Skip to content

AWS Troubleshooting and Validation

This section outlines verification procedures and troubleshooting steps for AWS integrations in SailPoint Entro. Use it to confirm successful setup or to resolve common onboarding and synchronization issues.


Overview

After integrating AWS, SailPoint Entro performs continuous sync and health validation. The following checks and commands help you verify the connection and fix configuration issues.


Validation Checklist

Validation Item Expected Result Verification Location
AWS Account shows as Active Integration status = “Active” SailPoint Entro Dashboard → Integrations → AWS
Secrets discovered Secrets appear under Inventory → Secrets SailPoint Entro Dashboard
NHIs discovered NHIs appear under Inventory → NHIs SailPoint Entro Dashboard
IAM Policy attached EntroReadOnlyAccess attached to EntroRoleAWS role AWS Console → IAM → Roles
Trust relationship valid SailPoint Entro AWS Account ID + External ID configured AWS Console → IAM → Role → Trust Relationships
CloudTrail connected (optional) CloudTrail status = “Connected” SailPoint Entro Dashboard → Integrations → AWS → CloudTrail
Logs visible in S3 AWSLogs folder populated AWS Console → S3

  1. Verify Role Assumption

    Use the AWS CLI to confirm that SailPoint Entro can assume the integration role.

    aws sts assume-role   --role-arn arn:aws:iam::<account-id>:role/EntroAWSIntegrationRole   --role-session-name EntroValidationTest
    

    If successful, you’ll receive a temporary security token. If not, review the trust relationship JSON and ensure the external ID matches.

  2. Confirm IAM Permissions

    Simulate permissions for SailPoint Entro’s role:

    aws iam simulate-principal-policy   --policy-source-arn arn:aws:iam::<account-id>:role/EntroAWSIntegrationRole   --action-names secretsmanager:ListSecrets ssm:GetParameter kms:DescribeKey
    

    All actions should return "allowed": true.

  3. Check CloudFormation Stack (Automatic Setup)

    For CloudFormation-based integrations:

    • Go to AWS Console → CloudFormation → Stacks.

    • Locate the stack name (e.g., Entro-AWS-Integration).

    • Confirm stack status = CREATE_COMPLETE.

    • Review the Resources tab to verify IAM Role and Policy creation.

    Common Issues and Fixes

    Symptom Likely Cause Resolution
    Integration not appearing in SailPoint Entro Role ARN incorrect Copy correct ARN from AWS IAM console
    STS AssumeRole failed Missing trust relationship or wrong external ID Update trust JSON in IAM Role
    No secrets detected Policy missing required actions Ensure secretsmanager:ListSecrets and ssm:GetParameter are present
    CloudTrail access denied Missing S3 read permissions Add s3:GetObject and s3:ListBucket to the policy
    Sync incomplete Network timeout or blocked endpoint Allow outbound HTTPS to api.entro.security
    Duplicate AWS accounts Integration added multiple times Remove redundant integration in SailPoint Entro
  4. Review Logs and API Responses

    SailPoint Entro logs each synchronization attempt. Review these locations:

    • SailPoint Entro Dashboard → Integrations → AWS → Logs

    • Activity → System Logs (for detailed sync attempts)

  5. AWS CloudTrail Verification

    To confirm that SailPoint Entro has read access to your CloudTrail S3 bucket:

    • Navigate to CloudTrail → Event History.

    • Search for EventName = AssumeRole.

    • Confirm that the Principal corresponds to SailPoint Entro’s AWS Account ID.

    • Verify log delivery frequency matches expected cadence.


Advanced Validation (Optional)

AWS CLI Secret Listing Test

Run the following command under your SailPoint Entro-assumed role:

aws secretsmanager list-secrets --max-items 5

Expected result: a JSON list of secret metadata (not secret values).

AWS CloudTrail Log Check

aws s3 ls s3://<cloudtrail-logs-bucket>/AWSLogs/<account-id>/CloudTrail/

Expected result: timestamped log folders for recent events.


Network Requirements

Component Endpoint Port Protocol
SailPoint Entro API api.entro.security 443 HTTPS
AWS API (STS, IAM, SSM, Secrets Manager) *.amazonaws.com 443 HTTPS

Security Reminder

SailPoint Entro performs all actions using temporary STS credentials. No long-term keys are stored, and all requests are encrypted over HTTPS/TLS.