Skip to content

Amazon Web Services

SailPoint Entro integrates natively with Amazon Web Services (AWS) to continuously discover, monitor, and secure secrets, tokens, and Non-Human Identities (NHIs) across your organization’s AWS environments. This integration supports both CloudFormation and Assume Role authentication methods to ensure secure, least-privilege access for all connected accounts.


Capabilities

  • Continuous discovery of secrets in AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store

  • Monitoring of IAM users, roles, and service accounts for credential exposure and misconfiguration

  • Correlation of NHIs with workloads such as Lambda, ECS, and EKS functions

  • Detection of leaked AWS access keys across connected repositories and SaaS integrations

  • Centralized visibility of all AWS NHIs within SailPoint Entro’s unified inventory

  • Optional integration with AWS CloudTrail for enriched event and audit insights


Supported AWS Services

Service Description
AWS Secrets Manager Scans stored secrets, tokens, and API keys for exposure
AWS Systems Manager (SSM) Scans Parameter Store for plaintext or misconfigured parameters
AWS Identity and Access Management (IAM) Monitors users, roles, and service accounts for NHI tracking
AWS Key Management Service (KMS) Maps encryption keys, aliases, and access metadata
AWS Lambda / ECS / EKS Correlates workload-linked NHIs and service tokens
AWS CloudTrail Provides visibility into key creation, secret access, and audit logs
AWS Bedrock and Agent Core Discover AI Agents and their connected services

Security Principles

SailPoint Entro integrates with AWS using least-privilege, read-only access. Permissions are restricted to discovery-level actions only, with no ability to modify or create resources in your AWS environment. All communications between SailPoint Entro and AWS are secured over HTTPS/TLS and authenticated with either an IAM role assumption or an AWS CloudFormation-provisioned role.


Architecture Diagram

Diagram Placeholder:

Entro Security Cloud
   ↕ (HTTPS/TLS)
AWS Account
   ├── IAM (Users, Roles, NHIs)
   ├── Secrets Manager
   ├── Systems Manager Parameter Store
   ├── Key Management Service (KMS)
   └── CloudTrail Logs (Optional)

Prerequisites

Before integrating, ensure that:

  1. You have AWS Administrator or IAM Full Access privileges to create roles and policies.

  2. You know your SailPoint Entro AWS Account ID (displayed in the setup wizard).

  3. Outbound HTTPS access to api.entro.security is allowed from your environment.


Integration Options

Method Description
CloudFormation (Recommended) Automatically deploys SailPoint Entro’s IAM Role and Policy via an AWS CloudFormation stack
Assume Role Manual configuration using IAM Role and trust relationship with SailPoint Entro’s AWS account

Data Processed

SailPoint Entro retrieves only metadata and secret identifiers - never plaintext secret values. Sensitive data remains stored securely in your AWS account; SailPoint Entro analyzes metadata, context, and policy configurations for exposure risk and correlation.


Compliance and Privacy

All AWS connections adhere to SailPoint Entro’s internal compliance standards:

  • No data persistence of secret content

  • SOC 2 Type II and ISO 27001 aligned processing

  • Encrypted data in transit and at rest

  • Audit-ready access logs for every secret discovery and sync event