AWS Onboarding Steps
The AWS Onboarding process connects your AWS environment to SailPoint Entro for continuous discovery and monitoring of secrets, tokens, and Non-Human Identities (NHIs). You can onboard AWS accounts automatically using CloudFormation or manually using IAM Role Assume configuration.
Overview
SailPoint Entro offers two secure onboarding options for AWS:
| Method | Description | Recommended For |
|---|---|---|
| Automatic (CloudFormation) | Deploys a read-only IAM Role and Policy in AWS using a CloudFormation stack. | Most environments and standard single-account setups |
| Manual (Assume Role) | Manually create an IAM Role, attach SailPoint Entro's read-only policy, and link the Role ARN in SailPoint Entro. | Restricted environments or custom IAM management policies |
Both options enable SailPoint Entro to continuously monitor secrets across AWS Secrets Manager, Parameter Store, and related NHIs - without granting write privileges or administrative control.
Prerequisites
Before starting the onboarding process, ensure the following:
-
You have Administrator Access or sufficient permissions to create IAM Roles and Policies.
-
You can log into the target AWS Account via the AWS Management Console.
-
You have your SailPoint Entro AWS Account ID and External ID (available in the SailPoint Entro setup wizard).
-
Outbound HTTPS connectivity is enabled to
api.entro.security. -
Your network/firewall allows traffic to AWS and SailPoint Entro endpoints.
Onboarding Flow
Entro Security Dashboard
↓
Select AWS Integration
↓
Choose Setup Type (CloudFormation or Assume Role)
↓
Create IAM Policy and Role
↓
Entro assumes the AWS Role
↓
Secrets and NHIs sync into Entro Dashboard
-
Choose Onboarding Method
When adding a new AWS account, SailPoint Entro will prompt you to choose between:
-
Automatic Setup (CloudFormation) – the recommended path for fast and secure deployment.
-
Manual Setup (Assume Role) – for environments that prohibit CloudFormation stack deployment.
-
-
Deploy or Create IAM Role
Depending on the selected method:
-
Automatic: Launch SailPoint Entro’s CloudFormation stack directly from the SailPoint Entro Dashboard.
-
Manual: Follow the steps in AWS Manual Onboarding to create an IAM Policy and Role manually.
-
-
Verify Account Connection
Once the setup is complete:
-
Navigate to Integrations → AWS in SailPoint Entro.
-
Confirm that your AWS account appears as Active.
-
Check the sync logs to verify that NHIs and secrets are being ingested.
-
-
(Optional) Configure CloudTrail S3 Integration
You can optionally enhance visibility by connecting AWS CloudTrail logs. This allows SailPoint Entro to correlate secret activity with CloudTrail events and detect anomalous credential usage.
Follow the guide at: CloudTrail S3 Setup →
-
Multi-Account Automation
For organizations using multiple AWS accounts under an AWS Organization, SailPoint Entro supports multi-account automation. This enables scalable onboarding using AWS StackSets or organizational IAM roles.
Refer to: AWS Multiple Account Automation →
Note
Optional: Connecting CloudTrail S3 provides enhanced correlation between secret access/use and CloudTrail events, improving detection of anomalous credential behavior.
Validation Checklist
| Check | Description |
|---|---|
| Account listed as Active | Visible under Integrations → AWS |
| Secrets detected | Found under Inventory → Secrets |
| NHIs discovered | Found under Inventory → NHIs |
| Optional CloudTrail connected | Verified in integration summary |