Skip to content

AWS Permissions Reference

This page outlines all AWS IAM permissions, roles, and policy structures that SailPoint Entro uses across its AWS integrations. It ensures transparency around access scopes, least-privilege compliance, and audit readiness for connected AWS environments.


Overview

Note

SailPoint Entro integrates with AWS through read-only IAM Roles. All actions are restricted to discovery and metadata access. No modification, deletion, or secret extraction occurs.

SailPoint Entro supports the following integration types:

  • CloudFormation - automatic setup for single accounts

  • Terraform - Infrastructure-as-Code deployment (alternative to CloudFormation)

  • StackSets (AWS Organizations) - multi-account automation from the management account


IAM Roles Used

Role Name Purpose Created By
EntroRoleAWS Primary role SailPoint Entro assumes to discover secrets and NHIs. CloudFormation or Manual setup
EntroReadOnlyAccess Attached policy providing minimal read permissions. Manual or automated setup
EntroMultiAccountRole Used during multi-account StackSets deployment. AWS Organizations automation

Base Read‑Only Policy (EntroReadOnlyAccess)

This is the core IAM policy used in both single-account and multi-account setups.

EntroReadOnlyAccess.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret",
        "kms:DescribeKey",
        "kms:ListAliases",
        "ec2:Describe*",
        "cloudtrail:LookupEvents",
        "lambda:GetFunction",
        "iam:List*",
        "rds:Describe*",
        "ssm:GetParameter",
        "ssm:DescribeParameters",
        "eks:ListClusters",
        "s3:GetObject",
        "s3:ListBucket"
        "bedrock-agentcore:List*",
        "bedrock-agentcore:Get*",
        "bedrock:List*",
        "bedrock:Get*",
      ],
      "Resource": "*"
    }
  ]
}

Optional Logging Permissions

These permissions are automatically included when SailPoint Entro detects CloudTrail or S3 log integrations. They enable secure, read-only access for audit correlation.

CloudTrailBucketPermissions.json

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<cloudtrail-logs-bucket>",
    "arn:aws:s3:::<cloudtrail-logs-bucket>/*"
  ]
}

Zero Trust Permissions

ZeroTrust.json

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy",
        "iam:GetLoginProfile"
    ],
    "Resource": "*"
}

Optional - Model Invocation Logging

In case you use Amazon Bedrock, it's recommended to enable the Model Invocation logs. This allows SailPoint Entro to identify and display the identity of each model invoker.

To set it up, follow the instructions in AWS docs to enable invocation logging and configure log delivery to Amazon S3.

Trust Relationship Template

SailPoint Entro assumes the AWS role using AWS STS and an external ID to prevent unauthorized access.

TrustRelationship.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ENTRO_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<ENTRO_EXTERNAL_ID>"
        }
      }
    }
  ]
}

CloudFormation Automation Permissions (StackSets)

When using AWS Organizations for automation, StackSets require additional permissions for delegated deployment.

StackSetsDelegationPermissions.json

{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStackInstances",
    "cloudformation:UpdateStackInstances",
    "cloudformation:DeleteStackInstances",
    "organizations:ListAccounts",
    "organizations:DescribeOrganization"
  ],
  "Resource": "*"
}

Terraform Automation Permissions (Optional)

When using Terraform for organization-wide deployment instead of CloudFormation, ensure the execution identity (user or CI/CD role) has the following permissions:

TerraformDelegationPermissions.json

{
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy",
    "lambda:CreateFunction",
    "lambda:InvokeFunction",
    "sns:Publish",
    "cloudformation:DescribeStacks"
  ],
  "Resource": "*"
}

Security and Compliance Summary

Category Description
Principle of Least Privilege SailPoint Entro’s AWS integrations only include discovery-level permissions.
No Write Operations SailPoint Entro never modifies or deletes AWS resources.
Data Handling No secret plaintext leaves your AWS environment.
Encryption All requests use HTTPS/TLS and signed AWS API calls.
Logging All AWS actions are logged in CloudTrail.

Validation Checklist

Validation Item Description
IAM Role Exists EntroAWSIntegrationRole visible under IAM Roles
Policy Attached EntroReadOnlyAccess applied correctly
Trust Relationship External ID and SailPoint Entro Account ID verified
CloudTrail Access (optional) Bucket policy includes s3:GetObject & s3:ListBucket