Skip to content

Configuring AWS Manually

If you do not have access to CloudFormation, you can manually add AWS accounts within your organization.

Warning

SailPoint strongly recommends using CloudFormation templates to collect resources from all AWS accounts with AWS Organizations or collect resource and activity data for a single AWS account. Connecting AWS manually can leave gaps in your data by potentially missing AWS accounts in your cloud infrastructure.

Collecting AWS Resources Manually

You must create an identity and access management role on your Amazon Web Services source account where you will attach the policy defining what data SailPoint CIEM can read. If you are using manual IAM roles with an AWS organization, you must repeat this process to create a role in each subaccount.

  1. Sign in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create role.

  4. Select AWS account and choose the Custom trust policy option.

    AWS selected trust policy tab with Custom trust policy selected

  5. Paste the following code in the Custom trust policy window, replacing <externalId> with the external ID provided by SailPoint in the Connection Settings section of the CIEM AWS source:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
    {
   "Version": "2012-10-17",
   "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
               "AWS": [
                  "arn:aws:iam::874540850173:role/ciem_universal"
               ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
               "StringEquals": {
                  "sts:ExternalId": "<externalId>(1)"
            }
         }
      }
   ]
}
    1. Replace with your external ID.
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
    {
   "Version": "2012-10-17",
   "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
               "AWS": [
                  "arn:aws:iam::229634586956:role/ciem_universal"
               ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
               "StringEquals": {
                  "sts:ExternalId": "<externalId>(1)"
            }
         }
      }
   ]
}
    1. Replace with your external ID.

  6. Confirm the trust policy contains the correct role ARN:

    • arn:aws:iam::874540850173:role/ciem_universal for Commercial accounts
    • arn:aws-us-gov:iam::229634586956:role/ciem_universal for GovCloud accounts

  7. Select the Require external ID option and enter the external ID provided by SailPoint. This can be found in the Connection Settings of the CIEM AWS source.

  8. Select Next. You will be taken to the Add Permissions section.

  9. Select Create policy and choose the JSON tab.

  10. Replace the JSON text with the minimum required permissions.

  11. Select Next: Tags. Tags are optional.

  12. Select Next: Review. Enter an appropriate name and description for the role.

  13. Select Create policy. The new policy will be displayed in the list of IAM policies.

  14. Select the checkbox next to the new policy and select Next.

  15. Enter a role name and details. Review the information and select Create Role. You will be redirected to the Roles page.

  16. Search for and select the new role to find its Role ARN. You will need this ARN to connect your AWS source accounts with SailPoint CIEM.

  17. If you are creating manual IAM roles to work in an AWS organization, repeat the IAM role creation process for each subaccount.

    Caution

    • If you do not include a new role in every subaccount, you may have gaps in your data.
    • All roles must use the same external ID provided by SailPoint in the Connection Settings of the CIEM AWS source.

Note

To confirm the role is effective, you can test the connection. Follow the directions to connect AWS and SailPoint CIEM, entering the Role ARN, saving, selecting Review and Test, and then testing the connection.

You should verify your configuration before connecting your source.

Collecting AWS Activity Data Manually

SailPoint CIEM uses CloudTrail logs to track the actions taken by a user, role, or AWS service in your AWS account. If you want to enable AWS activity collection, you must create or use a bucket owned by a central management account to send CloudTrail logs to SailPoint CIEM.

Important

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a Certification Campaign. Your certifiers will still see how the resource was accessed, but may not have full activity data details.

To get started, create a managed IAM policy.

Creating a Managed IAM Policy

In order to grant SailPoint CIEM access to your CloudTrail events, you must create a managed IAM policy.

Note

If you do not already have a CloudTrail bucket, refer to Configuring a CloudTrail Bucket.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy.

  3. Add the following permissions to the JSON file, editing the name of the CloudTrail bucket:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
    { 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": "s3:GetObject", 
            "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*(1)" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "s3:GetBucketLocation", 
                "s3:ListBucket" 
            ], 
            "Resource": "arn:aws:s3:::YourCloudtrailBucketName(2)" 
        } 
    ] 
}
    1. Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.
    2. Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
    { 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": "s3:GetObject", 
            "Resource": "arn:aws-us-gov:s3:::YourCloudtrailBucketName/*(1)" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "s3:GetBucketLocation", 
                "s3:ListBucket" 
            ], 
            "Resource": "arn:aws-us-gov:s3:::YourCloudtrailBucketName(2)" 
        } 
    ] 
}
    1. Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.
    2. Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.

