IAM & Security
How the External Tool Agent is secured at the infrastructure level.
Zero Trust by Design
Every organization gets its own isolated AWS resources — dedicated SQS queues, a dedicated S3 bucket, and a dedicated IAM user. There is no shared infrastructure between organizations.
| Resource | Isolation |
|---|---|
| SQS Work Queue | One per organization |
| SQS Completion Queue | One per organization |
| S3 Bucket | One per organization |
| IAM Credentials | One per organization |
What the Credentials Can Do
The IAM credentials in your config.yaml are scoped to your organization only:
- Read messages from your work queue
- Send messages to your completion queue
- Read/write files in your S3 bucket
They cannot:
- Access another organization's queues or buckets
- Modify queue or bucket configuration
- Access any NINA internal resources
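One way to check a policy against the scope listed above, as an added example that is not NINA's own code or policy. The action names are an assumed mapping of the three capabilities, and the ARNs, the `org-a`/`org-b` names and both sample policies are constructed.

```python
# Assumed mapping of the page's capabilities to AWS action names; NINA's real policy is not shown.
ALLOWED = {
    "work_queue": {"sqs:receivemessage", "sqs:deletemessage"},
    "completion_queue": {"sqs:sendmessage"},
    "bucket": {"s3:getobject", "s3:putobject", "s3:listbucket"},
}
# Constructed ARNs for a hypothetical organization "org-a".
ORG_A = {
    "work_queue": "arn:aws:sqs:us-east-1:111122223333:org-a-work",
    "completion_queue": "arn:aws:sqs:us-east-1:111122223333:org-a-completion",
    "bucket": "arn:aws:s3:::org-a-tools",
}

def _list(v):
    return v if isinstance(v, list) else [v]

# Map an ARN to one of the org's resources; None means it is not the org's.
def _kind(resource, org_arns):
    for kind, arn in org_arns.items():
        if resource == arn or (kind == "bucket" and resource.startswith(arn + "/")):
            return kind
    return None

def audit(policy, org_arns):
    """Return (statement index, problem) for every Allow beyond the per-org scope."""
    findings = []
    for i, st in enumerate(_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        for res in _list(st["Resource"]):
            kind = _kind(res, org_arns)
            if kind is None:
                findings.append((i, f"resource outside organization: {res}"))
                continue
            for act in _list(st["Action"]):
                if act.lower() not in ALLOWED[kind]:  # case-insensitive; wildcards never match
                    findings.append((i, f"{act} not expected on {kind}"))
    return findings

# Constructed sample policies: SCOPED matches the page; LOOSE breaks the "cannot" list.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"], "Resource": ORG_A["work_queue"]},
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": ORG_A["completion_queue"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": ORG_A["bucket"] + "/*"},
]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:SetQueueAttributes", "Resource": ORG_A["work_queue"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::org-b-tools/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
```

`audit(SCOPED, ORG_A)` returns no findings, while `audit(LOOSE, ORG_A)` reports the configuration change, the cross-organization bucket and the wildcard grant.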
Nothing to Configure
IAM credentials and permissions are provisioned automatically when you create an External Tool Node in NINA. The config.yaml you receive already contains everything needed. No IAM setup is needed on your side.
If you see AccessDenied errors, verify that your config.yaml is the latest version from NINA provisioning.
Next Steps
- Create custom tools - Build your security tools
- Troubleshooting - Fix common issues