Skip to content

IAM Policy Creation Steps

This section outlines how to create the EntroReadOnlyAccess policy required for SailPoint Entro to securely connect to your AWS environment using least-privilege permissions.

AWS Console → IAM → Policies → Create Policy → JSON Tab

Overview

The policy grants SailPoint Entro read-only access to the relevant AWS services. This ensures that SailPoint Entro can discover and monitor secrets without having permissions to modify or delete resources.

  1. Create a New Policy

    • Sign in to the AWS Management Console.

    • Navigate to IAM → Policies → Create Policy.

    • Select the JSON tab and replace any existing text with the policy below.

  2. Review and Name the Policy

    • Choose Next: Tags (optional).

    • Choose Next: Review.

    • Enter the following details:

      • Name: EntroReadOnlyAccess

      • Description: Provides read-only access for SailPoint Entro integration.

    • Click Create Policy.

  3. Verify the Policy

    After creation, confirm the policy exists in IAM:

    • Navigate to IAM → Policies.

    • Search for EntroReadOnlyAccess.

    • Confirm that the policy ARN matches the expected format: arn:aws:iam::<account-id>:policy/EntroReadOnlyAccess.

IAM Policy

EntroReadOnlyAccess policy.json

{
  "Version": "2012-10-17",
  "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "secretsmanager:ListSecrets",
                    "secretsmanager:TagResource",
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ValidateResourcePolicy",
                    "secretsmanager:ListSecretVersionIds",
                    "kms:DescribeKey",
                    "kms:ListAliases",
                    "kms:ListKeys",
                    "EC2:Get*",
                    "EC2:Describe*",
                    "EC2:List*",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetEventSelectors",
                    "cloudtrail:LookupEvents",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStacks",
                    "lambda:ListFunctions",
                    "lambda:GetFunction",
                    "iam:Get*",
                    "iam:List*",
                    "iam:GenerateServiceLastAccessedDetails",
                    "rds:Describe*",
                    "rds:ListTagsForResource",
                    "ssm:ListCommands",
                    "ssm:ListDocumentVersions",
                    "ssm:ListDocumentMetadataHistory",
                    "ssm:DescribeMaintenanceWindowSchedule",
                    "ssm:DescribeInstancePatches",
                    "ssm:ListInstanceAssociations",
                    "ssm:GetParameter",
                    "ssm:GetMaintenanceWindowExecutionTaskInvocation",
                    "ssm:DescribeAutomationExecutions",
                    "ssm:GetMaintenanceWindowTask",
                    "ssm:DescribeMaintenanceWindowExecutionTaskInvocations",
                    "ssm:DescribeAutomationStepExecutions",
                    "ssm:ListOpsMetadata",
                    "ssm:DescribeParameters",
                    "ssm:ListResourceDataSync",
                    "ssm:ListDocuments",
                    "ssm:DescribeMaintenanceWindowsForTarget",
                    "ssm:ListComplianceItems",
                    "ssm:GetConnectionStatus",
                    "ssm:GetMaintenanceWindowExecutionTask",
                    "ssm:GetOpsItem",
                    "ssm:GetMaintenanceWindowExecution",
                    "ssm:ListResourceComplianceSummaries",
                    "ssm:GetParameters",
                    "ssm:GetOpsMetadata",
                    "ssm:ListOpsItemRelatedItems",
                    "ssm:DescribeOpsItems",
                    "ssm:DescribeMaintenanceWindows",
                    "ssm:DescribeEffectivePatchesForPatchBaseline",
                    "ssm:GetServiceSetting",
                    "ssm:DescribeAssociationExecutions",
                    "ssm:DescribeDocumentPermission",
                    "ssm:ListCommandInvocations",
                    "ssm:GetAutomationExecution",
                    "ssm:DescribePatchGroups",
                    "ssm:GetDefaultPatchBaseline",
                    "ssm:DescribeDocument",
                    "ssm:DescribeMaintenanceWindowTasks",
                    "ssm:ListAssociationVersions",
                    "ssm:GetPatchBaselineForPatchGroup",
                    "ssm:PutConfigurePackageResult",
                    "ssm:DescribePatchGroupState",
                    "ssm:DescribeMaintenanceWindowExecutions",
                    "ssm:GetManifest",
                    "ssm:DescribeMaintenanceWindowExecutionTasks",
                    "ssm:DescribeInstancePatchStates",
                    "ssm:DescribeInstancePatchStatesForPatchGroup",
                    "ssm:GetDocument",
                    "ssm:GetInventorySchema",
                    "ssm:GetParametersByPath",
                    "ssm:GetMaintenanceWindow",
                    "ssm:DescribeInstanceAssociationsStatus",
                    "ssm:DescribeAssociationExecutionTargets",
