Skip to content

AWS Onboarding Steps

The AWS Onboarding process connects your AWS environment to SailPoint Entro for continuous discovery and monitoring of secrets, tokens, and Non-Human Identities (NHIs). You can onboard AWS accounts automatically using CloudFormation or manually using IAM Role Assume configuration.


Overview

SailPoint Entro offers two secure onboarding options for AWS:

Method Description Recommended For
Automatic (CloudFormation) Deploys a read-only IAM Role and Policy in AWS using a CloudFormation stack. Most environments and standard single-account setups
Manual (Assume Role) Manually create an IAM Role, attach SailPoint Entro's read-only policy, and link the Role ARN in SailPoint Entro. Restricted environments or custom IAM management policies

Both options enable SailPoint Entro to continuously monitor secrets across AWS Secrets Manager, Parameter Store, and related NHIs - without granting write privileges or administrative control.


Prerequisites

Before starting the onboarding process, ensure the following:

  • You have Administrator Access or sufficient permissions to create IAM Roles and Policies.

  • You can log into the target AWS Account via the AWS Management Console.

  • You have your SailPoint Entro AWS Account ID and External ID (available in the SailPoint Entro setup wizard).

  • Outbound HTTPS connectivity is enabled to api.entro.security.

  • Your network/firewall allows traffic to AWS and SailPoint Entro endpoints.


Onboarding Flow

Entro Security Dashboard
Select AWS Integration
Choose Setup Type (CloudFormation or Assume Role)
Create IAM Policy and Role
Entro assumes the AWS Role
Secrets and NHIs sync into Entro Dashboard

  1. Choose Onboarding Method

    When adding a new AWS account, SailPoint Entro will prompt you to choose between:

    • Automatic Setup (CloudFormation) – the recommended path for fast and secure deployment.

    • Manual Setup (Assume Role) – for environments that prohibit CloudFormation stack deployment.

  2. Deploy or Create IAM Role

    Depending on the selected method:

    • Automatic: Launch SailPoint Entro’s CloudFormation stack directly from the SailPoint Entro Dashboard.

    • Manual: Follow the steps in AWS Manual Onboarding to create an IAM Policy and Role manually.

  3. Verify Account Connection

    Once the setup is complete:

    1. Navigate to Integrations → AWS in SailPoint Entro.

    2. Confirm that your AWS account appears as Active.

    3. Check the sync logs to verify that NHIs and secrets are being ingested.

  4. (Optional) Configure CloudTrail S3 Integration

    You can optionally enhance visibility by connecting AWS CloudTrail logs. This allows SailPoint Entro to correlate secret activity with CloudTrail events and detect anomalous credential usage.

    Follow the guide at: CloudTrail S3 Setup →

  5. Multi-Account Automation

    For organizations using multiple AWS accounts under an AWS Organization, SailPoint Entro supports multi-account automation. This enables scalable onboarding using AWS StackSets or organizational IAM roles.

    Refer to: AWS Multiple Account Automation →


    Note

    Optional: Connecting CloudTrail S3 provides enhanced correlation between secret access/use and CloudTrail events, improving detection of anomalous credential behavior.


Validation Checklist

Check Description
Account listed as Active Visible under Integrations → AWS
Secrets detected Found under Inventory → Secrets
NHIs discovered Found under Inventory → NHIs
Optional CloudTrail connected Verified in integration summary