  4. Select Review policy. Enter a name and optional description.

  5. Select Create policy. This directs you to the policy overview page.
  6. Select the radio button next to the policy name.
  7. Select the Policy actions dropdown menu and choose Attach to attach the policy to users, groups, or roles in your accounts. IAM Policy Actions menu expanded with Attach and Delete options available.
  8. Select Attach policy to assign the new managed policy to the role you created previously.

After you've created a role with sufficient permissions, you will enable CloudTrail event processing and log delivery.

Enabling CloudTrail Logging

SailPoint CIEM reads AWS account activity data through a CloudTrail trail. You can use an existing CloudTrail Amazon Resource Name (ARN) or create one at the organization or account level. Up to 150 CloudTrails can be used with Identity Security Cloud.

Ensure you've met the following requirements:

Warning

To avoid Amazon Web Services costs, enable only management events in your organization's CloudTrail. If you enable all events or create a new organization trail, you will incur costs. Refer to the CloudTrail pricing for more details.

To enable CloudTrail logging:

  1. In the AWS Management console, select Services and search for "CloudTrail".
  2. Select Trails.

  3. Select the trail name you want to use or select Create trail to create an S3 bucket for your CloudTrail logs.

    Cloud trails screen with list of trails and option to create a trail.

  4. Under Storage location, you can select Create new S3 bucket or select an existing S3 bucket.

    Note

    Save your CloudTrail name as you'll need it to register your AWS source cloud accounts.

  5. Expand Additional settings.

  6. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket.
  7. Complete your trail configuration and select Create trail.

  8. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

    Table of 3 trails. The status column contains green check marks for 2 trails and Off for the third.

  9. Select Save changes.

Configuring a CloudTrail Bucket

You will set up CloudFormation in the accounts falling under the Management Logging Account and add the following policy to the bucket owned by that account.

  1. In the AWS Console, search for or select S3.
  2. Search for and select the Management Logging Account bucket you want the CloudTrail logs to be sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

    Bucket policy editor for a trail containing JSON text.

  4. In the policy editor, append the following JSON text to the policy: 

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",

            "Principal": {
                "AWS": "arn:aws:iam::874540850173:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>/*(1)"
    },
    {
        "Sid": "Stmt2",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::874540850173:root"
        },
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>(2)"
    }
    ]            
}
    1. Replace <central-cloud-trail-bucket> with your bucket name.
    2. Replace <central-cloud-trail-bucket> with your bucket name.
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",

            "Principal": {
                "AWS": "arn:aws-us-gov:iam::229634586956:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws-us-gov:s3:::<central-cloud-trail-bucket>/*(1)"
    },
    {
        "Sid": "Stmt2",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws-us-gov:iam::229634586956:root"
        },
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Resource": "arn:aws-us-gov:s3:::<central-cloud-trail-bucket>(2)"
    }
    ]            
}
    1. Replace <central-cloud-trail-bucket> with your bucket name.
    2. Replace <central-cloud-trail-bucket> with your bucket name.

  5. Replace the 2 instances of <central-cloud-trail-bucket> with your bucket name.

  6. Confirm you are using the correct AWS ARN for your Commercial or GovCloud account.

    • Commercial accounts: "arn:aws:iam::874540850173:root"
    • GovCloud accounts: "arn:aws-us-gov:iam::229634586956:root"

  7. Repeat this configuration for all buckets targeted by CloudTrail trails.

  8. If you are using a custom KMS key, you must add the following to the KMS key policy associated with the CloudTrail:

    1
2
3
4
5
6
7
8
9
     {
  "Sid": "Allow ciem collector decrypt",
  "Effect": "Allow",
  "Principal": {
      "AWS": "arn:aws:iam::874540850173:root"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}

    1
2
3
4
5
6
7
8
9
     {
  "Sid": "Allow ciem collector decrypt",
  "Effect": "Allow",
  "Principal": {
      "AWS": "arn:aws:iam::229634586956:root"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}

    Refer to the AWS Documentation on changing a key policy for more information.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.