07/24/2024 10:44 AM
Scenario: Provide governance over AWS member accounts within an organization. Visibility into IAM users, roles, etc. within each member account.
Environment Background:
AWS environment: Organizations is being used.
1. A single “Landing” management account has been setup with permissions for programmatic access.
2. Each member account within the organization has been configured to trust the “Landing” management account via assume role permissions.
I followed the Saviynt AWS connector documentation for “Classic Integration” “Non-AWS”:
1. Created Connection, Security System and Endpoint for connection between EIC and Landing AWS Account.
2. Created connection between AWS Landing and Member AWS Accounts.
a. Created a new connection of type aws. Populated connection parameters: Connection Name, aws_access_key (from landing account), aws_access_secret_password (from landing account), aws account_id (12-digit member account number), external_id, cross_account_role_arn.
Every new connection I create for each of the AWS member accounts automatically creates a new security system and endpoint for that member account. Is that the intended way for this process to work, or am I misunderstanding the directions? In this case, would each one of these unique (security system, endpoint) connections count as an application? It seems like it should be 1 security system and multiple endpoints: 1 endpoint for the landing account and 1 endpoint for each member account.
I just want to confirm that this design is correct or if there’s another way to configure so that the design is cleaner.
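A pre-flight check for the landing-to-member trust described in the post, as an added example (not Saviynt's connector code and not part of the original thread). It builds the trust policy a member-account role should carry so that only the landing account can assume it, and only with the agreed external_id, and it audits an existing trust policy for an over-broad principal or a missing sts:ExternalId condition. The account IDs, the role name LandingGovernanceRole and the external ID are constructed placeholders; the optional list_member_identities helper needs boto3 and live landing-account credentials and is not exercised offline.

```python
"""Trust-policy check for the landing -> member account assume-role pattern.

Added example, not Saviynt connector code. Account IDs, role name and
external ID below are constructed placeholders.
"""
import json

LANDING_ACCOUNT_ID = "111111111111"            # constructed placeholder
MEMBER_ACCOUNT_ID = "222222222222"             # constructed placeholder
CROSS_ACCOUNT_ROLE = "LandingGovernanceRole"   # assumed role name
EXTERNAL_ID = "example-external-id"            # constructed placeholder


def build_trust_policy(landing_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in each member account: only the landing
    account may assume it, and only when it presents the agreed ExternalId
    (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{landing_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, landing_account_id: str) -> list:
    """Return problems found in a member-account trust policy; an empty list
    means every sts:AssumeRole grant is pinned to the landing account and
    requires an sts:ExternalId."""
    findings = []
    expected = f"arn:aws:iam::{landing_account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    assume_grants = 0
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        assume_grants += 1
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
            elif p != expected and not p.startswith(f"arn:aws:iam::{landing_account_id}:"):
                findings.append(f"statement {i}: principal {p} is not the landing account")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    if assume_grants == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def list_member_identities(member_account_id: str, role_name: str,
                           external_id: str, session_name: str = "preflight") -> dict:
    """Assume the member-account role with landing-account credentials and
    return the IAM user and role names visible there (requires boto3 and
    live credentials, so it is not run offline)."""
    import boto3  # imported here so the rest of the module runs without it
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{role_name}",
        RoleSessionName=session_name,
        ExternalId=external_id,
    )["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    users = [u["UserName"] for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    roles = [r["RoleName"] for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]]
    return {"users": users, "roles": roles}


if __name__ == "__main__":
    good = build_trust_policy(LANDING_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("findings (expected policy):", trust_policy_findings(good, LANDING_ACCOUNT_ID))
    weak = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print("findings (weak policy):", trust_policy_findings(weak, LANDING_ACCOUNT_ID))
```

Running trust_policy_findings against each member account's role (the one named in cross_account_role_arn) before creating the connector entries catches the two mistakes that make this design unsafe: a wildcard principal, which lets any AWS account assume the role, and a missing ExternalId condition, which leaves the landing account's long-lived access key as the only thing standing between a third party and every member account.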
07/26/2024 01:50 AM
Hello @RWolfe,
We are checking on it; we will get back to you shortly.
Thanks.
08/07/2024 12:12 PM
Any updates on this topic?
08/08/2024 08:40 AM - edited 08/10/2024 12:00 AM
Hello @RWolfe
Apologies for the delayed response. Yes this is the expected behavior. Each AWS connection will have one Endpoint and one Security System. When you bootstrap the workloads, each workload will then have its own Endpoint and Security System.
Thanks.