Skip to content

Managing AWS Cloud Accounts and Entitlements

To display your AWS entitlement data, you must mark supported entitlements as cloud enabled.

Supported Entitlement Types

You can use the following AWS and AWS Identity Center entitlements:

  • Groups
  • AWSManagedPolicy
  • CustomerManagedPolicy
  • InlinePolicy
  • Groups
  • AccountPermissionSet

The CIEM AWS source aggregates AWS Identity Center accounts and entitlements.

Viewing Identity Center Accounts and Entitlements

After you've aggregated your source, you can view the collected Identity Center users on the Accounts tab of the CIEM AWS source.

SailPoint CIEM uses the AWS Identity Center Groups and AccountPermissionSet entitlements to identify cloud access. If you enabled native change detection, your AWS accounts will be scanned for changes made out-of-band.

Note

Not all fields apply to Identity Center users.

Attribute Type Description
UserName string The friendly name of the user
UserId string The unique ID of the user
Path string Path to the user
ARN string Amazon Resource Name of the user
CreatedDate string User Creation date
ConsoleAccess string Password Status
Access Keys string Access keys associated with the user
AWS CodeCommit HTTPS Credentials string AWS CodeCommit HTTPS Git credentials associated with the user
AWS CodeCommit SSH Keys string AWS CodeCommit SSH public keys associated with the user
Signing Certificates string Signing Certificates associated with the user
AccountType string Account is either Federated, Local Federated or Local
AWSAccountSet string (multi-valued) AWS Accounts this User has access to
DisplayName string User friendly display name
Email string User email

While the schemas match, the account ID displayed on the CIEM AWS source is the account ID associated with a user's AWS Identity Center access, not their AWS IAM ARN.

Identity Store APIs

SailPoint CIEM calls the following Identity Store and Identity Store SSO APIs:

  • ListUsers
  • ListGroups
  • ListGroupMemberships
  • ListInstances
  • ListPermissionSets
  • DescribePermissionSet
  • ListAccountsForProvisionedPermissionSet
  • ListAccountAssignments
  • GetInlinePolicyForPermissionSet
  • GetPermissionsBoundaryForPermissionSet
  • ListManagedPoliciesInPermissionSet
  • ListCustomerManagedPolicyReferencesInPermissionSet

Viewing Identity Center Entitlements

After you've aggregated your source, you can view the collected Identity Center entitlements on the Entitlements tab of the CIEM AWS source.

SailPoint CIEM uses the AWS Identity Center Groups and AccountPermissionSet entitlements to identify cloud access. They are comprised of the following schemas:

Identity Center Group Schema

Attribute Type Description
GroupId string The Unique Identifier for the group
GroupName string The display name of the group
GroupType string Group is either Federated, Local Federated, or Local

AccountPermissionSet Schema

Attribute Type Description
AWSAccountName string The Account Name of associated AWS account
AWSAccountId string The Account Id of the associated AWS account
AccountPermissionSetId string Unique Id for the entitlement
PermissionSetName string The Name of the Permission Set associated with this assignment
DisplayName string The Display name for the AccountPermissionSet
Permission Set ARN string The ARN of the Permission Set

Marking AWS Cloud-Enabled Entitlement Types

When your entitlements are pulled from your AWS cloud environment, you must mark the AWS IAM entitlement types that relate to cloud access. If you use AWS Identity Center, you must also mark those entitlements as cloud enabled on the CIEM AWS source.

Identifying these entitlements as cloud enabled will display cloud access details for identities with those entitlements. It will also allow certification campaign reviewers to view the cloud access details on cloud entitlements included in certification campaigns for AWS cloud infrastructure users.

Marking AWS IAM Entitlements

On the AWS IAM source, you must mark the supported entitlements as cloud enabled to allow SailPoint CIEM to display the cloud access granted by AWS entitlements.

To mark entitlements as cloud enabled on the AWS IAM source:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the AWS source.
  3. In the Entitlement Management section, select Entitlement Types.
  4. Edit and select the Cloud Enabled checkbox for the following entitlements:

    • Groups
    • AWSManagedPolicy
    • CustomerManagedPolicy
    • InlinePolicy
  5. Select Update.

You can now view an identity's cloud access granted through entitlements and add cloud-based entitlement types to certification campaigns to allow certifiers to view the effective access your AWS IAM users have to your AWS resources.

Important

If you are using AWS Identity Center, you must also mark your AWS Identity Center entitlements as cloud enabled.

Marking AWS Identity Center Entitlements

If you use AWS Identity Center, you must mark the supported Identity Center entitlements as cloud enabled to allow SailPoint CIEM to display the cloud access granted by Identity Center entitlements.

To mark entitlements as cloud enabled on the CIEM AWS source:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the CIEM AWS source.
  3. In the Entitlement Management section, select Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:

    • Groups
    • AccountPermissionSet
  5. Select Update.

ICAccountAssignment Entitlement

SailPoint CIEM previously used the ICAccountAssignment Identity Center entitlement. That has been changed to AccountPermissionSet. You must mark AccountPermissionSet as cloud enabled to continue receiving your Identity Center cloud data.

SailPoint CIEM can now display the effective access users have to your AWS cloud resources.

Provisioning Identity Center Directory Accounts

If you are using the Identity Center directory as your identity source, as opposed to Active Directory or another external IdP, you can provision Identity Center accounts in Identity Security Cloud.

Password provisioning is not supported as the IdentityStore API does not support updating a user’s password. Enabling and disabling accounts is not supported as the IdentityStore API does not support enabling or disabling users.

You can enable Identity Center directory account provisioning in your CIEM AWS source.

Viewing Effective Access to AWS Resources

After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns to allow your certifiers to view cloud access details like the last level of access and type of action taken on the resource.

Notes

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource. Your certifiers will still see how the resource was accessed, but may not have full activity data details.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.