# Amazon Web Services

> Connect AWS to give agents read-only access to your cloud resources

## Setup

<Tip>
  Make sure your GitHub App is connected and your connected repos are
  accessible. See the [Quickstart](/quickstart).
</Tip>

1. Go to **Settings → Integrations → Amazon Web Services** and click **Connect**
2. A CloudFormation quick-create page opens in a new tab — review the stack and click **Create stack**
3. Wait for the stack to finish creating (\~30 seconds), then copy the **Role ARN** from the **Outputs** tab
4. Paste the Role ARN back into Twill and click **Verify & Connect**

Once connected, Twill can access your AWS resources in read-only mode when investigating issues or working on tasks.

## How It Works

The AWS integration uses a cross-account IAM role with an external ID — the industry-standard pattern for granting third-party services secure, scoped access to your AWS account.

When you connect, the CloudFormation stack you create in your account provisions an IAM role with:

* The **ReadOnlyAccess** AWS managed policy (`List*`, `Describe*`, `Get*` across all services)
* A trust policy that only allows Twill to assume the role using a unique external ID
* No write, modify, or delete permissions

When an agent runs, Twill calls `sts:AssumeRole` to obtain short-lived temporary credentials that are injected into the sandbox as standard AWS environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`). The AWS CLI and all AWS SDKs recognize these natively.

## Security

* **No long-lived credentials**: Twill never stores AWS access keys. Temporary credentials are generated per agent run and expire after 1 hour.
* **External ID**: Prevents confused deputy attacks. Only Twill can assume the role, and only by presenting the unique external ID generated during setup.
* **Customer control**: You own the IAM role in your account. You can modify its permissions, add conditions, or delete it at any time.
* **Audit trail**: All `AssumeRole` calls appear in your AWS CloudTrail logs.
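
Because you own the role and can edit its trust policy, it is worth checking that the policy still has the shape described above after any change. The following is an added example, not Twill's code: the function name, the account ID `111122223333` and the external ID are placeholders, and the sample policies are constructed.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts "arn:aws:iam::111122223333:root" or a bare account ID.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return findings; an empty list means every Allow statement is limited
    to the expected account and requires the expected external ID."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for n, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {n}: principal is not limited to AWS accounts")
        else:
            for p in _as_list(principal["AWS"]):
                if _account_of(p) != expected_account:
                    findings.append(f"statement {n}: unexpected principal {p}")
        # Only an exact-match operator counts; StringLike could hide a wildcard.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in exact.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {n}: no StringEquals sts:ExternalId condition")
        elif any(_as_list(v) != [expected_external_id] for v in ids):
            findings.append(f"statement {n}: external ID does not match")
    return findings

# Constructed sample values (assumptions): substitute the principal and
# external ID shown in your own stack.
TWILL_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{TWILL_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
# Same role with the condition removed: the confused-deputy protection is gone.
NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{TWILL_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, TWILL_ACCOUNT, EXTERNAL_ID) or "ok")
```

To audit the live role, pass in the JSON returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`.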

## Disconnect

To disconnect AWS, go to **Settings → Integrations → Amazon Web Services** and click **Disconnect**. You can also delete the CloudFormation stack from your AWS account to remove the IAM role entirely.
