AWS Troubleshooting and Validation
This section outlines verification procedures and troubleshooting steps for AWS integrations in SailPoint Entro. Use it to confirm successful setup or to resolve common onboarding and synchronization issues.
Overview
After integrating AWS, SailPoint Entro performs continuous sync and health validation. The following checks and commands help you verify the connection and fix configuration issues.
Validation Checklist
| Validation Item | Expected Result | Verification Location |
|---|---|---|
| AWS Account shows as Active | Integration status = “Active” | SailPoint Entro Dashboard → Integrations → AWS |
| Secrets discovered | Secrets appear under Inventory → Secrets | SailPoint Entro Dashboard |
| NHIs discovered | NHIs appear under Inventory → NHIs | SailPoint Entro Dashboard |
| IAM Policy attached | EntroReadOnlyAccess attached to EntroRoleAWS role |
AWS Console → IAM → Roles |
| Trust relationship valid | SailPoint Entro AWS Account ID + External ID configured | AWS Console → IAM → Role → Trust Relationships |
| CloudTrail connected (optional) | CloudTrail status = “Connected” | SailPoint Entro Dashboard → Integrations → AWS → CloudTrail |
| Logs visible in S3 | AWSLogs folder populated | AWS Console → S3 |
-
Verify Role Assumption
Use the AWS CLI to confirm that SailPoint Entro can assume the integration role.
aws sts assume-role --role-arn arn:aws:iam::<account-id>:role/EntroAWSIntegrationRole --role-session-name EntroValidationTestIf successful, you’ll receive a temporary security token. If not, review the trust relationship JSON and ensure the external ID matches.
-
Confirm IAM Permissions
Simulate permissions for SailPoint Entro’s role:
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:role/EntroAWSIntegrationRole --action-names secretsmanager:ListSecrets ssm:GetParameter kms:DescribeKeyAll actions should return
"allowed": true. -
Check CloudFormation Stack (Automatic Setup)
For CloudFormation-based integrations:
-
Go to AWS Console → CloudFormation → Stacks.
-
Locate the stack name (e.g.,
Entro-AWS-Integration). -
Confirm stack status =
CREATE_COMPLETE. -
Review the Resources tab to verify IAM Role and Policy creation.
Common Issues and Fixes
Symptom Likely Cause Resolution Integration not appearing in SailPoint Entro Role ARN incorrect Copy correct ARN from AWS IAM console STS AssumeRole failed Missing trust relationship or wrong external ID Update trust JSON in IAM Role No secrets detected Policy missing required actions Ensure secretsmanager:ListSecretsandssm:GetParameterare presentCloudTrail access denied Missing S3 read permissions Add s3:GetObjectands3:ListBucketto the policySync incomplete Network timeout or blocked endpoint Allow outbound HTTPS to api.entro.securityDuplicate AWS accounts Integration added multiple times Remove redundant integration in SailPoint Entro -
-
Review Logs and API Responses
SailPoint Entro logs each synchronization attempt. Review these locations:
-
SailPoint Entro Dashboard → Integrations → AWS → Logs
-
Activity → System Logs (for detailed sync attempts)
-
-
AWS CloudTrail Verification
To confirm that SailPoint Entro has read access to your CloudTrail S3 bucket:
-
Navigate to CloudTrail → Event History.
-
Search for
EventName = AssumeRole. -
Confirm that the Principal corresponds to SailPoint Entro’s AWS Account ID.
-
Verify log delivery frequency matches expected cadence.
-
Advanced Validation (Optional)
AWS CLI Secret Listing Test
Run the following command under your SailPoint Entro-assumed role:
Expected result: a JSON list of secret metadata (not secret values).
AWS CloudTrail Log Check
Expected result: timestamped log folders for recent events.
Network Requirements
| Component | Endpoint | Port | Protocol |
|---|---|---|---|
| SailPoint Entro API | api.entro.security |
443 | HTTPS |
| AWS API (STS, IAM, SSM, Secrets Manager) | *.amazonaws.com |
443 | HTTPS |
Security Reminder
SailPoint Entro performs all actions using temporary STS credentials. No long-term keys are stored, and all requests are encrypted over HTTPS/TLS.