articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
33 additions & 0 deletions
@@ -102,6 +102,27 @@ To view a video on how to configure and onboard AWS accounts in Permissions Mana
### 5. Set up an AWS member account
+
Select **Enable AWS SSO checkbox**, if the AWS account access is configured through AWS SSO.
+
+
Choose from 3 options to manage AWS accounts.
+
+
#### Option 1: Automatically manage
+
+
Choose this option to automatically detect and add to monitored account list, without additional configuration. Steps to detect list of accounts and onboard for collection:
+
+
- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs.
+
- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details.
+
- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection.
+
+
Any current or future accounts found get onboarded automatically.
+
+
To view status of onboarding after saving the configuration:
+
+
- Navigate to data collectors tab.
+
- Click on the status of the data collector.
+
- View accounts on the In Progress page
+
+
#### Option 2: Enter authorization systems
1. In the **Permissions Management Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**.
You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs.
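Review bot: the Option 1 text promises "Any current or future accounts found get onboarded automatically", but two bullets earlier it requires the Member account CFT to be deployed in every account that is to be monitored, because that template creates the cross-account role the collector assumes; as written, a reader will expect a newly created account to start reporting without that role. State the two halves separately, for example "Accounts are detected automatically; a detected account is onboarded for collection once the Member account CFT has been deployed in it." While in the same hunk: "Deploy Master account CFT (Cloudformation template)" should read "CloudFormation", and the following bullet calls the same template the "organization account CFT"; use one name for the template and for the role it creates. For "The SecurityAudit policy is attached to the role created for data collection", consider saying it is the AWS managed, read-only SecurityAudit policy so readers can see what the cross-account role is allowed to do. "Select **Enable AWS SSO checkbox**" bolds the word "checkbox" together with the control name; the rest of the page bolds only the UI label, so "Select the **Enable AWS SSO** checkbox". "Choose from 3 options to manage AWS accounts." and "Steps to detect list of accounts and onboard for collection:" need articles and a spelled-out number, and "Navigate to data collectors tab." / "Click on the status of the data collector." name UI elements without the bold the context line uses for **Member Account Role**.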
@@ -136,6 +157,18 @@ To view a video on how to configure and onboard AWS accounts in Permissions Mana
1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Member Account Details** page, select **Next**.
This step completes the sequence of required connections from Azure AD STS to the OIDC connection account and the AWS member account.
+
+
#### Option 3: Select authorization systems
+
+
This option detects all AWS accounts that are accessible through OIDC role access created earlier.
+
+
- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs.
+
- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details.
+
- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection.
+
- Click Verify and Save.
+
- Navigate to newly create Data Collector row under AWSdata collectors.
+
- Click on Status column when the row has “Pending” status
+
- To onboard and start collection, choose specific ones from the detected list and consent for collection.
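Review bot: the three deployment bullets under Option 3 ("Deploy Master account CFT ...", "If AWS SSO is enabled ...", "Deploy Member account CFT ...") repeat the Option 1 bullets word for word; move them above the option headings as shared prerequisites, or state once that Option 3 uses the same templates, so a later correction to one copy cannot drift from the other. The introductory sentence says the option "detects all AWS accounts that are accessible through OIDC role access created earlier", yet the first bullet says the permission to list accounts, OUs and SCPs comes from the organization account role the Master account CFT creates; say which role actually does the listing and which one merely assumes it. Typos and style in the remaining bullets: "Navigate to newly create Data Collector row under AWSdata collectors." should be "newly created" and "AWS data collectors"; "Click on Status column when the row has “Pending” status" uses curly quotes and is missing "the"; "Click Verify and Save." leaves the button names unbolded while the hunk's context line bolds **Next**.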