                    "ssm:GetPatchBaseline",
                    "ssm:DescribeInstanceProperties",
                    "ssm:ListInventoryEntries",
                    "ssm:DescribeAssociation",
                    "ssm:ListOpsItemEvents",
                    "ssm:GetDeployablePatchSnapshotForInstance",
                    "ssm:DescribeSessions",
                    "ssm:GetParameterHistory",
                    "ssm:DescribeMaintenanceWindowTargets",
                    "ssm:DescribePatchBaselines",
                    "ssm:DescribeEffectiveInstanceAssociations",
                    "ssm:DescribeInventoryDeletions",
                    "ssm:DescribePatchProperties",
                    "ssm:GetInventory",
                    "ssm:GetOpsSummary",
                    "ssm:DescribeActivations",
                    "ssm:GetCommandInvocation",
                    "ssm:ListComplianceSummaries",
                    "ssm:DescribeInstanceInformation",
                    "ssm:ListTagsForResource",
                    "ssm:DescribeDocumentParameters",
                    "ssm:GetCalendar",
                    "ssm:ListAssociations",
                    "ssm:GetCalendarState",
                    "ssm:DescribeAvailablePatches",
                    "lambda:ListVersionsByFunction",
                    "lambda:GetLayerVersion",
                    "lambda:GetAccountSettings",
                    "lambda:GetFunctionConfiguration",
                    "lambda:GetLayerVersionPolicy",
                    "lambda:ListProvisionedConcurrencyConfigs",
                    "lambda:GetProvisionedConcurrencyConfig",
                    "lambda:ListTags",
                    "lambda:ListLayerVersions",
                    "lambda:ListLayers",
                    "lambda:ListCodeSigningConfigs",
                    "lambda:GetAlias",
                    "lambda:ListFunctions",
                    "lambda:GetEventSourceMapping",
                    "lambda:GetFunction",
                    "lambda:ListAliases",
                    "lambda:GetFunctionUrlConfig",
                    "lambda:ListFunctionUrlConfigs",
                    "lambda:GetFunctionCodeSigningConfig",
                    "lambda:ListFunctionEventInvokeConfigs",
                    "lambda:ListFunctionsByCodeSigningConfig",
                    "lambda:GetFunctionConcurrency",
                    "lambda:GetFunctionEventInvokeConfig",
                    "lambda:ListEventSourceMappings",
                    "lambda:GetCodeSigningConfig",
                    "lambda:GetPolicy",
                    "eks:ListNodegroups",
                    "eks:DescribeFargateProfile",
                    "eks:ListTagsForResource",
                    "eks:ListAddons",
                    "eks:DescribeAddon",
                    "eks:ListFargateProfiles",
                    "eks:DescribeNodegroup",
                    "eks:DescribeIdentityProviderConfig",
                    "eks:ListUpdates",
                    "eks:DescribeUpdate",
                    "eks:AccessKubernetesApi",
                    "eks:DescribeCluster",
                    "eks:ListClusters",
                    "eks:DescribeAddonVersions",
                    "eks:ListIdentityProviderConfigs",
                    // Optional permissions to support future feature
                    // This will allow gathering better context about accounts and NHIs
                    "organizations:ListAccounts",
                    "sso:ListInstances",
                    "identitystore:ListUsers",
                    "identitystore:ListGroupMembershipsForMember","sso:ListPermissionSets",
                    "sso:GetInlinePolicyForPermissionSet",
                    "sso:ListManagedPoliciesInPermissionSet",
                    "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                    "sso:DescribePermissionSet",
                    "sso:DescribePermissionSet",
                    "sso:ListAccountsForProvisionedPermissionSet",
                    "sso:ListAccountAssignments",
                    "sso:ListManagedPoliciesInPermissionSet",
                    "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                    "sso:ListInstances",
                    "sso:ListPermissionSets",
                    "identitystore:DescribeUser",
                    // Bedrock AI
                    "bedrock-agentcore:List*",
                    "bedrock-agentcore:Get*",
                    "bedrock:List*",
                    "bedrock:Get*"
                    // Zero Trust Prevention
                    "iam:GetUserPolicy",
                    "iam:PutUserPolicy",
                    "iam:DeleteUserPolicy",
                    "iam:GetLoginProfile"
                  ],
      "Resource": "*"
    }
  ]
}

Security Principle

The EntroReadOnlyAccess policy adheres to the least privilege model:

  • No write or delete actions permitted.
  • No access to resource content beyond metadata and secret identifiers.
  • Only discovery-level visibility for inventory synchronization.