> ## Documentation Index
> Fetch the complete documentation index at: https://docs.twill.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon Web Services

> Read-only AWS access through a cross-account IAM role — no long-lived keys.

The AWS integration lets agents read your AWS resources, logs, and service metadata while debugging. Access is strictly read-only and uses a cross-account IAM role — Twill never stores AWS keys.

## Connect

<Steps>
  <Step title="Launch the CloudFormation stack">
    In **Settings → Integrations → Amazon Web Services**, click **Connect**.
    This opens a CloudFormation quick-create page in your AWS console. Click
    **Create stack** — it takes about 30 seconds.
  </Step>

  <Step title="Paste the Role ARN">
    Copy the **Role ARN** from the stack's Outputs tab, paste it back into
    Twill, and click **Verify & Connect**.
  </Step>
</Steps>

## How access works

* The role carries AWS's managed **ReadOnlyAccess** policy (`List*`, `Describe*`, `Get*`) — no write, modify, or delete permissions.
* Its trust policy is scoped to Twill's account plus a unique **external ID**, so only your workspace can assume it.
* At task time, Twill calls `sts:AssumeRole` and injects temporary credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`) into the sandbox. They expire after 1 hour.
* Every assumption shows up in your CloudTrail, so access is fully auditable.

## Disconnect

Disconnect in Twill's settings, then delete the CloudFormation stack in AWS to remove the role entirely.
