AWS Partner Network (APN) Blog

Access Visibility and Governance for AWS with SailPoint Cloud Access Management

By Adam Creaney, Global Partner Solution Lead – SailPoint


The process of ensuring the right people have the right access at the right time to cloud resources can be a challenge. Many organizations lack visibility into cloud identities, leading to excessive, unused, or noncompliant access patterns.

In a recent survey by SailPoint of executives and governance professionals, 97% of companies have experienced infrastructure as a service (IaaS) access issues, and a staggering 91% of organizations still require manual processes to prepare user access reports to their IaaS environments.

SailPoint Cloud Access Management is an identity-focused enterprise solution to certify, provision, and manage the cloud access lifecycle. It delivers a consolidated view of access across all users, applications, and data—including access to their cloud platforms and the workloads running on them.

SailPoint identifies inappropriate, unauthorized, and unused access in Amazon Web Services (AWS) to help organizations effectively secure their cloud infrastructure and related workloads.

SailPoint Technologies is an AWS Security Competency Partner whose identity governance enables enterprises to create a more secure and compliant environment through governed access of AWS.

Gaining Visibility

In order to provide a complete, 360-degree view of identity—for all users, all applications, and all data—the first step is discovery.

For AWS, this discovery involves SailPoint collecting metadata around identity and access management (IAM), policy, and management resources to determine effective access to cloud resources.

At a high level, AWS account management events are delivered by AWS CloudTrail to an Amazon Simple Storage Service (Amazon S3) bucket, where they can then be retrieved and processed by SailPoint.

Onboarding AWS accounts into SailPoint Cloud Access Management can be done by onboarding individual accounts, or via the recommended route of onboarding AWS Organizations.

When onboarding AWS Organizations, AWS CloudFormation templates are provided that will create the necessary stack set, stacks, IAM roles, and managed IAM policies required to enable read access to the necessary accounts.

Connecting via a single AWS account is similar—simply create a new stack via CloudFormation and use SailPoint-provided templates that will utilize an existing or create a new AWS CloudTrail and Amazon S3 bucket, as well as create the necessary IAM role.


Figure 1 – High-level solution architecture.

Once the deployment is registered with SailPoint, identity administrators can explore and search through the discovered identities and objects. Discovered resource objects can include things like instances, databases, object stores, and encryption keys.

Identities in AWS are anything that may have access to a discovered object. This includes traditional IAM users and groups, but also IAM roles, service accounts, and AWS Lambda functions. Federated users and groups from a third-party identity provider (IdP) are also visible.


Figure 2 – Identity cloud access overview.

From a security perspective, it’s important to understand what an identity can access, as well as how that access is being used. For some cloud objects, access is further defined by permissions (does this identity have read, write, or admin rights for a resource?) and which of these are actively being utilized.

Over time, it’s typical that an organization will encounter “entitlement creep” or the gradual over-accumulation of access on identities. This violates one of the core principles of Zero Trust security on AWS: minimizing the impact that could occur if an entity is compromised or breached.

SailPoint alerts and reports on unused role assignments, unused services, and unused permissions across an AWS deployment, helping to reduce creep.

In addition to alerting based on an identity having too much unused access, it’s equally important to understand and alert on suspicious activity when the access is being used. Activity-based anomalies occur when an identity utilizes access in a non-typical way.

SailPoint utilizes artificial intelligence (AI) and machine learning (ML) to train a model to recognize and alert when the type and volume of access falls outside normal parameters.
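The two checks described above (unused grants that indicate entitlement creep, and activity that falls outside an identity's usual volume) can be illustrated over CloudTrail-shaped records. The following is an added example written for this post, not SailPoint's code: the identities, granted actions and event records are constructed, the eventSource-to-service-prefix mapping is a simplification, and the per-identity z-score baseline is a deliberately simple stand-in for the trained model the post refers to.

```python
"""Unused-access and activity-volume checks over constructed CloudTrail-style events.
Added illustration for this post; not SailPoint's implementation."""
from collections import Counter, defaultdict
from fnmatch import fnmatchcase
from statistics import mean, pstdev

# Constructed: effective actions granted to each identity, flattened from its
# attached policies (wildcards kept as written in the policy).
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "iam:*"},
    "deploy-role": {"lambda:*", "s3:GetObject"},
}

# Constructed CloudTrail-like events: (day, identity, eventSource, eventName).
# Day 5 carries a burst of calls for alice to exercise the anomaly check.
EVENTS = [
    (1, "alice", "s3.amazonaws.com", "GetObject"),
    (1, "alice", "ec2.amazonaws.com", "DescribeInstances"),
    (2, "alice", "s3.amazonaws.com", "GetObject"),
    (3, "alice", "s3.amazonaws.com", "GetObject"),
    (4, "alice", "s3.amazonaws.com", "GetObject"),
    (5, "alice", "iam.amazonaws.com", "ListUsers"),
] + [(5, "alice", "s3.amazonaws.com", "GetObject")] * 10


def to_action(event_source, event_name):
    """Map a CloudTrail eventSource/eventName pair to an IAM action string.
    Simplification (assumption): the eventSource host prefix equals the IAM
    service prefix, which holds for most but not all services."""
    return f"{event_source.split('.')[0]}:{event_name}"


def used_actions(events):
    """Set of observed actions per identity."""
    used = defaultdict(set)
    for _day, identity, source, name in events:
        used[identity].add(to_action(source, name))
    return used


def unused_permissions(granted, used):
    """Granted actions (wildcards allowed) that no observed call ever matched."""
    report = {}
    for identity, grants in granted.items():
        seen = used.get(identity, set())
        report[identity] = sorted(
            g for g in grants if not any(fnmatchcase(u, g) for u in seen)
        )
    return report


def dormant_identities(granted, used):
    """Identities holding access but with no activity at all (e.g. an unused role)."""
    return sorted(i for i in granted if not used.get(i))


def volume_anomalies(events, threshold=3.0):
    """Flag identities whose latest day's call volume is far above their own
    baseline, measured as a z-score over the earlier days."""
    per_day = defaultdict(Counter)
    for day, identity, _src, _name in events:
        per_day[identity][day] += 1
    findings = []
    for identity, counts in per_day.items():
        days = sorted(counts)
        if len(days) < 3:  # too little history to form a baseline
            continue
        baseline = [counts[d] for d in days[:-1]]
        sigma = max(pstdev(baseline), 1.0)  # floor so a flat baseline doesn't flag tiny rises
        z = (counts[days[-1]] - mean(baseline)) / sigma
        if z > threshold:
            findings.append({"identity": identity, "day": days[-1],
                             "count": counts[days[-1]], "z": round(z, 2)})
    return findings


if __name__ == "__main__":
    used = used_actions(EVENTS)
    print("unused:", unused_permissions(GRANTED, used))
    print("dormant:", dormant_identities(GRANTED, used))
    print("anomalies:", volume_anomalies(EVENTS))
```

On this input alice's `s3:PutObject` grant is never exercised, `iam:*` counts as used because `iam:ListUsers` matches it, `deploy-role` is reported as dormant with all of its grants unused, and alice's 11 calls on day 5 stand out against a baseline of one or two calls a day.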

Enterprise-Ready Identity Governance

Understanding unused access and suspicious access activity is critical for organizations that want to understand the current state of their cloud infrastructure. But what steps can they take to actively reduce potential threats? This is done by properly managing the lifecycle of access to cloud resources and reviewing access on a regular basis.

When a new employee is hired, for example, they require a base set of accounts to be created and access to be assigned to them in order to be productive. For AWS, this means creating a new IAM user and then assigning groups and/or policies to that new user.

When that employee changes job, project, or team, new access may be needed. More importantly, their old access needs to be removed. When an employee departs an organization, all access needs to be revoked. This is called lifecycle-based provisioning, and proper implementation can reduce the risk of permission sprawl over time.

Certifications are another tool that can be used to reduce the number of over-entitled identities. Certification is the process of reviewing all of the access assigned to an identity and attesting that it is appropriate. If the access is no longer justified, the access is removed, bringing that user back into compliance. SailPoint provides the ability to include AWS groups and policies in these user certifications.
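The joiner, mover and leaver cases from the lifecycle description above, plus the revocation step of a certification campaign, amount to reconciling desired access against current IAM state and emitting a plan. The following is an added example, not SailPoint's provisioning engine: the business-role-to-group mapping, the user records and the policy ARN are constructed, and the plan is a list of action tuples rather than real IAM API calls.

```python
"""Lifecycle-based provisioning plan and certification revocations.
Added illustration for this post; not SailPoint's code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping of business role -> IAM groups that role should hold.
ROLE_GROUPS = {
    "developer": {"Developers", "ReadOnlyAll"},
    "dba": {"DBAdmins", "ReadOnlyAll"},
}


@dataclass
class Worker:
    """Source-of-truth record (e.g. from HR) for one person."""
    username: str
    status: str                 # "active" or "terminated"
    job_role: Optional[str]


@dataclass
class IamUserState:
    """Current aggregated IAM state for that person's user."""
    exists: bool = False
    enabled: bool = True
    groups: set = field(default_factory=set)
    policies: set = field(default_factory=set)   # directly attached managed policies


def desired_groups(worker):
    """Terminated workers are entitled to nothing; others get their role's groups."""
    if worker.status != "active":
        return set()
    return set(ROLE_GROUPS.get(worker.job_role, set()))


def provisioning_plan(worker, current):
    """Ordered actions that move `current` to the desired state.
    Joiner: create + add groups. Mover: add new, remove old. Leaver: strip all, disable."""
    actions = []
    want = desired_groups(worker)
    if worker.status == "active" and not current.exists:
        actions.append(("create_user", worker.username))
    for group in sorted(want - current.groups):
        actions.append(("add_to_group", group))
    for group in sorted(current.groups - want):
        actions.append(("remove_from_group", group))
    if worker.status != "active":
        for policy in sorted(current.policies):
            actions.append(("detach_policy", policy))
        if current.exists and current.enabled:
            actions.append(("disable_user", worker.username))
    return actions


def certification_revocations(access, approvals):
    """Access items a reviewer did not explicitly approve are revoked.
    `access`: identity -> set of entitlements; `approvals`: identity -> approved set."""
    revocations = []
    for identity, items in access.items():
        for item in sorted(items - approvals.get(identity, set())):
            revocations.append((identity, item))
    return revocations


if __name__ == "__main__":
    print(provisioning_plan(Worker("bob", "active", "developer"), IamUserState()))
    print(provisioning_plan(Worker("carol", "active", "dba"),
                            IamUserState(True, True, {"Developers", "ReadOnlyAll"})))
    print(provisioning_plan(Worker("dave", "terminated", None),
                            IamUserState(True, True, {"Developers"},
                                         {"arn:aws:iam::111111111111:policy/ConstructedPolicy"})))
    print(certification_revocations({"alice": {"Developers", "AdministratorAccess"}},
                                    {"alice": {"Developers"}}))
```

The leaver plan removes group memberships and detaches policies before disabling the user, so a partially applied plan never leaves a disabled-but-entitled account that could later be re-enabled with stale access.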

Provisioning and certification are just two of the governance use cases the integration between SailPoint and AWS supports. Utilizing the AWS IAM APIs, SailPoint provides the following technical capabilities:

  • Manage IAM users: Aggregate, create, update, enable, disable, and change passwords.
  • Assign access: Add and remove groups, AWS-managed policies, customer-managed policies, and inline policies to IAM users.
  • Manage IAM groups: Aggregate, create, and update IAM groups.
  • AWS-managed policy management: Aggregate and refresh AWS-managed policies.
  • Customer-managed policies: Aggregate, refresh, and create customer-managed policies.
  • Inline policies: Aggregate and refresh inline policies.
  • Role management: Aggregate, refresh, update (add/remove AWS- or customer-managed policies from an IAM role).
  • Role access: Add and remove AWS- or customer-managed policies from IAM roles.
  • Policies: AWS, customer, and inline policies displayed as direct permissions.
  • Trust policies: Trust policies are displayed as direct permissions for IAM roles, for the purpose of showing how users can elevate access within a single account, across accounts, and even across providers (federated).
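The last item above, trust policies treated as permissions so that an administrator can see how an identity's reach extends across roles, accounts and federation, is essentially a reachability question over trust relationships. The following is an added example, not SailPoint's code: the account IDs, role ARNs and trust documents are constructed, and the matching is simplified (an account-root trust is taken to cover any user or role in that account, and policy conditions such as MFA or ExternalId are not evaluated; in real AWS the identity also needs `sts:AssumeRole` permission on its own side).

```python
"""Reachable-role analysis over IAM role trust policies.
Added illustration for this post; ARNs and accounts are constructed."""
import json
from collections import deque

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML",
                  "sts:AssumeRoleWithWebIdentity", "sts:*"}

# Constructed trust policies, keyed by role ARN, in the AWS policy document format.
TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/DevRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"}}]},
    # Cross-account: trusts the whole source account (root), not one principal.
    "arn:aws:iam::222222222222:role/ProdReadOnly": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
    # Chain: a role trusting another role in the same account.
    "arn:aws:iam::222222222222:role/ProdAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                       "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ProdReadOnly"]}}]},
    # Federated: assumable through a SAML provider rather than an IAM principal.
    "arn:aws:iam::111111111111:role/FederatedAnalyst": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
                       "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Corp"}}]},
}

# Constructed: managed policies attached to each role (AdministratorAccess is
# the real AWS-managed policy ARN; the attachment itself is constructed).
ATTACHED = {"arn:aws:iam::222222222222:role/ProdAdmin":
            {"arn:aws:iam::aws:policy/AdministratorAccess"}}


def account_of(arn):
    return arn.split(":")[4]


def kind_of(arn):
    """'user', 'role', 'saml-provider', ... from the resource part of an ARN."""
    return arn.split(":", 5)[5].split("/")[0]


def principals(statement):
    """Normalise the Principal element to (type, value) pairs."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for ptype, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            pairs.append((ptype, value))
    return pairs


def trusts(role_doc, principal_arn):
    """True if the trust document lets `principal_arn` assume the role."""
    for st in role_doc["Statement"]:
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if st.get("Effect") != "Allow" or not ASSUME_ACTIONS & set(actions):
            continue
        for ptype, value in principals(st):
            if value in ("*", principal_arn):
                return True
            # Simplification: root trust covers every user/role in that account.
            if (ptype == "AWS" and value.endswith(":root")
                    and kind_of(principal_arn) in ("user", "role")
                    and account_of(value) == account_of(principal_arn)):
                return True
    return False


def reachable_roles(start_arn, policies=TRUST_POLICIES):
    """Breadth-first search: every role reachable by chaining assumptions
    from `start_arn`, mapped to the path that reaches it."""
    paths, queue = {}, deque([(start_arn, [start_arn])])
    while queue:
        current, path = queue.popleft()
        for role, doc in policies.items():
            if role not in paths and role != start_arn and trusts(doc, current):
                paths[role] = path + [role]
                queue.append((role, paths[role]))
    return paths


def reachable_admin_roles(start_arn, policies=TRUST_POLICIES, attached=ATTACHED):
    """Subset of reachable roles carrying AdministratorAccess, i.e. the escalation finding."""
    admin = "arn:aws:iam::aws:policy/AdministratorAccess"
    return {r: p for r, p in reachable_roles(start_arn, policies).items()
            if admin in attached.get(r, set())}


if __name__ == "__main__":
    print(json.dumps(reachable_roles("arn:aws:iam::111111111111:user/alice"), indent=2))
    print(reachable_admin_roles("arn:aws:iam::111111111111:saml-provider/Corp"))
```

For the constructed input, alice reaches `DevRole` directly, `ProdReadOnly` in the other account through the root trust, and `ProdAdmin` by chaining through `ProdReadOnly`; the SAML provider reaches `FederatedAnalyst` and from there the same cross-account chain, which is the federated elevation path the post says the trust-policy view is meant to surface.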

The SailPoint Identity Platform is a multi-tenant software-as-a-service (SaaS) solution natively platformed on AWS that operates as the core of a modern identity security strategy.

It provides the deep governance capabilities required by the world’s largest and most complex IT environments.


Figure 3 – SailPoint Identity Security Platform.


SailPoint and AWS deliver scalable, AI-driven identity governance for any AWS cloud environment. SailPoint is a leader in identity security that harnesses the power of AI/ML to deliver the intelligence, automation, and integration needed to manage the most complex cloud enterprises.

Together, SailPoint and AWS enable cloud migration and digital acceleration knowing that unstructured data, infrastructure resources, workforce identities, and applications have the needed security posture to ensure business continuity and efficiency. These are all of the foundational elements you need to enforce Zero Trust security on AWS.

For more information on SailPoint Cloud Access Management, see the datasheet. To learn more about how SailPoint’s integration with AWS protects your mission-critical AWS resources, visit the SailPoint partner page.

The content and opinions in this blog are those of the third-party author and AWS is not responsible for the content or accuracy of this post.
