
Configuring Amazon Web Services Cloud

SailPoint CIEM collects data on access paths and how networks, objects, and identities could gain access to your organization's Amazon Web Services cloud resources.

To configure SailPoint CIEM with your Amazon Web Services source, you'll need to give it read-only access to your Amazon Web Services infrastructure to create an inventory and read the usage data in your CloudTrail bucket.

You can add all AWS accounts in your organization or connect a single account using the provided CloudFormation templates. You can also manually connect AWS accounts.

Important

SailPoint recommends adding all organization accounts, as opposed to single accounts, to allow SailPoint CIEM to display the hierarchy of your AWS cloud.

When you have completed your configuration, you should verify it before registering your AWS account with CIEM and IdentityNow.

Configuring a Central CloudTrail Bucket

CIEM uses CloudTrail logs to track the actions taken by a user, role, or AWS service in your AWS account. You must create or use a bucket owned by a central management account to send CloudTrail logs to CIEM.

You can connect up to 150 CloudTrail ARNs to SailPoint CIEM. Every bucket targeted by a trail must carry the following bucket policy.

Important

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a Certification Campaign. Your certifiers will still see how the resource was accessed, but may not have full activity data details.

You will later set up CloudFormation in the accounts under the Management Logging Account. First, add a policy to the bucket owned by that account:

  1. In the AWS Console, search for or select S3.

  2. Search for and select the Management Logging Account bucket you want the cloud trails to be sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

  4. In the bucket policy editor, append the following statements to the Statement array of the existing policy. Do not replace the existing statements; they include the ones that allow CloudTrail to write to the bucket, and removing them stops log delivery. Use the Commercial or GovCloud version to match your account's partition:

    Commercial accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::874540850173:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>/*"
            },
            {
                "Sid": "Stmt2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::874540850173:root"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>"
            }
        ]
    }

    GovCloud accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-us-gov:iam::229634586956:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws-us-gov:s3:::<central-cloud-trail-bucket>/*"
            },
            {
                "Sid": "Stmt2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws-us-gov:iam::229634586956:root"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws-us-gov:s3:::<central-cloud-trail-bucket>"
            }
        ]
    }

  5. Replace both instances of <central-cloud-trail-bucket> with your bucket name. If the existing policy already contains statements with the Sids Stmt1 or Stmt2, give the new statements different Sids; Sids must be unique within a policy.

  6. Confirm you are using the correct AWS ARN for your Commercial or GovCloud account.

    • Commercial accounts: "arn:aws:iam::874540850173:root"
    • GovCloud accounts: "arn:aws-us-gov:iam::229634586956:root"
  7. Repeat this configuration for all buckets targeted by cloud trails.

Once you have configured your CloudTrail bucket policy, SailPoint recommends connecting all accounts at once using AWS Organizations.
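The bucket policy step above says to append the two statements rather than replace the existing policy, which is easy to get wrong in the console editor. The following is an added example, not SailPoint's code or code from this page: it takes an existing bucket policy (a constructed CloudTrail delivery policy stands in for yours), appends the page's two statements in the right partition, and is safe to run twice. The account IDs come from the page; the Sid names, function names and sample policy are assumptions made here.

```python
"""Append the CIEM read statements to an existing CloudTrail bucket policy.

Added example; this is not SailPoint's code or from the page. The account IDs and
the two statements come from the procedure above. The Sid names, function names
and the sample existing policy are constructed here for illustration.
"""
import json
import re

# Partition and SailPoint CIEM account ID per account type (from the page).
CIEM_ACCOUNTS = {
    "commercial": ("aws", "874540850173"),
    "govcloud": ("aws-us-gov", "229634586956"),
}

# S3 bucket names: 3-63 characters of lowercase letters, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def ciem_statements(bucket, account_type="commercial"):
    """Return the page's two statements for `bucket`, in the right partition.

    Sids are renamed from the page's Stmt1/Stmt2 (an assumption) so they cannot
    collide with statements already in the bucket policy; any unique string works.
    """
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    partition, account = CIEM_ACCOUNTS[account_type]
    principal = {"AWS": f"arn:{partition}:iam::{account}:root"}
    return [
        {
            "Sid": "SailPointCIEMGetObject",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "s3:GetObject",
            "Resource": f"arn:{partition}:s3:::{bucket}/*",
        },
        {
            "Sid": "SailPointCIEMListBucket",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
            "Resource": f"arn:{partition}:s3:::{bucket}",
        },
    ]


def merge_bucket_policy(existing_policy, bucket, account_type="commercial"):
    """Return `existing_policy` (a dict, or None for a bucket with no policy)
    with the CIEM statements appended.

    Existing statements, including the ones that let CloudTrail write to the
    bucket, are kept as they are. CIEM statements already present (matched by
    Sid) are replaced, so running this twice does not duplicate them.
    """
    policy = dict(existing_policy or {"Version": "2012-10-17", "Statement": []})
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    new = ciem_statements(bucket, account_type)
    new_sids = {s["Sid"] for s in new}
    policy["Statement"] = [s for s in statements if s.get("Sid") not in new_sids] + new
    policy.setdefault("Version", "2012-10-17")
    return policy


# Constructed sample: a CloudTrail delivery policy of the kind an existing
# trail bucket already carries. Overwriting it would stop log delivery.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::example-central-cloudtrail",
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-central-cloudtrail/AWSLogs/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
}

if __name__ == "__main__":
    merged = merge_bucket_policy(EXISTING_POLICY, "example-central-cloudtrail")
    print(json.dumps(merged, indent=4))  # paste this into the bucket policy editor
```

Fetch the current policy from the console (or with the AWS CLI) into a dict, run it through merge_bucket_policy with your bucket name and account type, and paste the printed result back into the editor. Pass "govcloud" as the account type for GovCloud accounts so both the principal and the resource ARNs use the aws-us-gov partition.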

Connecting AWS Organizations

SailPoint provides CloudFormation templates to grant the permissions required to onboard all accounts using AWS Organizations.

  1. Follow the AWS directions to create a stack set with service-managed permissions.

    This creates a role and policy with sufficient privileges to read data from your AWS cloud.

  2. Follow the AWS directions to create a stack on the root management account.

    • Select Template is ready.

    This describes the resources AWS CloudFormation will include in your stack.

  3. Follow the AWS directions to create a cloud trail at the organizational or account level. You can also use an existing CloudTrail Amazon Resource Name (ARN). You can use up to 150 cloud trails to connect with CIEM.

    Warning

    To avoid unnecessary Amazon Web Services charges, log only management events in your organization's CloudTrail. The first copy of management events is free; data events and additional copies of management events (for example, a second organization trail covering the same accounts) are billed. Refer to the CloudTrail pricing for more details.

You should verify your configuration before connecting your source.

Policy Requirements

If you want to use a custom IAM policy, it must contain the minimum permissions CIEM needs to read your AWS accounts.

The minimum permissions for each type of account follow. Use the Commercial policy for standard AWS accounts and the GovCloud policy, whose API Gateway ARNs use the aws-us-gov partition, for GovCloud accounts.

Commercial accounts:

{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Effect":"Allow",
        "Resource":"*",
        "Action":[
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetEventSelectors",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListTags",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:ListTagsForResource",
            "config:BatchGetAggregateResourceConfig",
            "config:BatchGetResourceConfig",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeGlobalTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListBackups",
            "dynamodb:ListGlobalTables",
            "dynamodb:ListStreams",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:Describe*",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayMulticastDomains",
            "ec2:DescribeTransitGatewayPeeringAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:GetManagedPrefixListAssociations",
            "ec2:GetManagedPrefixListEntries",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayMulticastDomainAssociations",
            "ec2:GetTransitGatewayPrefixListReferences",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "elasticloadbalancing:Describe*",
            "es:Describe*",
            "es:ListDomainNames",
            "es:ListElasticsearchInstanceTypeDetails",
            "es:ListElasticsearchVersions",
            "es:ListTags",
            "events:Describe*",
            "events:List*",
            "events:TestEventPattern",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:Get*",
            "iam:List*",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "identitystore:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:GetAccountSettings",
            "lambda:GetFunctionConfiguration",
            "lambda:GetFunctionEventInvokeConfig",
            "lambda:GetLayerVersionPolicy",
            "lambda:GetPolicy",
            "lambda:List*",
            "logs:Describe*",
            "logs:ListTagsLogGroup",
            "organizations:Describe*",
            "organizations:List*",
            "rds:Describe*",
            "rds:DownloadDBLogFilePortion",
            "rds:ListTagsForResource",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucket*",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObjectAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetReplicationConfiguration",
            "s3:ListAccessPoints",
            "s3:ListAllMyBuckets",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTagsForResource",
            "sns:ListTopics",
            "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ListQueueTags",
            "sqs:ListQueues",
            "sso:DescribePermissionSet",
            "sso:GetInlinePolicyForPermissionSet",
            "sso:GetPermissionsBoundaryForPermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListAccountsForProvisionedPermissionSet",
            "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
            "sso:ListInstances",
            "sso:ListManagedPoliciesInPermissionSet",
            "sso:ListPermissionSets", 
            "tag:GetResources",
            "tag:GetTagKeys"
        ]
    },
    {
        "Effect":"Allow",
        "Action":[
            "apigateway:GET"
        ],
        "Resource":[
            "arn:aws:apigateway:*::/apis",
            "arn:aws:apigateway:*::/apis/*/routes",
            "arn:aws:apigateway:*::/apis/*/stages",
            "arn:aws:apigateway:*::/apis/*/stages/*",
            "arn:aws:apigateway:*::/clientcertificates/*",
            "arn:aws:apigateway:*::/restapis",
            "arn:aws:apigateway:*::/restapis/*/authorizers",
            "arn:aws:apigateway:*::/restapis/*/authorizers/*",
            "arn:aws:apigateway:*::/restapis/*/documentation/versions",
            "arn:aws:apigateway:*::/restapis/*/resources",
            "arn:aws:apigateway:*::/restapis/*/resources/*",
            "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
            "arn:aws:apigateway:*::/restapis/*/stages",
            "arn:aws:apigateway:*::/restapis/*/stages/*",
            "arn:aws:apigateway:*::/tags/*",
            "arn:aws:apigateway:*::/vpclinks"
        ]
    }
    ]
}

The identitystore and sso permissions read AWS IAM Identity Center (formerly AWS SSO) users, groups, and permission sets.

GovCloud accounts:

{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Effect":"Allow",
        "Resource":"*",
        "Action":[
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetEventSelectors",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListTags",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:ListTagsForResource",
            "config:BatchGetAggregateResourceConfig",
            "config:BatchGetResourceConfig",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeGlobalTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListBackups",
            "dynamodb:ListGlobalTables",
            "dynamodb:ListStreams",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:Describe*",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayMulticastDomains",
            "ec2:DescribeTransitGatewayPeeringAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:GetManagedPrefixListAssociations",
            "ec2:GetManagedPrefixListEntries",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayMulticastDomainAssociations",
            "ec2:GetTransitGatewayPrefixListReferences",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "elasticloadbalancing:Describe*",
            "es:Describe*",
            "es:ListDomainNames",
            "es:ListElasticsearchInstanceTypeDetails",
            "es:ListElasticsearchVersions",
            "es:ListTags",
            "events:Describe*",
            "events:List*",
            "events:TestEventPattern",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:Get*",
            "iam:List*",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "identitystore:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:GetAccountSettings",
            "lambda:GetFunctionConfiguration",
            "lambda:GetFunctionEventInvokeConfig",
            "lambda:GetLayerVersionPolicy",
            "lambda:GetPolicy",
            "lambda:List*",
            "logs:Describe*",
            "logs:ListTagsLogGroup",
            "organizations:Describe*",
            "organizations:List*",
            "rds:Describe*",
            "rds:DownloadDBLogFilePortion",
            "rds:ListTagsForResource",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucket*",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObjectAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetReplicationConfiguration",
            "s3:ListAccessPoints",
            "s3:ListAllMyBuckets",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTagsForResource",
            "sns:ListTopics",
            "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ListQueueTags",
            "sqs:ListQueues",
            "sso:DescribePermissionSet",
            "sso:GetInlinePolicyForPermissionSet",
            "sso:GetPermissionsBoundaryForPermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListAccountsForProvisionedPermissionSet",
            "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
            "sso:ListInstances",
            "sso:ListManagedPoliciesInPermissionSet",
            "sso:ListPermissionSets", 
            "tag:GetResources",
            "tag:GetTagKeys"
        ]
    },
    {
        "Effect":"Allow",
        "Action":[
            "apigateway:GET"
        ],
        "Resource":[
            "arn:aws-us-gov:apigateway:*::/apis",
            "arn:aws-us-gov:apigateway:*::/apis/*/routes",
            "arn:aws-us-gov:apigateway:*::/apis/*/stages",
            "arn:aws-us-gov:apigateway:*::/apis/*/stages/*",
            "arn:aws-us-gov:apigateway:*::/clientcertificates/*",
            "arn:aws-us-gov:apigateway:*::/restapis",
            "arn:aws-us-gov:apigateway:*::/restapis/*/authorizers",
            "arn:aws-us-gov:apigateway:*::/restapis/*/authorizers/*",
            "arn:aws-us-gov:apigateway:*::/restapis/*/documentation/versions",
            "arn:aws-us-gov:apigateway:*::/restapis/*/resources",
            "arn:aws-us-gov:apigateway:*::/restapis/*/resources/*",
            "arn:aws-us-gov:apigateway:*::/restapis/*/resources/*/methods/*",
            "arn:aws-us-gov:apigateway:*::/restapis/*/stages",
            "arn:aws-us-gov:apigateway:*::/restapis/*/stages/*",
            "arn:aws-us-gov:apigateway:*::/tags/*",
            "arn:aws-us-gov:apigateway:*::/vpclinks"
        ]
    }
    ]
}

The identitystore and sso permissions read AWS IAM Identity Center (formerly AWS SSO) users, groups, and permission sets.

Connecting Single AWS Source Accounts

If you do not want to add all accounts in your organization, you can add individual accounts. SailPoint provides a CloudFormation template to create a role and CloudTrail allowing access to the objects in your Amazon S3 bucket.

To connect a single account using CloudFormation:

  1. In the AWS console, select CloudFormation > Stacks.

  2. In Stacks, select the Create stack dropdown menu and choose With new resources (standard).


  3. Select Template is ready and Upload a template file.

  4. Based on your organization configuration, select the appropriate template:

    Commercial accounts:

    Use case                                                Template
    Use an existing CloudTrail with an existing S3 bucket   aws-onboarding-existing-cloudtrail.json
    Create a CloudTrail to use with an existing S3 bucket   aws-onboarding-nobucket.json
    Create a CloudTrail and an S3 bucket                    aws-onboarding.json

    GovCloud accounts:

    Use case                                                Template
    Use an existing CloudTrail with an existing S3 bucket   gov-aws-onboarding-existing-cloudtrail.json
    Create a CloudTrail to use with an existing S3 bucket   gov-aws-onboarding-nobucket.json
    Create a CloudTrail and an S3 bucket                    gov-aws-onboarding.json

    Caution

    If you create an S3 bucket for CloudTrail, CIEM will not have historical usage data, and some of the capabilities will not work.

  5. Name your bucket.

    • If you are using an existing S3 bucket, enter the name in the BucketName field. This can be found in the S3 bucket column of your Trails.

    • If you are creating an S3 bucket, name the bucket for collecting CloudTrail logs.

  6. Enter a unique external ID and keep it secret. The template places it in the role's trust policy, and you will enter it again when you connect the source to CIEM.

  7. The template populates the other fields. Continue using the stack wizard, setting the Stack failure option to Roll back all stack resources.

  8. Complete the setup and select Create stack.

You should verify your configuration before connecting your source.

Connecting AWS Manually

If you do not have access to CloudFormation, you can manually add AWS accounts within your organization.

Important

Connecting AWS manually can leave gaps in your data. SailPoint strongly recommends using CloudFormation templates with AWS Organizations or single AWS source accounts.

Creating an IAM Role

You must create an identity and access management role on your Amazon Web Services source account where you will attach the policy defining what data CIEM can read. If you are using manual IAM roles with an AWS organization, you must repeat this process to create a role in each subaccount.

  1. Sign in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create role.

  4. Select AWS account and choose the Custom trust policy option.

  5. Paste the following code in the Custom trust policy window, replacing <externalId> with the external ID you chose. Use the Commercial or GovCloud version to match your account's partition. The sts:ExternalId condition is what prevents a confused-deputy attack: someone who learns your role ARN but not the external ID cannot have SailPoint's account assume the role on their behalf, so keep the external ID secret.

    Commercial accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::874540850173:role/ciem_universal"
                    ]
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<externalId>"
                    }
                }
            }
        ]
    }

    GovCloud accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws-us-gov:iam::229634586956:role/ciem_universal"
                    ]
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<externalId>"
                    }
                }
            }
        ]
    }

  6. Confirm the trust policy contains the correct role ARN:

    • arn:aws:iam::874540850173:role/ciem_universal for Commercial accounts
    • arn:aws-us-gov:iam::229634586956:role/ciem_universal for GovCloud accounts
  7. Select the Require external ID option and enter your external ID in the External ID field. You will need this later to connect your AWS source account with CIEM.

  8. Select Next. You will be taken to the Add Permissions section.

  9. Select Create policy and choose the JSON tab.
  10. Replace the JSON text with the required permissions for your account type, as listed in Policy Requirements.

  11. Select Next: Tags. Tags are optional.

  12. Select Next: Review. Enter an appropriate name and description for the policy.

  13. Select Create policy. The new policy will be displayed in the list of IAM policies.

  14. Select the checkbox next to the new policy and select Next.

  15. Enter a role name and details. Review the information and select Create Role. You will be redirected to the Roles page.

  16. Search for and select the new role to view its summary. You will need the following information from the summary page to connect your AWS source accounts with CIEM:

    • Role ARN
    • Select Trust relationships, and under Condition, locate the Key ExternalId generated for the role.
  17. If you are creating manual IAM roles to work in an AWS organization, repeat the IAM role creation process for each subaccount.

    Caution

    If you do not include a new role in every subaccount, you may have gaps in your data.
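Before creating the role, it is worth checking the pasted trust policy mechanically rather than by eye: the principal must be the SailPoint role for your partition (a GovCloud account that names an arn:aws: principal is a common slip), the only action must be sts:AssumeRole, and the external ID condition must be present with your real value, not the placeholder. The following is an added example, not SailPoint's code or code from this page. The expected principal ARNs are the ones the page lists; the check, its messages, and the sample policies are constructed here.

```python
"""Check a CIEM role trust policy before creating the role.

Added example; not SailPoint's code or from the page. The expected principals
are the ciem_universal role ARNs the page lists for Commercial and GovCloud
accounts. The check itself, its messages and the sample policies are
constructed here.
"""
import json

CIEM_TRUST_PRINCIPAL = {
    "commercial": "arn:aws:iam::874540850173:role/ciem_universal",
    "govcloud": "arn:aws-us-gov:iam::229634586956:role/ciem_universal",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, account_type, external_id):
    """Return the problems found (an empty list means the trust policy is sound).

    Sound means: exactly one Allow statement, whose only principal is the
    SailPoint role for this partition, whose only action is sts:AssumeRole,
    and which requires sts:ExternalId to equal the secret you chose. The
    external ID is what stops a third party who knows your role ARN from
    having SailPoint's account assume the role for them (confused deputy).
    """
    problems = []
    expected = CIEM_TRUST_PRINCIPAL[account_type]
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        problems.append(f"expected exactly one Allow statement, found {len(allow)}")
    for stmt in allow:
        principal = stmt.get("Principal")
        # "Principal": "*" (or no Principal) means anyone; only a dict can be specific.
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        if principals != [expected]:
            problems.append(f"principal {principals} is not {expected}")
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            problems.append(f"action {actions} must be exactly sts:AssumeRole")
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            problems.append("missing StringEquals condition on sts:ExternalId")
        elif got != external_id:  # also catches a <externalId> placeholder left in
            problems.append("sts:ExternalId does not equal the external ID you chose")
    return problems


def trust_policy(account_type, external_id):
    """The page's trust policy for `account_type` with the external ID filled in."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [CIEM_TRUST_PRINCIPAL[account_type]]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    })


# Constructed weak variant: any AWS principal may assume the role, and there
# is no external ID condition at all.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})

if __name__ == "__main__":
    eid = "c1c4d6e0-example-external-id"  # constructed; use your own secret value
    print(check_trust_policy(trust_policy("commercial", eid), "commercial", eid))
    print(check_trust_policy(WEAK_POLICY, "commercial", eid))
```

Run check_trust_policy on the JSON you are about to paste, with "commercial" or "govcloud" and the external ID you chose. An empty list is the only acceptable result; a Commercial principal checked as "govcloud" is reported as a principal mismatch, which is the partition error the check is meant to catch.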

Creating a Managed IAM Policy

In order to grant CIEM access to your CloudTrail events, you must create a managed IAM policy.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy.
  3. In the JSON editor, paste the following policy, replacing both occurrences of YourCloudtrailBucketName with the name of your CloudTrail bucket. Use the Commercial or GovCloud version to match your account's partition:

    Commercial accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName"
            }
        ]
    }

    GovCloud accounts:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws-us-gov:s3:::YourCloudtrailBucketName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws-us-gov:s3:::YourCloudtrailBucketName"
            }
        ]
    }

  4. Select Review policy. Enter a name and optional description.

  5. Select Create policy. This directs you to the policy overview page.
  6. Select the radio button next to the policy name.
  7. Select the Policy actions dropdown menu and choose Attach to attach the policy to users, groups, or roles in your accounts.
  8. Select Attach policy to assign the new managed policy to the role you created previously.

Enabling CloudTrail Logging

After you've created a role with sufficient permissions, you'll need to enable CloudTrail event processing and log delivery. You can use an existing S3 bucket to store the CloudTrail logs or create a new one. CIEM supports up to 150 cloud trails.

  1. In the Amazon Web Services Management console, select Services and search for "CloudTrail".
  2. Select Trails to access the CloudTrail service page.
  3. Select the trail you want to use, or select Create trail to create a new one.

  4. Under Storage location, select Create new S3 bucket, or select Use existing S3 bucket and enter the central CloudTrail bucket you configured earlier.

    Note

    Save your CloudTrail name as you'll need it to register your AWS source cloud accounts.

  5. Expand Additional settings.

  6. For Log file validation, choose Enabled. CloudTrail then delivers signed digest files to your S3 bucket, so you can later detect whether log files were modified or deleted after delivery.
  7. Complete your trail configuration and select Create trail.
  8. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

  9. Select Save changes.

Verifying Your Configuration

When you have finished connecting your AWS accounts, you should verify the configuration was successful and gather the details you need to connect your AWS source in IdentityNow with CIEM.

To verify your configuration:

  1. In the AWS Console IAM service, select Roles.

  2. Search for the IAM role created by CloudFormation. Select the role and save its name and ARN. For example, arn:aws:iam::443361460944:role/SailPointCIEMAuditRoleStack.

  3. Select the Trust relationships tab and confirm the principal displays:

    • 874540850173 for Commercial accounts
    • 229634586956 for GovCloud accounts
  4. Select Policies and search for the IAM policy created by CloudFormation. For example, "SailPointCIEMAuditPolicy".

  5. Select Permissions and verify the bucket name in the JSON.

  6. Ensure the policy allows s3:GetBucketLocation and s3:ListBucket actions on the CloudTrail bucket, and the s3:GetObject action on the S3 bucket contents.
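Reading a policy by eye does not tell you whether wildcards such as ec2:Describe* or s3:GetBucket* actually cover a required action, or whether a Deny statement elsewhere takes it away. The following added example, not SailPoint's code or code from this page, covers two checks from this page: that a custom policy contains the minimum permissions from Policy Requirements, and the bucket check in step 6 above (s3:GetBucketLocation and s3:ListBucket on the bucket, s3:GetObject on its objects). It expands * and ? the way IAM does for Action and Resource; the function names, the sample custom policy, and the short sample of required actions are constructed here, and Condition, NotAction and NotResource elements are ignored.

```python
"""Check what an IAM policy grants to CIEM, with IAM-style wildcard expansion.

Added example; not SailPoint's code or from the page. It serves two checks
described above: that a custom policy contains the minimum permissions
(Policy Requirements) and that the role can read the CloudTrail bucket
(Verifying Your Configuration, step 6). Function names, the sample custom
policy and the short sample of required actions are constructed here.
Condition, NotAction and NotResource elements are ignored; review those by hand.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_grants(policy, action, resource="*"):
    """True if an Allow statement covers `action` on `resource` and no Deny
    statement covers it too (an explicit deny always wins, as in IAM).

    `*` and `?` in Action and Resource expand as IAM expands them; action
    names compare case-insensitively, resource ARNs case-sensitively.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def missing_permissions(policy, required):
    """Actions from `required` ((action, resource) pairs) the policy does not grant."""
    return [action for action, resource in required
            if not policy_grants(policy, action, resource)]


def cloudtrail_bucket_readable(policy, bucket, partition="aws"):
    """The three grants verification step 6 asks for, checked one by one."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    # A representative object key: trails write under AWSLogs/<account-id>/.
    object_arn = f"{bucket_arn}/AWSLogs/123456789012/CloudTrail/us-east-1/x.json.gz"
    checks = {
        "s3:GetBucketLocation": bucket_arn,
        "s3:ListBucket": bucket_arn,
        "s3:GetObject": object_arn,
    }
    return {a: policy_grants(policy, a, r) for a, r in checks.items()}


# A few of the page's required actions, as (action, resource) pairs.
# Most are resource "*"; apigateway:GET is granted on specific ARNs.
REQUIRED_SAMPLE = [
    ("cloudtrail:DescribeTrails", "*"),
    ("cloudtrail:LookupEvents", "*"),
    ("ec2:DescribeInstances", "*"),
    ("iam:GetRole", "*"),
    ("s3:GetBucketPolicy", "*"),
    ("sso:ListPermissionSets", "*"),
    ("identitystore:ListUsers", "*"),
    ("apigateway:GET", "arn:aws:apigateway:us-east-1::/restapis"),
]

# Constructed custom policy: read-only wildcards, an explicit Deny that
# silently removes identitystore access, and the CloudTrail bucket grants.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:Describe*", "ec2:Describe*", "iam:Get*", "iam:List*",
                    "s3:GetBucket*", "sso:List*", "identitystore:List*"]},
        {"Effect": "Allow", "Action": "apigateway:GET",
         "Resource": "arn:aws:apigateway:*::/restapis"},
        {"Effect": "Deny", "Action": "identitystore:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-central-cloudtrail/*"},
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-central-cloudtrail"},
    ],
}

if __name__ == "__main__":
    print("missing:", missing_permissions(CUSTOM_POLICY, REQUIRED_SAMPLE))
    print(cloudtrail_bucket_readable(CUSTOM_POLICY, "example-central-cloudtrail"))
```

To use it against your own policy, load the JSON of the role's attached policies into one dict and pass the full action list from Policy Requirements as (action, "*") pairs, with the API Gateway entries given a concrete ARN in your region. For the sample policy the run reports cloudtrail:LookupEvents (not covered by cloudtrail:Describe*) and identitystore:ListUsers (allowed, then explicitly denied) as missing, and all three bucket grants as present for the named bucket only.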

You can also view a summary of these details:

  1. Go to CloudFormation > Stacks.
  2. Select the stack.
  3. Choose the Parameters tab to view the key values for your configuration.


Use this information to connect your AWS source with CIEM.