AWS Permissions Reference
This page outlines all AWS IAM permissions, roles, and policy structures that SailPoint Entro uses across its AWS integrations. It ensures transparency around access scopes, least-privilege compliance, and audit readiness for connected AWS environments.
Overview
Note
SailPoint Entro integrates with AWS through read-only IAM Roles. All actions are restricted to discovery and metadata access. No modification, deletion, or secret extraction occurs.
SailPoint Entro supports the following integration types:
-
CloudFormation - automatic setup for single accounts
-
Terraform - Infrastructure-as-Code deployment (alternative to CloudFormation)
-
StackSets (AWS Organizations) - multi-account automation from the management account
IAM Roles Used
| Role Name | Purpose | Created By |
|---|---|---|
EntroRoleAWS |
Primary role SailPoint Entro assumes to discover secrets and NHIs. | CloudFormation or Manual setup |
EntroReadOnlyAccess |
Attached policy providing minimal read permissions. | Manual or automated setup |
EntroMultiAccountRole |
Used during multi-account StackSets deployment. | AWS Organizations automation |
Base Read‑Only Policy (EntroReadOnlyAccess)
This is the core IAM policy used in both single-account and multi-account setups.
EntroReadOnlyAccess.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:DescribeSecret",
"kms:DescribeKey",
"kms:ListAliases",
"ec2:Describe*",
"cloudtrail:LookupEvents",
"lambda:GetFunction",
"iam:List*",
"rds:Describe*",
"ssm:GetParameter",
"ssm:DescribeParameters",
"eks:ListClusters",
"s3:GetObject",
"s3:ListBucket"
"bedrock-agentcore:List*",
"bedrock-agentcore:Get*",
"bedrock:List*",
"bedrock:Get*",
],
"Resource": "*"
}
]
}
Optional Logging Permissions
These permissions are automatically included when SailPoint Entro detects CloudTrail or S3 log integrations. They enable secure, read-only access for audit correlation.
CloudTrailBucketPermissions.json
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cloudtrail-logs-bucket>",
"arn:aws:s3:::<cloudtrail-logs-bucket>/*"
]
}
Zero Trust Permissions
ZeroTrust.json
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy",
"iam:GetLoginProfile"
],
"Resource": "*"
}
Optional - Model Invocation Logging
In case you use Amazon Bedrock, it's recommended to enable the Model Invocation logs. This allows SailPoint Entro to identify and display the identity of each model invoker.
To set it up, follow the instructions in AWS docs to enable invocation logging and configure log delivery to Amazon S3.
Trust Relationship Template
SailPoint Entro assumes the AWS role using AWS STS and an external ID to prevent unauthorized access.
TrustRelationship.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ENTRO_ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<ENTRO_EXTERNAL_ID>"
}
}
}
]
}
CloudFormation Automation Permissions (StackSets)
When using AWS Organizations for automation, StackSets require additional permissions for delegated deployment.
StackSetsDelegationPermissions.json
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStackInstances",
"cloudformation:UpdateStackInstances",
"cloudformation:DeleteStackInstances",
"organizations:ListAccounts",
"organizations:DescribeOrganization"
],
"Resource": "*"
}
Terraform Automation Permissions (Optional)
When using Terraform for organization-wide deployment instead of CloudFormation, ensure the execution identity (user or CI/CD role) has the following permissions:
TerraformDelegationPermissions.json
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"sns:Publish",
"cloudformation:DescribeStacks"
],
"Resource": "*"
}
Security and Compliance Summary
| Category | Description |
|---|---|
| Principle of Least Privilege | SailPoint Entro’s AWS integrations only include discovery-level permissions. |
| No Write Operations | SailPoint Entro never modifies or deletes AWS resources. |
| Data Handling | No secret plaintext leaves your AWS environment. |
| Encryption | All requests use HTTPS/TLS and signed AWS API calls. |
| Logging | All AWS actions are logged in CloudTrail. |
Validation Checklist
| Validation Item | Description |
|---|---|
| IAM Role Exists | EntroAWSIntegrationRole visible under IAM Roles |
| Policy Attached | EntroReadOnlyAccess applied correctly |
| Trust Relationship | External ID and SailPoint Entro Account ID verified |
| CloudTrail Access (optional) | Bucket policy includes s3:GetObject & s3:ListBucket |