AWS Multiple Account Automation
For organizations managing multiple AWS accounts under AWS Organizations, SailPoint Entro provides a scalable method to onboard and maintain integrations automatically. This ensures consistent visibility and secret management across all member accounts without manual setup in each environment.
Overview
The Multiple Account Automation feature allows administrators to deploy the SailPoint Entro AWS integration across multiple linked accounts using:
-
AWS CloudFormation StackSets
-
Terraform (Infrastructure-as-Code)
Both methods create the required cross-account IAM Roles and SailPoint Entro policies automatically, eliminating the need to repeat manual onboarding in each account.
Architecture Diagram
Entro Security Cloud
↕ (HTTPS/TLS)
Management AWS Account (Root)
├── StackSet deployment → Member Account A
├── StackSet deployment → Member Account B
└── StackSet deployment → Member Account C
Each member account runs a read-only IAM Role (EntroAWSIntegrationRole) provisioned automatically through StackSets or delegated administrator permissions.
Prerequisites
- AWS Organizations is enabled and configured.
- You have management account or delegated admin privileges with permission to deploy organization-wide resources.
- One of the following automation options is available in your environment:
- CloudFormation StackSets (recommended)
- Terraform with permissions to create IAM roles and policies across member accounts.
- SailPoint Entro permissions (EntroReadOnlyAccess policy) are included in the deployment template or Terraform module.
- All linked accounts have outbound HTTPS/TLS connectivity to SailPoint Entro’s API endpoints.
Setup Steps
Complete the following:
-
Select the Root or Delegated Management Account
Launch the integration from your AWS Management Account in SailPoint Entro. SailPoint Entro will automatically detect all child accounts under the AWS Organization.
-
Choose Deployment Method
You can onboard all member accounts using either:
-
Option A: CloudFormation StackSet (recommended)
-
Option B: Terraform (for IaC-managed environments)
-
-
Deploy the StackSet
Option A - CloudFormation StackSet
-
In the AWS console proceed to CloudFormation.
-
In the burger menu on the left, select Stacksets.
-
Select Service-managed permissions, Template is ready, and then upload the file below.
-
Download or copy the prebuilt CloudFormation template (
entro-aws-multi-account.json). -
Enter a StackSet name, for example
EntroStackset. -
Enter the provided ExternalID, Remote Agent and SNSTopic from SailPoint Entro.
-
Select Next.
-
At the bottom, select I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then select Next.
-
Under Specify Regions, select US East 1, select Next, and submit.
Option B - Terraform
-
Copy the Terraform module provided in this guide under
entro-aws-multi-account.json. -
Define the required variables (
external_id,remote_agent, and optionalsns_topic_arn_suffix). -
Apply the module from your Terraform pipeline or management workspace.
-
-
Role and Policy Deployment
The deployment (StackSet or Terraform) automatically creates the integration roles in each account:
-
Role Name:
EntroAWSIntegrationRole -
Policy Name:
EntroReadOnlyAccess
These roles are assumed by SailPoint Entro’s AWS Account using a secure external ID and trust policy configured during deployment.
-
-
Verify Integration
-
Return to SailPoint Entro → Integrations → AWS.
-
All child accounts appear automatically under the parent integration.
-
Verify account sync status = Active for each linked account.
-
Option a - CloudFormation StackSet Template Reference
Option B - Terraform (Infrastructure-as-Code) Template Reference
Please note the external_id and remote_agent variables, which will be provided by the SailPoint Entro team.
Troubleshooting
StackSet deployment fails
Cause:
- Missing permissions in target accounts
Resolution:
- Verify delegated admin permissions and StackSet IAM execution role
Accounts not appearing in SailPoint Entro
Cause:
- Trust policy mismatch
Resolution:
- Ensure each IAM Role trusts SailPoint Entro’s AWS Account ID
Partial sync
Cause:
- Network egress blocked
Resolution:
- Allow HTTPS/TLS to SailPoint Entro’s API endpoints