
Connecting AWS and CIEM

Once you have configured your AWS account, you can connect it to IdentityNow to display the total effective access users have to your cloud systems and resources. To display this data, you must use the AWS IAM and CIEM AWS cloud governance connectors.

AWS IAM connector
  Allows you to manage your AWS IAM users and groups in IdentityNow. If your organization has licensed a SailPoint cloud management solution, it also gathers data about the cloud access granted to users through policies, roles, organizational units, and AWS accounts.

CIEM AWS cloud governance connector
  Works with your AWS IAM connector to collect cloud resource data and display the total access an identity has to your cloud systems.

FedRAMP Limitations

CIEM FedRAMP customers can register a maximum of 650 AWS member accounts.

You may connect your AWS IAM and CIEM AWS cloud governance sources in any order.

After you've connected and aggregated your cloud accounts and entitlements, you will mark your IAM entitlements, and your AWS Identity Center entitlements if you use Identity Center, as cloud enabled. This lets you view the cloud access granted through those entitlements and include them in certification campaigns.

Connecting AWS IAM

Follow the directions to connect your AWS IAM governance source.

You will then use the CIEM AWS cloud governance connector to display all access users have to your cloud resources.

Connecting AWS Cloud Governance

The CIEM AWS source pulls daily data about the cloud resources users can access. Users can be AWS IAM users, AWS Identity Center users, or users from an Azure or Okta IdP.

Use the values you recorded when verifying your AWS configuration to register the CIEM AWS source in IdentityNow:

  1. Go to Admin > Connections > Create New.
  2. Find and select the CIEM AWS source type.
  3. Enter a source name.
  4. Enter a description for your source.
  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
  6. (Optional) Select a governance group for source management.
  7. Select Connection Settings.
  8. Enter the Role ARN of the IAM role you created for this connection.
  9. Enter the External ID generated when you created that IAM role.
  10. (Optional) Enter the CloudTrail ARN for an organization or individual member account.
    • If your organization delivers CloudTrail events to an S3 bucket owned by a different account from this member account, enter that account's ID in the CloudTrail Bucket Account field.
  11. If the source uses a single account (as opposed to the organization account), select the Single Account toggle.
  12. Select Save.
  13. Select Review and Test.
  14. Review the configuration details and select Test Connection. A successful test is required for CIEM to gather data for this source.

    Note

    If the test connection fails, you can use the Search query name:"Test_connection Source Failed" for more information.
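The Role ARN and External ID you enter in steps 8 and 9 are only as protective as the trust policy on the role itself: the External ID is enforced by AWS, not by the source configuration, so the role's trust policy must require it in an `sts:ExternalId` condition and must trust only the connector's account. The following pre-flight check is an added example and is not SailPoint code; it parses a trust policy document and reports any assume-role grant that lacks the expected External ID or trusts some other principal. The connector account ID and External ID are placeholders you would replace with the values from your own setup.

```python
"""Pre-flight check for the IAM role whose Role ARN and External ID are entered
in the CIEM AWS source. Added example (not SailPoint's code): it inspects the
role's trust policy for statements that let a principal assume the role without
the expected External ID, or that trust a principal outside the connector
account. The account ID and External ID below are placeholders."""
import json

# Placeholder for the integrator's AWS account ID (the real value comes from the
# integrator's setup instructions, not from this example).
CONNECTOR_ACCOUNT_ID = "111122223333"
# Placeholder for the External ID you will paste into the CIEM source.
EXPECTED_EXTERNAL_ID = "example-external-id-placeholder"

# Constructed trust policy: limited to the connector account and bound to the
# External ID, which is the shape a correctly created role should have.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONNECTOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

# Constructed weak variant: no Condition, so the External ID entered in the UI
# is never actually checked by AWS when the role is assumed.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONNECTOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    """Account ID field of an IAM ARN such as arn:aws:iam::ACCOUNT:root."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 5 else ""


def trust_policy_findings(policy_json, connector_account_id, external_id):
    """Return findings for Allow statements that grant sts:AssumeRole.
    An empty list means every assume-role grant is limited to the connector
    account and requires the expected sts:ExternalId."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif _account_of(p) != connector_account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        conditions = stmt.get("Condition", {})
        ext_ids = _as_list(conditions.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_id not in ext_ids:
            findings.append(f"statement {i}: sts:ExternalId does not match the value you will enter")
    return findings


if __name__ == "__main__":
    for label, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(label, trust_policy_findings(policy, CONNECTOR_ACCOUNT_ID, EXPECTED_EXTERNAL_ID) or "OK")
```

In practice you would feed `trust_policy_findings` the document returned for the role (for example from the role's Trust relationships tab or an `iam get-role` call) together with the account ID and External ID from your setup; a non-empty result is worth resolving before you run Test Connection, since a successful test only proves the role can be assumed, not that it is assumed under the conditions you intended.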

After a successful test connection, you can set the source scope or move on to aggregating your cloud accounts and entitlements.

Setting Source Scope

By default, CIEM reads and automatically discovers changes to your cloud infrastructure, which are displayed in the Cloud Scopes section of your CIEM source configuration. You can choose to exclude scopes to prevent CIEM from including data for those accounts.

To change the scope of your included source data:

  1. In the CIEM AWS source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which accounts are included. Removing a scope disables Auto-Include Scopes.
  3. Select Save.

CIEM will now only read and include data from your selected scopes. When Auto-Include Scopes is disabled, new and deleted accounts in your cloud system are still detected, but they are not automatically included in your CIEM data until you select them individually or re-enable Auto-Include Scopes.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by CIEM. This is separate from aggregation.

Aggregating Cloud Accounts and Entitlements

The CIEM AWS source aggregates accounts and entitlements from AWS Identity Center to display in IdentityNow.

CIEM calls the following AWS Identity Store and Identity Center SSO APIs:

  • ListUsers
  • ListGroups
  • ListGroupMemberships
  • ListInstances
  • ListPermissionSets
  • DescribePermissionSet
  • ListAccountsForProvisionedPermissionSet
  • ListAccountAssignments
  • GetInlinePolicyForPermissionSet
  • GetPermissionsBoundaryForPermissionSet
  • ListManagedPoliciesInPermissionSet
  • ListCustomerManagedPolicyReferencesInPermissionSet

AWS Identity Center data is displayed:

  • In the Accounts tab of the CIEM AWS source.

    Note

    The account ID on a CIEM AWS source is the account ID associated with a user's AWS Identity Center access, not their AWS IAM account ID.

  • In the Entitlements tab of the CIEM AWS source under ICAccountAssignments.

  • In the AWSAccountSet attribute on the identity's Accounts tab.
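The APIs listed above return raw building blocks (users, group memberships, permission sets, and account assignments made to users or groups); the per-identity account set displayed in IdentityNow is the result of resolving those pieces together. The following resolver is an added example and not SailPoint's aggregation code. Its input data is constructed to mirror the shapes of the `ListUsers`, `ListGroupMemberships`, `DescribePermissionSet` and `ListAccountAssignments` responses, with placeholder account IDs and ARNs, so nothing is fetched from AWS; the attribute-style output it produces is a simplification of what the CIEM AWS source shows.

```python
"""Resolve AWS Identity Center account assignments into per-user effective
access. Added example, not SailPoint's code. The sample records below are
constructed to match the response shapes of the Identity Store and Identity
Center APIs named on the page; account IDs and ARNs are placeholders."""
from collections import defaultdict

# Constructed sample of identitystore ListUsers -> "Users"
USERS = [
    {"UserId": "u-alice", "UserName": "alice"},
    {"UserId": "u-bob", "UserName": "bob"},
]

# Constructed sample of identitystore ListGroupMemberships -> "GroupMemberships"
GROUP_MEMBERSHIPS = [
    {"GroupId": "g-cloud-admins", "MemberId": {"UserId": "u-alice"}},
    {"GroupId": "g-readers", "MemberId": {"UserId": "u-alice"}},
    {"GroupId": "g-readers", "MemberId": {"UserId": "u-bob"}},
]

# Constructed sample of sso-admin DescribePermissionSet -> "PermissionSet",
# keyed by permission set ARN (placeholder instance and set IDs)
PS_ADMIN_ARN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-admin"
PS_RO_ARN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-readonly"
PERMISSION_SETS = {
    PS_ADMIN_ARN: {"Name": "AdministratorAccess", "PermissionSetArn": PS_ADMIN_ARN},
    PS_RO_ARN: {"Name": "ReadOnly", "PermissionSetArn": PS_RO_ARN},
}

# Constructed sample of sso-admin ListAccountAssignments -> "AccountAssignments",
# collected across the accounts each permission set is provisioned to
ACCOUNT_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN_ARN,
     "PrincipalType": "GROUP", "PrincipalId": "g-cloud-admins"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO_ARN,
     "PrincipalType": "GROUP", "PrincipalId": "g-readers"},
    {"AccountId": "333333333333", "PermissionSetArn": PS_RO_ARN,
     "PrincipalType": "USER", "PrincipalId": "u-bob"},
]


def effective_assignments(users, memberships, permission_sets, assignments):
    """Map each user name to a set of (account_id, permission_set_name, via)
    tuples. 'via' is 'direct' for USER assignments and the group ID for
    assignments the user inherits through group membership."""
    groups_of = defaultdict(set)
    for m in memberships:
        groups_of[m["MemberId"]["UserId"]].add(m["GroupId"])

    result = defaultdict(set)
    for user in users:
        user_id, user_name = user["UserId"], user["UserName"]
        for a in assignments:
            ps_name = permission_sets[a["PermissionSetArn"]]["Name"]
            if a["PrincipalType"] == "USER" and a["PrincipalId"] == user_id:
                result[user_name].add((a["AccountId"], ps_name, "direct"))
            elif a["PrincipalType"] == "GROUP" and a["PrincipalId"] in groups_of[user_id]:
                result[user_name].add((a["AccountId"], ps_name, a["PrincipalId"]))
    return dict(result)


def account_set(effective, user_name):
    """Distinct account IDs a user can reach through any assignment, sorted.
    This is the kind of value an AWSAccountSet-style identity attribute holds."""
    return sorted({account for account, _, _ in effective.get(user_name, ())})


if __name__ == "__main__":
    effective = effective_assignments(USERS, GROUP_MEMBERSHIPS, PERMISSION_SETS, ACCOUNT_ASSIGNMENTS)
    for name in sorted(effective):
        print(name, account_set(effective, name))
        for account, ps_name, via in sorted(effective[name]):
            print(f"  {account} {ps_name} via {via}")
```

The point the note above makes, that the account ID on the CIEM AWS source is the Identity Center account the user can reach rather than an IAM account ID, is visible here: alice has no direct assignment at all, yet her account set contains two accounts because of her group memberships, which is also why group entitlements must be marked as cloud enabled alongside the account assignments themselves.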

If you are using AWS Identity Center, you must also mark Identity Center entitlements on the CIEM AWS source.

Marking AWS Cloud-Enabled Entitlement Types

When your entitlements are pulled from your AWS cloud environment, you must mark the entitlement types that relate to cloud access. This will display cloud access details for identities with those entitlements in IdentityNow. It will also allow certification campaign reviewers to view the cloud access details on cloud entitlements included in certification campaigns for AWS cloud infrastructure users.

If you use AWS Identity Center, you must mark those entitlements as cloud enabled on the CIEM AWS source.

Marking AWS IAM Entitlements

On the AWS IAM source, you must mark the Groups, AWS Managed Policy, Customer Managed Policy, and Inline Policy entitlements that relate to cloud access.

To mark entitlements as cloud enabled on the AWS IAM source:

  1. Go to Admin > Connections > Sources.
  2. Select the AWS IAM source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:
    • Groups
    • AWSManagedPolicy
    • CustomerManagedPolicy
    • InlinePolicy
  5. Select Update.

If you are using AWS Identity Center, you must also mark your AWS Identity Center entitlements as cloud enabled.

Marking AWS Identity Center Entitlements

To mark AWS Identity Center entitlements as cloud enabled on the CIEM AWS source:

  1. Go to Admin > Connections > Sources.
  2. Select the CIEM AWS source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:
    • Groups
    • ICAccountAssignment
  5. Select Update.

Viewing Effective Access to AWS Resources

After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns to allow your certifiers to view cloud access details like the last level of access and type of action taken on the resource.

Notes

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a . Your certifiers will still see how the resource was accessed, but may not have full activity data details.

Certifiers can also view the access paths between scoped objects like groups, policies, and projects granting the user access to the selected resource. They can view the direct access granted by the entitlement or all access paths to the resource. The entitlement access path is highlighted.

If a user has multiple of the same type of access at the same scope, such as multiple role assignments that lead to the same management group, your certifiers can select the node to display the access leading to the resource.

Refer your certifiers to Viewing Cloud Access Details in the User Help for guidance on viewing cloud access details.