Connecting to AWS

EmpowerID includes an Amazon Web Services (AWS) connector that allows organizations to bring the data (user accounts, groups, roles and computers) in their AWS domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories AWS, it creates an account in the EmpowerID Identity Warehouse for each Amazon user account, a computer for each Amazon computer, a group for each Amazon group, and a special group called an RBAC-Only group for each Amazon role.

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Amazon accounts for any person within your organization based on their role. For more information on Resource Entitlements, see Configuring Provisioning Policies.

Prerequisites: In order to connect EmpowerID to AWS, you must have an AWS domain with an account that EmpowerID can use to connect to AWS. (EmpowerID recommends using a dedicated service account.) At a minimum, this account must have a policy with permission to read the user, group and computer data in AWS. If you plan to use EmpowerID to provision, deprovision and modify this data in AWS, the profile needs to have create, update and delete permissions as well. In addition, you must provide EmpowerID with the following information:
  • Access Key ID for the service account
  • Secret Access Key for the service account
  • AWS Site Name
  • AWS TenantID

To connect EmpowerID to AWS

  1. Log in to the EmpowerID Management Console as an administrator.
  2. From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
  3. In Configuration Manager, expand the User Directories node in the navigation tree, and then click Account Stores.

  4. Click the Add New button located above the Account Stores grid.
  5. In the Add New Security Boundary window that opens, select the Amazon AWS Security Boundary type from the drop-down list and then click OK.


  6. In the Account Store Details screen that appears, do the following:
    1. Type the address to your AWS site in the Site Name field.
    2. Type the Access Key ID generated by Amazon for the service account in the Client Key field.
    3. Type the Secret Access Key generated by Amazon for the service account in the Client Secret field.
    4. Type the TenantID for your AWS site in the TenantID field.
    5. Click Save.
    If the values entered in the Account Store Details screen are incorrect, EmpowerID will not be able to authenticate to Amazon and the connection will fail.

    EmpowerID creates the Amazon connection and opens the Account Store Details screen for the Amazon account store. This screen contains settings for configuring how EmpowerID manages the Amazon account store. Configuring this screen is discussed in the next section.

To configure EmpowerID for the account store

Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, during inventory do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?

For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.

  • In the General pane of the Account Store Details screen, tick the red sphere to a green check box for each of the following settings that you want to enable:
    • Allow Person Provisioning - If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
    • Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlements policies to each person provisioned from an inventoried AWS account if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement Policy.
    • Allow RET De-Provisioning - If enabled, EmpowerID removes any Resource Entitlements received by the AWS users if those users no longer meet the criteria for those resources.
  • In the Inventory pane of the Account Store Details screen for the AWS account store, do the following:
    1. If you are provisioning people during inventory, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box.
    2. If you are provisioning people during inventory, click the Edit button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each person.

    3. Click OK to close the Business Role Selector.
    4. If you are provisioning people during inventory, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each person.
    5. Click OK to close the Location Selector.
    6. Enable inventory by toggling the red sphere to the left of Enable Inventory to a green check box.
    7. After several minutes, refresh the Account Store data by pressing the Refresh Data button located a the top of the Account Store Details screen. You should see that EmpowerID has inventoried the accounts in your AWS domain and—if you enabled Person Provisioning at Inventory—provisioned the requisite number of EmpowerID Persons for those accounts.

    To confirm inventory

    1. Log in to the EmpowerID Web application as an administrator.
    2. From the Navigation Sidebar, navigate to Change Manager by expanding System Logs and clicking Audit Log.
    3. Type AWS in the Search field and press ENTER. You should records for your AWS users approved by EmpowerID System.
    4. If you have AWS groups, click the Group Membership Changes tab and search for your AWS groups. You should those groups and the group members.
    5. From the Navigation Sidebar, navigate to AWS Manager by expanding Pages and clicking AWS Manager. You should see a dashboard displaying your AWS account store information.
    6. Click through each tab of AWS Manager. You should the information relevant to that tab, as well as an Actions panel with a list of actions that you can perform against the selected resource or resource type. For example, if you select the EC2 Instances tab, you can view information about your EC2 instances, delete or disable those instances as well create new instances, among other things.
    7. You can search for your AWS users, groups and computers in other pages, such as User Manager, Person Manager (if you provisioned people from the AWS accounts), Computer Manager, etc. For example, the following image shows the AWS user accounts in User Manager. However, as AWS Manager provides everything needed to manage AWS in one location, it is recommended over these other pages.