The IAM Role authentication method is the default and recommended option for running Lucidity Assessment on AWS. This method ensures that the app has the required permissions to securely access your AWS resources without storing any credentials.
Step 1: Input Company Name or Workload Identifier
Enter your Company Name or a meaningful Identifier representing the workload or environment under assessment (for example: Finance-Prod, ECommerce-West).
This helps Lucidity organize and tag your assessment data for reporting.
Step 3: Choose AWS Regions
Select the AWS Regions where your EC2 workloads are deployed.
You can either:
Select All Regions for full coverage, or
Choose specific regions such as us-east-1, ap-south-1, etc., where your instances reside.
Note
For accurate insights, select All Regions so that Lucidity Assessment analyzes every region where EC2 instances may exist.
Step 4: Specify AWS Accounts for Assessment
Choose the AWS Accounts you want to include in the assessment.
Single Account Assessment
Enter a single AWS Account ID
Recommended only for testing or proof-of-concept runs.
Download CloudFormation Template
The next step is to deploy the required IAM Role using an AWS CloudFormation Template (CFT). The specific template to download depends on your chosen Permission Mode.
Deploy CloudFormation Template
Use the downloaded CloudFormation Template to create the IAM Role across your AWS accounts. You can deploy it through the AWS Console.
Using AWS Console
Sign in to your AWS Console on the target account.
Navigate to CloudFormation → Stacks
Click Create Stack → With new resources (standard)
Choose “Upload a template file” and upload the template file downloaded earlier. Click Next.
Provide a stack name and click Next.
Because the template contains IAM resources, under Capabilities choose “I acknowledge that this template may create IAM resources” to confirm that you want to use IAM resources in the template. Click Next.
Review and Create Stack.
Once the stack is created successfully, proceed to the Assessment App, acknowledge Stack Executed Successfully, and initiate the assessment.
Multiple Account Assessment
Enter comma-separated AWS Account IDs to run the assessment across multiple accounts.
Note
Include your top 10 highest-spend accounts, or those contributing to ~80% of your cloud costs, for a comprehensive optimization view.
Input AWS Organizations Root ID
Lucidity uses AWS StackSets to create IAM roles across accounts in your organization. To enable this, provide your AWS Organizations Root ID. To find your Root ID:
Sign in to your AWS Console.
Navigate to AWS Organizations → AWS Accounts
Copy the Root ID displayed there.
Paste the Root ID into the Lucidity Assessment App.
Enable Trusted Access
Ensure Trusted Access is enabled in AWS Organizations for StackSets. This allows the Lucidity Assessment App to deploy IAM roles securely across multiple accounts.
To enable it, follow AWS’s official guide: Activate Trusted Access.
After enabling, return to the Lucidity Assessment App and check the box to acknowledge that Trusted Access is active.
Download the CloudFormation Template
Once Trusted Access is enabled, the next step is to deploy the required IAM Role using an AWS CloudFormation Template (CFT). The specific template to download depends on your chosen Permission Mode.
Deploy CloudFormation Template
Use the downloaded CloudFormation Template to create the IAM Role across your AWS accounts. You can deploy it through the AWS Console.
Using AWS Console
Sign in to your AWS Console from the Root Account or the AWS Delegated Administrator Management Account.
Navigate to CloudFormation → StackSets
Click Create StackSet.
For Permissions, choose Service-Managed Permissions, or reach out to your AWS Admin.
Upload the downloaded Lucidity CFT file and click Next.
On the Specify StackSet details page, provide a name for the StackSet, specify any parameters, and then choose Next.
For Execution configuration, choose Active to enable CloudFormation's optimized operation handling, or leave the default.
Because the template contains IAM resources, under Capabilities choose “I acknowledge that this template may create IAM resources” to confirm that you want to use IAM resources in the template. Choose Next to proceed and to activate trusted access if it is not already activated.
StackSets can be deployed into individual accounts or into all accounts in an organizational unit.
If the stack is downloaded from the Assessment App, choose Deploy stacks in OU and input the Root ID.
If the stack is downloaded from the website, choose Deploy Stacks in Account and input the Account IDs.
Next, specify a single Region; it can be the same as or different from the Region where the StackSet is being launched.
Note
IAM is a global service, meaning IAM roles exist globally within an AWS account, not per region. When you deploy this template via StackSets to multiple regions within the same account, the first region will successfully create the role, but subsequent regions will fail with an "IAM role already exists" error because the role was already created globally.
Leave Deployment Options as default and click Next.
On the Review page, verify that your StackSet will deploy to the correct accounts in the correct Regions, and then choose Create StackSet.
The StackSet details page opens. You can view the progress and status of the creation of the stacks in your StackSet. Once the StackSet is created successfully, proceed to the Assessment App to acknowledge the launch and initiate the assessment.
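Before ticking the IAM-resources acknowledgement in either deployment path above, it helps to see which roles the downloaded template would create, who may assume them, and which allowed actions go beyond read-only. The script below is an added example, not Lucidity's code or template: the sample template is constructed (placeholder account ID and resource names), and it assumes a JSON-format template, treats Describe/Get/List actions as read-only, and does not handle NotAction statements.

```python
import json

# Constructed sample in JSON form; NOT Lucidity's template. Account ID and names are placeholders.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ExampleAssessmentRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "ec2:CreateTags"]},
            {"Effect": "Allow", "Resource": "*", "Action": "s3:*"}]}}]}},
    "ExampleBucket": {"Type": "AWS::S3::Bucket"}}})

READ_ONLY_VERBS = ("Describe", "Get", "List")  # assumption: verbs treated as read-only

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    # "ec2:Describe*" -> "Describe*"; a bare "*" or "svc:*" is never read-only
    return isinstance(action, str) and action.split(":")[-1].startswith(READ_ONLY_VERBS)

def review_template(text):
    """Summarise each AWS::IAM::Role the template would create."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", []))
        principals = []
        for stmt in trust:
            p = stmt.get("Principal", {})
            values = [p] if isinstance(p, str) else [v for vs in p.values() for v in as_list(vs)]
            principals += [v if isinstance(v, str) else json.dumps(v) for v in values]
        writes = []
        for policy in props.get("Policies", []):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") == "Allow":
                    writes += [a for a in as_list(stmt.get("Action", [])) if not is_read_only(a)]
        findings.append({"role": name, "trusted_principals": principals,
                         "unconditioned_trust": any("Condition" not in s for s in trust),
                         "managed_policies": props.get("ManagedPolicyArns", []),
                         "non_read_actions": writes})
    return findings

if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

To review a real download, pass the file's contents to `review_template` in place of `SAMPLE_TEMPLATE`, and compare the trusted principals and non-read actions against what your chosen Permission Mode is expected to grant.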
Step 5: Upload Assessment Results to Lucidity [Optional]
For a Desktop Application Based Assessment, you might choose not to share Metadata at the time of initiating the assessment. If so, you can zip the contents of the Lucidity_Assessment folder, located where the Assessment App was initiated, and share it with Lucidity over mail or through the Lucidity Dashboard by clicking Upload Assessment on the Lucidity Assessment Dashboard.