This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.
In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:
Empty array [] = All available AWS services are enabled for discovery
Populated array = Only the listed services are enabled; all others are disabled
To disable specific services, you must populate the array with only the services you want to monitor.
Before you update AWS provider services, ensure:
You have API access credentials for your Veza instance (see Authentication for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)
You have appropriate permissions to modify provider configurations
You understand that empty services arrays mean ALL services are enabled
First, retrieve all AWS provider configurations to understand your current setup:
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws"Understanding the response:
Providers with empty services: [] arrays have ALL services enabled
Providers with populated services arrays only extract the listed services
Note the id, name, and account_id fields for providers you want to modify
Example response structure:
{
"values": [
{
"id": "12345678-1234-5678-9012-123456789012",
"name": "Production AWS Account",
"account_id": "123456789012",
"services": [],
"state": "ENABLED"
},
{
"id": "87654321-4321-8765-2109-876543210987",
"name": "Development AWS Account",
"account_id": "987654321098",
"services": ["S3", "RDS_POSTGRES", "LAMBDA"],
"state": "ENABLED"
}
]
}Identify which providers to modify based on:
Provider names that match your AWS accounts
Account IDs that correspond to your AWS accounts
Current services configuration
Determine your desired services configuration:
Option A: Disable DATABRICKS only
{
"services": [
"REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL",
"RDS_ORACLE", "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS",
"EC2", "SSO", "COGNITO", "LAMBDA", "EKS", "SECRETS_MANAGER",
"ECR", "AWS_IAM"
]
}Option B: Enable only specific services
{
"services": [
"S3", "RDS_POSTGRES", "LAMBDA", "EC2", "AWS_IAM"
]
}Option C: Custom configuration
Review the available services list below
Create your own array with desired services
Before updating all providers, test with one provider first:
# Replace with your actual provider ID and desired services
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d '{"services":["S3","RDS_POSTGRES","LAMBDA","EC2","AWS_IAM"]}' \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"Verify the change:
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"Check that the response shows your desired services array.
Update each provider individually using their specific IDs:
# Example for multiple providers - replace with your actual IDs and services
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'
# Provider 1
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_1"
# Provider 2
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_2"Create a script for bulk updates. Use with caution as this affects all AWS providers:
#!/bin/bash
# Configuration - CUSTOMIZE THESE VALUES
VEZA_URL="https://yourcompany.cookiecloud.ai"
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'
echo "Starting bulk AWS provider services update..."
echo "Target services: $DESIRED_SERVICES"
echo ""
# Get all AWS provider IDs
provider_ids=$(curl -s -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws" | \
jq -r '.values[].id')
if [ -z "$provider_ids" ]; then
echo "Error: No AWS providers found or API call failed"
exit 1
fi
# Count providers
provider_count=$(echo "$provider_ids" | wc -l)
echo "Found $provider_count AWS providers to update"
echo ""
# Add confirmation prompt
read -p "Continue with bulk update? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo "Update cancelled"
exit 0
fi
# Update each provider
echo "$provider_ids" | while read provider_id; do
if [ -n "$provider_id" ]; then
echo "Updating provider: $provider_id"
response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$DESIRED_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/$provider_id")
http_status=$(echo "$response" | grep "HTTP_STATUS" | cut -d: -f2)
if [ "$http_status" = "200" ]; then
echo "✓ Successfully updated provider $provider_id"
else
echo "✗ Failed to update provider $provider_id (HTTP $http_status)"
echo "Response: $(echo "$response" | grep -v "HTTP_STATUS")"
fi
echo ""
fi
done
echo "Bulk update completed"After updating providers, verify the changes took effect:
# Check all providers
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws" | \
jq '.values[] | {id: .id, name: .name, services: .services}'
# Check specific provider
curl -H "Authorization: Bearer $VEZA_TOKEN" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID" | \
jq '{id: .id, name: .name, services: .services}'To return a provider to monitoring all services:
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d '{"services":[]}' \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"To change which services are monitored:
# Example: Enable different set of services
NEW_SERVICES='["S3","LAMBDA","DYNAMODB","EC2"]'
curl -X PATCH \
-H "Authorization: Bearer $VEZA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"services\":$NEW_SERVICES}" \
"$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"The following AWS services can be included in the services array:
S3 - Simple Storage Service
RDS_POSTGRES - PostgreSQL databases
RDS_MYSQL - MySQL databases
RDS_ORACLE - Oracle databases
RDS - General RDS service
DYNAMODB - DynamoDB NoSQL database
REDSHIFT - Redshift data warehouse
REDSHIFT_CLUSTER - Redshift cluster management
EC2 - Elastic Compute Cloud (virtual machines)
LAMBDA - Serverless functions
EKS - Elastic Kubernetes Service
ECR - Elastic Container Registry
EMR - Elastic MapReduce (big data)
AWS_IAM - Identity and Access Management
KMS - Key Management Service
SECRETS_MANAGER - AWS Secrets Manager
COGNITO - User authentication service
SSO - AWS Single Sign-On
ORGANIZATIONS - AWS Organizations
DATABRICKS - Analytics platform
Important notes:
Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers