Skip to content

Connecting AWS Automatically

SailPoint provides CloudFormation templates to automate the creation of IAM roles and policies, a CloudTrail trail, and an S3 Bucket. Different templates versions are available depending on your configuration preference and existing infrastructure.

Choose your next step based on your configuration

Collecting Data from All AWS Accounts

SailPoint CIEM collects resources across all AWS Accounts in an Organization in two steps: it first lists all AWS Accounts using the management account role with organization permissions, then assumes a role in each member account with the same role name and external ID.

SailPoint offers CloudFormation templates to create identical roles with minimum permissions in each member account and create the primary role in the management account with the minimum organization permissions for listing AWS accounts, as well as Identity Center aggregation permissions.

You will first enable inventory collection in all accounts. You can then choose to include activity data in your SailPoint CIEM tenant.

Collecting Resources from All AWS Accounts

To enable inventory collection in all accounts:

  1. Follow the AWS directions to create a stack set with service-managed permissions.

  2. Upload the appropriate template:

    commercial-inventory-collection.json

    gov-inventory-collection.json

  3. Under Deployment regions select a single region. Because IAM resources are account-level objects, they should not be created per region.

This creates a role and policy with sufficient privileges in all member accounts to read data from your AWS cloud. You can then collect activity data from all AWS accounts.

Collecting Activity Data from All AWS Accounts

SailPoint CIEM collects the activity of AWS users by reading CloudTrail logs. Enabling activity collection is optional.

  1. Follow the AWS directions to create a stack in the root management account where logs are captured.

  2. Upload the appropriate template:

    commercial-activity-collection.json

    gov-activity-collection.json

This process creates a role and policies with minimum privileges in the management account to:

  • Read activity data from the bucket
  • Read Identity Center data
  • Provision Identity Center Data (not read-only)
  • Create an in-line policy on the role for reading resource data from your AWS cloud

Important

Some AWS activity cannot be collected by SailPoint CIEM due to CloudTrail logs missing the Resource attribute necessary to associate a user's actions to a resource. Certifiers reviewing the last activity on an AWS resource in a Certification Campaign will still see how the resource was accessed, but might not have full activity data details.

You should verify your configuration before connecting your source.

Collecting Data from Single AWS Accounts

If you prefer to connect CIEM to a single AWS account, SailPoint provides CloudFormation templates to create the role, and optionally create a CloudTrail and bucket depending on existing activity collection infrastructure. The role, cloudtrail, and bucket must all exist in the configured account.

Important

Some AWS activity cannot be collected by SailPoint CIEM due to CloudTrail logs missing the Resource attribute necessary to associate a user's actions to a resource. Certifiers reviewing the last activity on an AWS resource in a Certification Campaign will still see how the resource was accessed, but might not have full activity data details.

Collecting Resources from Single AWS Accounts

To enable inventory collection in single accounts:

  1. Follow the AWS directions to create a stack, choosing With new resources (standard).

  2. Upload the appropriate template:

    commercial-inventory-collection.json

    gov-inventory-collection.json

  3. Under Deployment regions select a single region. Because IAM resources are account-level objects, they should not be created per region.

This creates a role and policy with sufficient privileges in this account to read data from your AWS cloud. You can then choose to collect activity data from the AWS account.

Collecting Activity Data from Single AWS Accounts

  1. Follow the AWS directions to create a stack, choosing With new resources (standard).

  2. Upload the appropriate template:

    Use Case Template
    Create a role to use with an existing CloudTrail and S3 bucket commercial-activity-collection-existing-cloudtrail.json
    Create a role and CloudTrail to use with an existing S3 Bucket commercial-activity-collection-new-cloudtrail-and-existing-bucket.json
    Create a role, CloudTrail, and S3 bucket commercial-activity-collection-new-cloudtrail-and-bucket.json
    Use Case Template
    Create a role to use with an existing CloudTrail and S3 bucket gov-activity-collection-existing-cloudtrail.json
    Create a role and CloudTrail to use with an existing S3 Bucket gov-activity-collection-new-cloudtrail-and-existing-bucket.json
    Create a role, CloudTrail, and S3 bucket gov-activity-collection-new-cloudtrail-and-bucket.json

  3. Name your bucket.

    • If you are using an existing S3 bucket, enter the name in the BucketName field. This can be found in the S3 bucket column of your Trails.
    • If you are creating an S3 bucket, name the bucket for collecting CloudTrail logs.

  4. In the external ID field, paste the external ID provided by SailPoint. This can be found in the Connection Settings section of the CIEM AWS source.

  5. The template populates the other fields. Continue using the stack wizard, setting the Stack failure option to Roll back all stack resources.

  6. Complete the setup and select Create stack.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.