AWS Partner Network (APN) Blog
Using SailPoint with Amazon EventBridge to Extend Your Governance Platform
By Sarah Fallah-Adl, Partner Solutions Architect – AWS
By Roy Rodan, Sr. Partner Solutions Architect – AWS
In today’s highly complex and dynamic application ecosystem, in addition to a growing virtual workforce, it’s imperative for organizations to have an automated system in place to handle security and compliance.
Event-based notifications enable developers to build rich integrations more quickly. Such integrations, in turn, help customers connect to various applications without a significant amount of coding or development work.
In this post, we will explore how SailPoint has integrated with Amazon EventBridge to solve various use cases for their customers.
A recognized leader in Identity Governance and Administration (IGA) by Gartner, SailPoint Technologies provides a platform to build custom workflows and integrations to secure access and manage every type of identity.
This platform, SailPoint IdentityNow, is a software-as-a-service (SaaS) solution built on Amazon Web Services (AWS) and available on AWS Marketplace.
“As a strategic partner of AWS, SailPoint is continuously expanding our AWS integrations to ensure that our mutual customers benefit from a best-in-SaaS identity-centric approach to securing the enterprise,” says Eric Yuan, Vice President of Global Strategic Partners at SailPoint.
“With SailPoint’s Amazon EventBridge integration, organizations can now spend less time on technical complexity and more time automating enterprise identity security,” adds Eric.
SailPoint is an AWS Security Competency Partner and Amazon EventBridge integration partner. SailPoint’s identity governance enables enterprises to create a more secure and compliant environment through governed access to AWS.
What is Amazon EventBridge?
Amazon EventBridge is a fully managed service that removes the friction of writing “point-to-point” integrations by letting you easily access changes in data that occur in both AWS and SaaS applications via a scalable, central stream of events.
With EventBridge, you get a simple programming model where event publishers are decoupled from event subscribers. This allows you to build loosely coupled, independently scaled, and highly reusable event-driven applications.
SailPoint Event Triggers is an integration between Amazon EventBridge and SailPoint’s APIs that sends event notifications to the customer, providing customization capabilities.
Example integrations include 1) setting up custom notifications in Slack any time a new employee joins your organization, or 2) logging to Amazon CloudWatch every time a new identity is created.
There are currently 28 targets you can choose from, but for the following example we will use Amazon CloudWatch as the destination.
The integrations follow these steps:
- SailPoint sends an event to Amazon EventBridge when a new identity is created.
- The Amazon EventBridge event bus receives the event.
- The event matches an EventBridge rule.
- That matched event is sent to Amazon CloudWatch.
Alternatively, the event could be sent to Amazon Simple Notification Service (SNS) to send a simple text message or email. AWS services such as Amazon Simple Queue Service (SQS), Amazon Kinesis Data Streams, and AWS Lambda can also be leveraged to create custom workflows.
How the SailPoint Integration Works
Let’s walk through the steps of creating a workflow with SailPoint and Amazon EventBridge.
In this example, we’ll set up EventBridge to be triggered when a new identity is created. The destination will be Amazon CloudWatch so you can visualize the results. This is an example of how you can keep track of all incoming events and set the destination accordingly.
To set up the integration, choose the Partner Event Source tab under the Amazon EventBridge service section in your AWS account.
Next, search for SailPoint and select its page to learn how to set up the integration. This is also the page where the Partner Event Source appears once it’s created.
Figure 1 – Searching and setting up SailPoint in Amazon EventBridge.
In the SailPoint user interface (UI), enter the AWS account ID and AWS Region to create the Partner Event Source in your account. It then appears in the AWS account under Partner Event Sources on the EventBridge page.
The status of the Partner Event Source goes from pending to active, and the name of the event bus updates to match the partner event source name.
Next, you’ll have to subscribe to a trigger so your integration can take action when the event occurs. SailPoint has a range of trigger events to choose from, and each has a number of potential uses. Please refer to the SailPoint documentation for the current list.
The trigger for this example is the event fired when a new identity is created.
Figure 2 – Select the Identity Created SailPoint triggers.
Now that you’ve configured an event bus, the next step is to attach rules to orchestrate the flow of events. Rules allow matches against values in the metadata and payloads of the events ingested, and determine which events should get routed to which destinations.
When you create a rule:
- The rule has to be created in the same region as the target.
- The target/destination must be specified in the rule. Targets allow you to invoke a Lambda function, put a record on an Amazon Kinesis Data Stream, and more.
In this example, we’ll set the rule to match the identity-created event and send the event payload to Amazon CloudWatch, where the event’s metadata can be visualized.
Figure 3 – Selecting targets for an Amazon EventBridge rule.
After you configure Amazon CloudWatch as the target of the rule, the logs populate once an event triggers the workflow. Select the log entry written for the event to see its specific metadata.
Combining SailPoint Event Triggers with CloudWatch gives access to a company’s performance and operational data. In this example, invocations from creating an identity are available to visualize and use for analytical purposes.
Figure 4 – CloudWatch logs populated from the Amazon EventBridge trigger.
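To make the rule-matching step concrete, here is an added example (not SailPoint’s or AWS’s code) that applies a minimal EventBridge-style event pattern to a constructed SailPoint partner event and reports where the rule would route it. Partner event sources publish with a `source` beginning `aws.partner/`, which is a fact; the tenant path, the `IdentityCreated` detail-type string, the payload shape and the log group name are assumptions for illustration only, so check them against the SailPoint documentation before using such a pattern.

```python
"""Minimal EventBridge-style pattern matcher applied to a SailPoint partner event.

Added illustration, not SailPoint's or AWS's code. Only the subset of the
EventBridge pattern language used here is implemented: lists of exact values,
{"prefix": ...} matchers, and nested objects. Missing fields never match,
which is also EventBridge's behaviour.
"""
from typing import Any

# Rule pattern of the kind attached to the partner event bus in the post.
# The prefix match keeps the rule bound to events from this partner source;
# the detail-type value "IdentityCreated" is an assumed example name.
IDENTITY_CREATED_RULE = {
    "source": [{"prefix": "aws.partner/sailpoint.com/"}],
    "detail-type": ["IdentityCreated"],
}


def _value_matches(allowed: list, actual: Any) -> bool:
    """A leaf matches if any allowed entry (exact value or prefix) matches."""
    for entry in allowed:
        if isinstance(entry, dict) and "prefix" in entry:
            if isinstance(actual, str) and actual.startswith(entry["prefix"]):
                return True
        elif entry == actual:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every field named in the pattern must exist in the event and match."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):  # nested object, recurse into it
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif not _value_matches(allowed, event[key]):
            return False
    return True


def route(event: dict) -> list:
    """Return the target names the rule would deliver this event to."""
    targets = []
    if matches(IDENTITY_CREATED_RULE, event):
        targets.append("cloudwatch-logs:/aws/events/sailpoint")  # assumed log group
    return targets


# Constructed sample events in the EventBridge envelope format (not real data).
SAMPLE_CREATED = {
    "source": "aws.partner/sailpoint.com/example-tenant/event-source",
    "detail-type": "IdentityCreated",
    "detail": {"identity": {"name": "jdoe"}},
}
SAMPLE_OTHER = {**SAMPLE_CREATED, "detail-type": "IdentityDeleted"}
```

Running `route(SAMPLE_CREATED)` returns the CloudWatch Logs target while `route(SAMPLE_OTHER)` returns an empty list, which is the same selectivity you get from narrowing the console rule’s event pattern rather than matching every event on the bus.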
Additional Use Cases
The following are additional use cases for SailPoint Event Triggers. For an up-to-date list of triggers, please refer to the SailPoint documentation.
- Smart notifications: Create a Slack notification for when a new employee starts at your organization or changes role during their employment.
- Custom workflows: Automatically reject access into an application where the requestor is deemed too risky to obtain access. Automatically kick off a certification campaign for an employee’s access if their manager and department change.
- Quality control: Monitor on a daily basis how many inactive identities you have with active accounts and take immediate action to resolve them. Receive an automatic alert as soon as the aggregation process fails so you can address it right away.
- Access approval options: Customize the approval process by adding the head of security to the approver list for any highly sensitive access requests.
Summary
In this post, we showed you the benefits of combining SailPoint identity security with Amazon EventBridge to automate security and compliance.
We shared an example using Amazon CloudWatch to demonstrate how an integration helps a company keep track of critical identity-related events.
For more information about SailPoint, please visit the SailPoint AWS integrations page, or check out the recent AWS Howdy Partner episode on Twitch and the demonstration we conducted using SailPoint.