Forward Networks builds a precise, vendor-neutral model of your cloud network — but first, it needs secure, read-only access into your accounts. While the documentation covers the how, this post walks through the why, with practical, real-world onboarding tips for AWS and Azure.
AWS: IAM Roles, Organizations, and Best Practices
Forward connects to your AWS environment using an assume-role model, which is the AWS-recommended way to grant access across accounts without long-term credentials.
Trusting Forward’s AWS Account
In SaaS deployments, you’ll create an IAM role in your AWS account that trusts Forward’s AWS account (453418124061). This trust relationship lets Forward temporarily “assume” the role to collect data — but only if it provides a valid ExternalId.
The External ID is a unique string in the format Org:XXXX, found in the AWS Cloud Setup Wizard in the Forward SaaS UI. It ensures only Forward can use the role — protecting you against confused deputy attacks.
Example Trust Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::453418124061:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "Org:XXXX"
        }
      }
    }
  ]
}
```
Permissions Policy
The permissions required for Forward to model your AWS environment are available directly in the platform at:
/api/cloud/aws-policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "directconnect:Describe*",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:Search*",
        "elasticloadbalancing:Describe*",
        "globalaccelerator:List*",
        "network-firewall:Describe*",
        "network-firewall:List*",
        "organizations:Describe*",
        "workspaces:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
This includes safe, read-only access to:
- VPCs, subnets, ENIs
- Transit Gateway & Direct Connect
- ELBs, Network Firewall
- Route tables, security groups, and more
These permissions enable deep modeling and analysis without risking configuration changes.
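Before attaching the two policies above to the role, it is worth linting them for the two mistakes that undo their protection: a trust policy without the `sts:ExternalId` condition (or with a wildcard principal), and a permissions policy that has drifted beyond read-only actions. The following is an added example, not Forward's code or anything from its documentation; it assumes the External ID format `Org:XXXX` shown on the page and treats `Describe`, `Get`, `List` and `Search` as the only read-only verb prefixes, which is an assumption that matches the policy above but not every AWS service.

```python
"""Added example (not Forward's own code): build and lint the IAM trust policy and
permissions policy used for Forward's assume-role access."""
import json
import re

FORWARD_ACCOUNT_ID = "453418124061"  # Forward's AWS account, as given on the page
# Assumption: read-only verbs are limited to these prefixes (true for the policy above).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Search")


def _as_list(value):
    """IAM allows a string or a list in Principal/Action fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_policy(text: str) -> dict:
    """Parse a policy document pasted from the console or the /api/cloud/aws-policy endpoint."""
    return json.loads(text)


def build_trust_policy(external_id: str, account_id: str = FORWARD_ACCOUNT_ID) -> dict:
    """Return the cross-account trust policy with the ExternalId condition in place."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def lint_trust_policy(policy: dict, expected_account: str = FORWARD_ACCOUNT_ID) -> list:
    """Return findings for every AssumeRole grant; an empty list means the trust is scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal lets any AWS account assume the role")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif not re.fullmatch(r"Org:\S+", ext):
            findings.append(f"ExternalId {ext!r} does not match the Org:XXXX format")
    return findings


def lint_permissions_policy(policy: dict) -> list:
    """Flag any allowed action that is not a Describe/Get/List/Search call."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or ":" not in action:
                findings.append(f"overly broad action {action!r}")
                continue
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action {action!r}")
    return findings


if __name__ == "__main__":
    # Constructed input: the External ID is a placeholder, not a real value.
    trust = build_trust_policy("Org:EXAMPLE")
    print(json.dumps(trust, indent=2))
    print("trust findings:", lint_trust_policy(trust))
```

Run the two lint functions over the policies you actually attach (the permissions policy can be fetched from `/api/cloud/aws-policy` and passed through `parse_policy`); any finding is a reason to stop before the role goes live.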
Automate Multi-Account Setup with AWS Organizations
Forward supports onboarding hundreds of accounts via AWS Organizations.
Use the open-source tool aws-sync to:
- Discover member accounts from your AWS Organization
- Automatically create or update the Forward IAM role
- Detect drift and support GitOps workflows
If you’re managing more than a few accounts, this tool pays off immediately.
Self-Managed Collectors: Use Instance Profiles
If you’re running a Forward collector or VM inside AWS, you can skip role delegation and instead use the instance profile attached to the collector VM. This approach is ideal for:
- Private environments
- GovCloud regions
- Air-gapped deployments
Interested in this setup? Contact Forward Support or your account team for help enabling and configuring instance profile access.
Static IAM User Support (Not Recommended)
Forward also supports using a static IAM user and access keys, but this method:
- Requires managing long-term credentials
- Can’t leverage role chaining or external ID protections
- Is harder to rotate and audit at scale
We recommend assume-role or instance profiles wherever possible for security and operational simplicity.
Azure: Entra ID, Subscriptions, and Inherited Access
Azure is structured around Microsoft Entra ID (formerly Azure AD). Forward connects using a service principal that you register, with access authorized at the subscription level.
Required Permissions
The service principal must be granted a custom role with:
```json
{
  "properties": {
    "roleName": "Forward_ReadOnlyAccess",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
          "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
          "microsoft.network/virtualnetworkgateways/getbgppeerstatus/action",
          "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
          "microsoft.network/virtualhubs/effectiveRoutes/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
These “effective” permissions are what allow Forward to model actual behavior, not just declared intent. While you can assign the built-in Contributor role, it grants far more permissions than necessary — including write access — and is not recommended for security-conscious environments.
To create a custom role with only the required permissions, your organization must have a Microsoft Entra P1 or P2 (formerly Azure AD Premium) license.
Assign Role at Subscription or Management Group
You can assign this role directly at each subscription, or — ideally — assign it at a management group level, allowing permissions to inherit automatically. Forward will discover all subscriptions in scope via this inheritance.
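Two things are easy to get wrong with the custom role above: the definition as shown leaves `assignableScopes` empty, and Azure will not create a custom role until it lists at least one subscription or management group scope; and once the role is assigned at a management group, the set of subscriptions Forward can see is whatever sits beneath that group in the hierarchy. The example below is added here and is not Forward's code; it fills in the assignable scopes, checks that every action is still a `*/read` or one of the five "effective" actions from the page, and walks a constructed management-group tree to list which subscriptions an assignment would cover by inheritance. The hierarchy, subscription IDs and group names are all made up for the example.

```python
"""Added example (not Forward's own code): lint the Forward_ReadOnlyAccess custom role
and compute which subscriptions a role assignment at a given scope covers."""
from typing import Dict, List, Optional, Set

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"

# The "effective state" actions from the role definition on the page (compared case-insensitively).
EFFECTIVE_ACTIONS = {
    "microsoft.network/networkinterfaces/effectiveroutetable/action",
    "microsoft.network/networkinterfaces/effectivenetworksecuritygroups/action",
    "microsoft.network/virtualnetworkgateways/getbgppeerstatus/action",
    "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
    "microsoft.network/virtualhubs/effectiveroutes/action",
}


def build_role_definition(assignable_scopes: List[str]) -> dict:
    """Return the custom role from the page with assignableScopes filled in."""
    return {
        "properties": {
            "roleName": "Forward_ReadOnlyAccess",
            "description": "Read-only access for Forward Networks modeling",
            "assignableScopes": list(assignable_scopes),
            "permissions": [
                {
                    "actions": ["*/read"] + sorted(EFFECTIVE_ACTIONS),
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": [],
                }
            ],
        }
    }


def lint_role_definition(role: dict) -> List[str]:
    """Return findings; empty means the role is read-only and creatable."""
    findings = []
    props = role.get("properties", role)
    scopes = props.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is empty; Azure rejects a custom role with no scope")
    for scope in scopes:
        if not (scope.startswith(MG_PREFIX) or scope.startswith(SUB_PREFIX)):
            findings.append(f"unexpected assignable scope {scope!r}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            a = action.lower()
            if a == "*" or a.endswith("/write") or a.endswith("/delete"):
                findings.append(f"write-capable action {action!r}")
            elif not (a.endswith("/read") or a in EFFECTIVE_ACTIONS):
                findings.append(f"unexpected action {action!r}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty for a control-plane read-only role")
    return findings


def subscriptions_in_scope(assignment_scope: str, parents: Dict[str, Optional[str]]) -> Set[str]:
    """Return every subscription whose management-group chain passes through assignment_scope.

    `parents` maps each scope to its parent scope (None for the tenant root group).
    """
    covered = set()
    for scope in parents:
        if not scope.startswith(SUB_PREFIX):
            continue
        node: Optional[str] = scope
        while node is not None:
            if node == assignment_scope:
                covered.add(scope)
                break
            node = parents.get(node)
    return covered


# Constructed hierarchy (placeholder names/IDs): root -> prod -> {sub-a, sub-b}; root -> dev -> {sub-c}
SAMPLE_HIERARCHY: Dict[str, Optional[str]] = {
    MG_PREFIX + "root": None,
    MG_PREFIX + "prod": MG_PREFIX + "root",
    MG_PREFIX + "dev": MG_PREFIX + "root",
    SUB_PREFIX + "00000000-0000-0000-0000-00000000000a": MG_PREFIX + "prod",
    SUB_PREFIX + "00000000-0000-0000-0000-00000000000b": MG_PREFIX + "prod",
    SUB_PREFIX + "00000000-0000-0000-0000-00000000000c": MG_PREFIX + "dev",
}

if __name__ == "__main__":
    role = build_role_definition([MG_PREFIX + "prod"])
    print("role findings:", lint_role_definition(role))
    print("covered by prod:", sorted(subscriptions_in_scope(MG_PREFIX + "prod", SAMPLE_HIERARCHY)))
```

The hierarchy dictionary stands in for what `az account management-group` would return for your tenant; feed the real parent relationships in and the function tells you, before Forward runs its first collection, exactly which subscriptions an assignment at a given management group will expose.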
Summary
| Feature | AWS | Azure |
|---|---|---|
| Auth Model | IAM Role (assume-role) | Service Principal |
| Trust Target | Forward Account ID 453418124061 | Your Entra Tenant |
| Permissions | /api/cloud/aws-policy | Custom role with "effective" reads |
| Multi-Account? | Use aws-sync | Use Management Groups |
| Alt Methods | Instance Profile, Static IAM (not preferred) | Scoped role assignment |
Final Tips
- Use the SaaS wizard to find your Org:XXXX External ID
- Automate IAM setup with aws-sync for scale
- Use instance profiles for air-gapped or internal AWS deployments
- Avoid static IAM users unless absolutely necessary
- In Azure, leverage management group inheritance for simplicity
Getting access right the first time makes everything else — path search, intent checks, security analysis — work as expected. Questions? Ask a question below or contact Forward support.