SailPoint AWS Aggregation
SailPoint AWS Aggregation refers to the process of connecting to AWS (Amazon Web Services) and importing user identity data into the SailPoint IdentityIQ platform. This aggregation allows SailPoint to pull in AWS account information, roles, and permissions to establish visibility and control over user access and identity governance.
Key Steps in AWS Aggregation:
1. Authentication Setup: SailPoint uses AWS credentials or an assumed role to authenticate and retrieve data from AWS.
2. Connector Configuration: Set up the SailPoint AWS Connector, which allows SailPoint to communicate with AWS and pull identity and access data.
3. Aggregation Process:
   - Account Aggregation: Import AWS users and roles.
   - Permission Aggregation: Import IAM policies, permissions, and role-based access from AWS.
4. Access Review: Use the aggregated data in SailPoint to run access reviews, certify AWS roles and policies, and ensure compliance.
5. Policy Enforcement: Define and enforce governance policies based on the data imported from AWS, ensuring that access control aligns with organizational security standards.
6. Continuous Sync: Automate the aggregation process to continuously monitor AWS for changes in roles or user access.
Let's walk through the demo end to end, step by step. I will divide the steps into two parts: the first part covers the AWS-side configuration and the second part the SailPoint-side configuration.
Part 01: AWS configurations
Step 01: Set up the necessary policies in the AWS account
Three policies need to be created on the AWS side so that SailPoint can access the necessary resources in AWS.
SPAggregationPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:ListSigningCertificates",
"iam:GetGroup",
"iam:ListSSHPublicKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedGroupPolicies",
"iam:ListRolePolicies",
"iam:ListAccessKeys",
"iam:ListPolicies",
"iam:GetRole",
"iam:GetPolicy",
"iam:ListGroupPolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListGroups",
"iam:GetGroupPolicy",
"iam:GetUser",
"iam:GetRolePolicy",
"iam:GetLoginProfile",
"iam:ListEntitiesForPolicy",
"iam:GetAccessKeyLastUsed",
"iam:ListUserTags",
"iam:ListRoleTags",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
SPOrganizationPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"organizations:ListPoliciesForTarget",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"organizations:ListAccounts",
"organizations:ListTargetsForPolicy",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListParents",
"organizations:ListOrganizationalUnitsForParent",
"organizations:DescribePolicy",
"organizations:ListPolicies",
"organizations:ListTagsForResource"
],
"Resource": "*"
}
]
}
SPProvisioningPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:UpdateLoginProfile",
"iam:CreateGroup",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:AttachUserPolicy",
"iam:DeleteUserPolicy",
"iam:UpdateAccessKey",
"iam:AttachRolePolicy",
"iam:DeleteUser",
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:CreateLoginProfile",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:DetachRolePolicy",
"iam:DeleteSigningCertificate",
"iam:AttachGroupPolicy",
"iam:DeleteRolePolicy",
"iam:DetachGroupPolicy",
"iam:DetachUserPolicy",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile"
],
"Resource": "*"
}
]
}
Step 02: Create a role with the custom trust policy below
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::292308060071:user/gmgunawardana@gmail.com"
},
"Action": "sts:AssumeRole"
}
]
}
Finally, your role should have all three policies we defined above attached to it.
Step 03: Create an IAM user in your AWS account
Make sure the user has IAMReadOnlyAccess.
Step 04: Generate an access key and secret for the user created in the previous step
Make sure you note down both the Access key and the Secret access key.
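Before wiring the role into SailPoint it is worth checking the four policy documents from Part 01 locally. The script below is an added example written for this post; it is not SailPoint connector code, does not call AWS, and works only on the JSON text. It embeds abbreviated copies of the page's SPAggregationPolicy, SPProvisioningPolicy and trust policy (Version written with ASCII hyphens, which is what IAM accepts; the en-dash form that copy-paste from a web page often produces is rejected), the account ID and user name in the trust policy are placeholders, and two constructed variants (an en-dash Version and a wildcard principal) show the checks firing. The ExternalId/Condition check is a common hardening for cross-account role trust, not something the page itself configures.

```python
"""Local lint for the IAM policy documents behind a SailPoint AWS aggregation role.

Added example; not SailPoint connector code and no AWS calls are made.
"""
import json
import re

# IAM only accepts this exact version string; "2012–10–17" with en-dashes is invalid.
VALID_VERSION = "2012-10-17"

# Actions whose verb is Get/List/Describe only read state; anything else can mutate.
READ_ONLY_ACTION = re.compile(r"^(?:iam|organizations):(?:Get|List|Describe)\w+$")


def load_policy(text):
    """Parse a policy document from its JSON text."""
    return json.loads(text)


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy):
    """Every action granted by an Allow statement in the policy."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def mutating_actions(policy):
    """Granted actions that are not plain reads, sorted for stable output."""
    return sorted(a for a in allowed_actions(policy) if not READ_ONLY_ACTION.match(a))


def policy_findings(policy, expect_read_only):
    """Findings for a permissions policy; aggregation policies must be read-only,
    the provisioning policy is expected to carry write actions."""
    findings = []
    if policy.get("Version") != VALID_VERSION:
        findings.append(f"Version must be {VALID_VERSION!r}, got {policy.get('Version')!r}")
    if expect_read_only:
        findings.extend(f"non-read action granted: {a}" for a in mutating_actions(policy))
    return findings


def trust_policy_findings(trust):
    """Findings for the role's trust policy (who may call sts:AssumeRole)."""
    findings = []
    if trust.get("Version") != VALID_VERSION:
        findings.append(f"Version must be {VALID_VERSION!r}, got {trust.get('Version')!r}")
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected trust action: {action}")
        if "Condition" not in stmt:
            findings.append("no Condition on sts:AssumeRole (consider an ExternalId or source restriction)")
    return findings


# Abbreviated copy of the page's SPAggregationPolicy (read-only IAM actions).
AGGREGATION_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["iam:ListUsers", "iam:ListRoles", "iam:GetUser", "iam:ListAccessKeys",
               "iam:GetAccessKeyLastUsed", "iam:ListAttachedUserPolicies"],
    "Resource": "*"}]
}"""

# Abbreviated copy of the page's SPProvisioningPolicy (write actions, by design).
PROVISIONING_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:AttachUserPolicy", "iam:CreateAccessKey"],
    "Resource": "*"}]
}"""

# Constructed: the same policy with en-dashes in Version, as a web copy-paste often yields.
EN_DASH_POLICY_JSON = AGGREGATION_POLICY_JSON.replace("2012-10-17", "2012\u201310\u201317")

# Trust policy in the shape of Step 02; account ID and user name are placeholders.
TRUST_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/PLACEHOLDER_SAILPOINT_USER"},
    "Action": "sts:AssumeRole"}]
}"""

# Constructed misconfiguration: a wildcard principal in the trust policy.
OPEN_TRUST_POLICY_JSON = TRUST_POLICY_JSON.replace(
    "arn:aws:iam::111111111111:user/PLACEHOLDER_SAILPOINT_USER", "*")

if __name__ == "__main__":
    for name, text, read_only in [("SPAggregationPolicy", AGGREGATION_POLICY_JSON, True),
                                  ("SPProvisioningPolicy", PROVISIONING_POLICY_JSON, False),
                                  ("en-dash copy", EN_DASH_POLICY_JSON, True)]:
        print(name, policy_findings(load_policy(text), read_only) or "OK")
    print("trust policy", trust_policy_findings(load_policy(TRUST_POLICY_JSON)))
    print("open trust policy", trust_policy_findings(load_policy(OPEN_TRUST_POLICY_JSON)))
```

Run it against the full policy texts from Step 01 and Step 02 by pasting them in place of the abbreviated copies; the aggregation and organization policies should produce no findings, the provisioning policy should list exactly the write actions you intend to grant, and the trust policy should name only the SailPoint IAM user from Step 03.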
Part 02: SailPoint configurations
Step 01: Go to Application Definition and start creating a new application
Make sure you select AWS as the Application Type.
Add the AWS configuration as below and finally test the connection.
Step 02:
Step 03: