Configuring Amazon Web Services

SailPoint CIEM collects data on access paths and how networks, objects, and identities could gain access to your organization's Amazon Web Services (AWS) cloud resources. You'll need to give SailPoint CIEM read-only access to your AWS infrastructure to create an inventory and optionally read activity data in your CloudTrail bucket.

SailPoint provides CloudFormation templates to automate the role and policy creation for AWS Organizations and single AWS source accounts.

Alternatively, you can configure AWS manually, but this is discouraged: a hand-built role that omits a permission leaves gaps in the collected data.

When you have completed and verified your configuration, you can connect your AWS account with SailPoint CIEM.

Collected AWS Resources and Activity

SailPoint's AWS account assumes an AWS role in your account with sufficient permissions to read and list resource metadata and to collect activity data. The role is used to collect:

  • IAM users, groups, and policies
  • Identity Center users, groups, and permission sets
  • Cloud resources like EC2, S3, and Functions
  • CloudTrail logs of all activity in AWS
  • SNS
  • S3
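The role above is a cross-account role: a principal in SailPoint's account calls sts:AssumeRole against it. The two things worth checking before you connect the account are that the trust policy can only be used by the intended account with the expected external ID, and that the permissions policy is genuinely read-only, with object reads limited to the CloudTrail bucket. The following is an added example of such a pre-connection check; it is not SailPoint's CloudFormation template or code. The account ID, external ID, bucket name and the specific IAM actions in the hardened policy are placeholders chosen for illustration, not the set SailPoint's template grants.

```python
"""Static checks for a cross-account, read-only collector role.

Added example: the policy documents below are constructed samples (a weak
hand-written role next to a hardened one). The account ID, external ID and
bucket name are placeholders, not SailPoint values.
"""

# Placeholders (hypothetical): the collector's AWS account, the external ID the
# CIEM tenant shows you, and the bucket CloudTrail delivers to.
COLLECTOR_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"
TRAIL_BUCKET = "my-org-cloudtrail"

# Action verbs treated as read-only. cloudtrail:LookupEvents is a read.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(doc, collector_account, external_id):
    """Problems with the role's trust (assume-role) policy."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws:
            findings.append("trust: any AWS principal may assume the role")
        else:
            for p in aws:
                if collector_account not in p:
                    findings.append(f"trust: unexpected principal {p}")
        # Without an ExternalId condition, any customer of the collector's
        # account could point it at your role (confused deputy).
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("trust: sts:ExternalId condition missing or wrong")
    return findings


def permission_findings(doc, trail_bucket):
    """Problems with the role's permissions policy: anything that is not a read."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("perm: NotAction grants everything not listed; review by hand")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"perm: wildcard action {action}")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"perm: non-read action {action}")
        # Object reads should be scoped to the CloudTrail bucket, not every bucket.
        if any(a.startswith("s3:GetObject") for a in actions):
            for r in resources:
                if not r.startswith(f"arn:aws:s3:::{trail_bucket}"):
                    findings.append(f"perm: s3:GetObject on {r}; expected the CloudTrail bucket only")
    return findings


def audit_role(trust_doc, perms_doc, collector_account=COLLECTOR_ACCOUNT,
               external_id=EXTERNAL_ID, trail_bucket=TRAIL_BUCKET):
    """All findings for a role; an empty list means the role passed both checks."""
    return (trust_policy_findings(trust_doc, collector_account, external_id)
            + permission_findings(perms_doc, trail_bucket))


# Constructed sample: a manually written role that trusts the right account but
# has no external ID, and grants iam:* plus GetObject on every bucket.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{COLLECTOR_ACCOUNT}:root"}}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}]}

# Constructed sample: the hardened equivalent (illustrative action list).
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{COLLECTOR_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
HARDENED_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:GetAccountAuthorizationDetails", "iam:ListUsers", "iam:ListGroups",
        "sso:ListPermissionSets", "identitystore:ListUsers", "ec2:DescribeInstances",
        "lambda:ListFunctions", "s3:ListAllMyBuckets", "cloudtrail:DescribeTrails",
        "cloudtrail:LookupEvents"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{TRAIL_BUCKET}", f"arn:aws:s3:::{TRAIL_BUCKET}/*"]}]}

if __name__ == "__main__":
    for name, t, p in (("weak", WEAK_TRUST, WEAK_PERMS), ("hardened", HARDENED_TRUST, HARDENED_PERMS)):
        print(name, audit_role(t, p) or "OK")
```

Run it against the trust and permissions documents of the role you actually created (for example the output of `aws iam get-role` and `aws iam get-role-policy`); the check is deliberately strict, so an action that is a read but does not start with Get/List/Describe/Lookup should be added to READ_ONLY_PREFIXES rather than waved through.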
