail in Logging status

AWS CloudTrail Trails list showing a trail in Logging status

#### Grant Bucket Permissions * Go to S3 Console and choose the relevant bucket based on the name of the S3 bucket in the Trails. You can also click on the bucket name from the previous image. * Choose permission tab S3 bucket details page with the Permissions tab selected for the CloudTrail log bucket

S3 bucket details page with the Permissions tab selected for the CloudTrail log bucket

* Go To Bucket Policy and click `Edit` * S3 bucket policy section with the Edit button to add the env zero read policy

Add the following policy to the list: ```json Policy theme={null} { "Sid": "AllowEnvZeroToReadCloudTrailEvents", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::913128560467:role/env0-cloud-scanner" }, "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::/*" ] } ``` * Replace the placeholder ``with the bucket name. * Click on the `Save Changes` button * Click on the edit button in the Object Ownership section S3 bucket Object Ownership section with the edit button to select ACLs disabled mode

S3 bucket Object Ownership section with the edit button to select ACLs disabled mode

* Select the `ACLs disabled (recommended)` option and click on the `Save Changes` button Object Ownership Mode We only able to read the cloud trails events when the Object Ownership in mode "ACLs disabled" S3 bucket Object Ownership set to ACLs disabled (recommended) option selected

S3 bucket Object Ownership set to ACLs disabled (recommended) option selected

#### Grant Decrypt Permission * This requirement is only necessary if encryption is enabled on the trail. * You can check if it is enabled by opening the trail and check if `Log file SSE-KMS encryption` is Enabled. AWS CloudTrail trail details showing Log file SSE-KMS encryption enabled status

AWS CloudTrail trail details showing Log file SSE-KMS encryption enabled status

* If it is enabled, you should grant permission to the env zero role to decrypt the logs. * Open the "KMS Key Policy" - by clicking on the key URL from the previous image. AWS KMS Key Policy page showing the Edit button to add decrypt permission for the env zero role

AWS KMS Key Policy page showing the Edit button to add decrypt permission for the env zero role

* Click Edit, and add this policy to the list: ```json Policy theme={null} { "Sid": "AllowEnv0ToDecryptTrailLogs", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::913128560467:role/env0-cloud-scanner" }, "Action": "kms:Decrypt", "Resource": "*" } ``` * Click `Save Changes` #### Setting Up Bucket Configuration Here you should specify account config including: * Account name (for identification only) * Bucket Name \[1] * Account ID \[1] * Prefix \[1] `(optional)` - this should match the prefix (if specified) when configuring the s3 bucket. See [AWS docs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/tutorial-trail.html#:~:text=To%20make%20it%20easier%20to%20find%20your%20logs%2C%20create%20a%20new%20folder%20\(also%20known%20as%20a%20prefix\)%20in%20an%20existing%20bucket%20to%20store%20your%20CloudTrail%20logs). * Regions \[1] These fields are used to build the `Scanned Bucket URL` which will be used to fetch your cloud events. Bucket configuration form with fields for Account name, Bucket Name, Account ID, Prefix, and Regions

Bucket configuration form with fields for Account name, Bucket Name, Account ID, Prefix, and Regions

Once you have created your account, env zero will start fetching historical data for the past 90 days. The Insights tab will show that a data fetching run has started. This process might take a few minutes, depending on the amount of events we need to ingest. Cloud Compass Insights tab showing a data fetching run in progress after account creation

Cloud Compass Insights tab showing a data fetching run in progress after account creation

Once the data is ready, you will be able to start exploring the dashboard insights. For more information about using the dashboard, click [here](/guides/cloud-compass/cloud-compass/#utilizing-the-cloud-compass-dashboard). env zero will now run on a daily basis to fetch new cloud activity, ensuring an accurate and up-to-date view of your cloud environment. ## Next steps * [Configure an Azure Cloud Account](/guides/cloud-compass/cloud-compass/configure-an-azure-cloud-account) - Connect an Azure subscription to Cloud Compass. * [Configure a GCP Cloud Account](/guides/cloud-compass/cloud-compass/configure-a-gcp-cloud-account) - Connect a GCP project to Cloud Compass. * [Link Environments to Cloud Compass](/guides/cloud-compass/cloud-compass/linking-environments-to-cloud-compass-resources) - Map environments to discovered cloud resources.