
EIC/AWS Integration.

RWolfe
New Contributor

Scenario: Provide governance over AWS member accounts within an organization. Visibility into IAM users, roles, etc. within each member account.

Environment Background:
AWS environment: Organizations is being used.
1. A single “Landing” management account has been set up with permissions for programmatic access.
2. Each member account within the organization has been configured to trust the “Landing” management account via assume role permissions.

I followed the Saviynt AWS connector documentation for “Classic Integration” “Non-AWS”:
1. Created Connection, Security System and Endpoint for connection between EIC and Landing AWS Account.
2. Created connection between AWS Landing and Member AWS Accounts.
   a. Created a new connection of type aws. Populated connection parameters: Connection Name, aws_access_key (from landing account), aws_access_secret_password (from landing account), aws account_id (12 digit member account number), external_id, cross_account_role_arn.


Every new connection I create for each of the AWS member accounts automatically creates a new security system and endpoint for that member account. Is that the intended way for this process to work, or am I misunderstanding the directions? In this case, would each one of these unique (security system, endpoint connection) pairs count as an application? It seems like it should be 1 security system and multiple endpoints: 1 endpoint for the landing account and 1 endpoint for each member account.

I just want to confirm that this design is correct or if there’s another way to configure so that the design is cleaner.
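The member-account side of the setup described in the post is a cross-account role whose trust policy admits only the landing account, and only when the caller presents the external_id configured on the connection (the standard confused-deputy mitigation for third-party access). The following is an added example, not Saviynt's code or documentation; it builds such a trust policy and checks an existing one against the landing account id and external_id. All account ids, the role name and the external id are constructed placeholders.

```python
import json

# Constructed placeholders; real values come from the connection parameters.
LANDING_ACCOUNT_ID = "111111111111"               # hypothetical landing account
MEMBER_ACCOUNT_ID = "222222222222"                # hypothetical member account
ROLE_NAME = "SaviyntCrossAccountRole"             # hypothetical role in each member account
EXTERNAL_ID = "constructed-external-id-example"   # hypothetical external_id


def cross_account_role_arn(member_account_id: str, role_name: str) -> str:
    """ARN expected in the connection's cross_account_role_arn parameter."""
    return f"arn:aws:iam::{member_account_id}:role/{role_name}"


def member_trust_policy(landing_account_id: str, external_id: str) -> dict:
    """Trust policy for the member-account role: only the landing account may
    assume it, and only when it presents the agreed external id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{landing_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, landing_account_id: str, external_id: str) -> list:
    """Review a trust policy; returns a list of problems (empty means it is as expected)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # only Allow statements granting AssumeRole matter here
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        for p in aws_principals:
            if p == "*" or f"arn:aws:iam::{landing_account_id}:" not in p:
                findings.append(f"unexpected principal may assume the role: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or does not match the connection external_id")
    return findings


if __name__ == "__main__":
    policy = member_trust_policy(LANDING_ACCOUNT_ID, EXTERNAL_ID)
    print(cross_account_role_arn(MEMBER_ACCOUNT_ID, ROLE_NAME))
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, LANDING_ACCOUNT_ID, EXTERNAL_ID))
```

Running `trust_policy_findings` over the trust policy of each member account's role (for example, pulled with the IAM API) is a quick way to confirm every account in the organization enforces the same external_id before onboarding it as a connection.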

3 REPLIES

sudeshjaiswal
Saviynt Employee

Hello @RWolfe,

We are checking on it; we will get back to you shortly.

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".

RWolfe
New Contributor

Any updates on this topic?

Hello @RWolfe,

Apologies for the delayed response. Yes, this is the expected behavior. Each AWS connection will have one Endpoint and one Security System. When you bootstrap the workloads, each workload will then have its own Endpoint and Security System.

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".