Skip to content

AWS Manual Onboarding

If your organization restricts CloudFormation deployments, you can connect SailPoint Entro to AWS manually using an IAM Role Assume configuration. This process involves creating a custom IAM Policy and Role, establishing a trust relationship with SailPoint Entro’s AWS Account, and linking the Role ARN in the SailPoint Entro Dashboard.


Management → Accounts & Integrations → Add New Account (top right) → AWS


Overview

Manual onboarding gives you complete control over permissions and policies while still providing SailPoint Entro with read-only access. The process consists of three primary steps:

  • Create IAM Policy – Define least-privilege read-only access for secrets and NHIs.

  • Create IAM Role – Establish a trusted relationship with SailPoint Entro’s AWS Account.

  • Connect Role to SailPoint Entro – Paste the Role ARN into SailPoint Entro’s setup wizard.


Architecture Diagram

Entro Security Cloud
   ↕ (Assume Role)
AWS Account
   ├── IAM Policy (EntroReadOnlyAccess)
   ├── IAM Role (EntroAWSIntegrationRole)
   └── Secrets Manager / SSM / KMS

Prerequisites

  • IAM administrative privileges in the AWS account.

  • SailPoint Entro AWS Account ID and External ID (displayed in the SailPoint Entro setup wizard).

  • Outbound connectivity to api.entro.security.

  • Optional: Access to CloudTrail S3 bucket if audit log correlation is desired.


Complete the following:

  1. Create IAM Policy

    To grant SailPoint Entro limited, read-only visibility into your AWS environment, create a policy named EntroReadOnlyAccess.

    Follow detailed instructions in: IAM Policy Creation Steps →

  2. Create IAM Role

    Create a role named EntroAWSIntegrationRole that allows SailPoint Entro’s AWS Account to assume it using the external ID provided in the wizard.

    Full instructions: IAM Role Creation Steps →

  3. Link the Role to SailPoint Entro

    After creating the Role, copy its Role ARN from AWS IAM and paste it into SailPoint Entro’s Assume Role setup.

    Detailed guide: Assume Role Link to SailPoint Entro →


(Optional) Connect CloudTrail Logs

If you want SailPoint Entro to correlate secret events with AWS CloudTrail, follow: AWS CloudTrail S3 Setup →


Validation Checklist

Check Description
IAM Policy created EntroReadOnlyAccess exists in IAM
IAM Role created EntroAWSIntegrationRole visible under IAM Roles
Role trust policy configured SailPoint Entro AWS Account ID and external ID correctly applied
Role linked in SailPoint Entro Account shows as Active in AWS Integrations
Optional CloudTrail connected Verified under Integration Summary

Troubleshooting

Issue Cause Resolution
Role not assumable Trust policy missing SailPoint Entro principal Update trust policy JSON
Secrets not detected Missing Secrets Manager permission Reattach read-only policy
Account not appearing in SailPoint Entro Incorrect Role ARN Re-enter ARN from AWS IAM console