Amazon Web Services
SailPoint Entro integrates natively with Amazon Web Services (AWS) to continuously discover, monitor, and secure secrets, tokens, and Non-Human Identities (NHIs) across your organization’s AWS environments. This integration supports both CloudFormation and Assume Role authentication methods to ensure secure, least-privilege access for all connected accounts.
Capabilities
-
Continuous discovery of secrets in AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store
-
Monitoring of IAM users, roles, and service accounts for credential exposure and misconfiguration
-
Correlation of NHIs with workloads such as Lambda, ECS, and EKS functions
-
Detection of leaked AWS access keys across connected repositories and SaaS integrations
-
Centralized visibility of all AWS NHIs within SailPoint Entro’s unified inventory
-
Optional integration with AWS CloudTrail for enriched event and audit insights
Supported AWS Services
| Service | Description |
|---|---|
| AWS Secrets Manager | Scans stored secrets, tokens, and API keys for exposure |
| AWS Systems Manager (SSM) | Scans Parameter Store for plaintext or misconfigured parameters |
| AWS Identity and Access Management (IAM) | Monitors users, roles, and service accounts for NHI tracking |
| AWS Key Management Service (KMS) | Maps encryption keys, aliases, and access metadata |
| AWS Lambda / ECS / EKS | Correlates workload-linked NHIs and service tokens |
| AWS CloudTrail | Provides visibility into key creation, secret access, and audit logs |
| AWS Bedrock and Agent Core | Discover AI Agents and their connected services |
Security Principles
SailPoint Entro integrates with AWS using least-privilege, read-only access. Permissions are restricted to discovery-level actions only, with no ability to modify or create resources in your AWS environment. All communications between SailPoint Entro and AWS are secured over HTTPS/TLS and authenticated with either an IAM role assumption or an AWS CloudFormation-provisioned role.
Architecture Diagram
Diagram Placeholder:
Entro Security Cloud
↕ (HTTPS/TLS)
AWS Account
├── IAM (Users, Roles, NHIs)
├── Secrets Manager
├── Systems Manager Parameter Store
├── Key Management Service (KMS)
└── CloudTrail Logs (Optional)
Prerequisites
Before integrating, ensure that:
-
You have AWS Administrator or IAM Full Access privileges to create roles and policies.
-
You know your SailPoint Entro AWS Account ID (displayed in the setup wizard).
-
Outbound HTTPS access to
api.entro.securityis allowed from your environment.
Integration Options
| Method | Description |
|---|---|
| CloudFormation (Recommended) | Automatically deploys SailPoint Entro’s IAM Role and Policy via an AWS CloudFormation stack |
| Assume Role | Manual configuration using IAM Role and trust relationship with SailPoint Entro’s AWS account |
Data Processed
SailPoint Entro retrieves only metadata and secret identifiers - never plaintext secret values. Sensitive data remains stored securely in your AWS account; SailPoint Entro analyzes metadata, context, and policy configurations for exposure risk and correlation.
Compliance and Privacy
All AWS connections adhere to SailPoint Entro’s internal compliance standards:
-
No data persistence of secret content
-
SOC 2 Type II and ISO 27001 aligned processing
-
Encrypted data in transit and at rest
-
Audit-ready access logs for every secret discovery and sync event