Amazon Web Services (AWS) integration

Integrate Identity Security Posture Management (ISPM) with your Amazon Web Services (AWS) organization.

Before you begin

You must have access to your AWS management account. To verify that you're signed in to the management account, perform the following steps:

  1. Sign in to your AWS account.
  2. Click your account name.
  3. Select Organization.

If you're in the management account, you can view the organization's hierarchy.

Create an IAM role in the management account

  1. Go to the AWS console of your management account and search for CloudFormation.
  2. Select Stacks.
  3. Click Create stack and select With new resources (standard) from the dropdown menu.
  4. In the Prerequisite - Prepare template section, select Template is ready.
  5. In the Specify template section, select Amazon S3 URL as the template source.
  6. Enter this URL: https://spera-prod-public.s3.us-west-1.amazonaws.com/integrations/aws/spera-prod-cloud-formation-0429d3.json
  7. Click Next.
  8. On the Specify stack details page, enter the stack name (for example, OktaISPMstack) and the external ID. Use the external ID provided by ISPM.
  9. Click Next.
  10. Scroll to the end of the Configure stack options page, and then click Next.
  11. Review the details on the page.
  12. Scroll to the end of the page, and then select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
  13. Click Submit.
  14. Go back to CloudFormation Stacks.
  15. Check the status of your stack. You may have to wait for AWS to execute the stack. If the execution was successful, the status appears as CREATE_COMPLETE.

Create IAM roles in all member accounts

  1. Go to the AWS console and search for CloudFormation.
  2. Select StackSets.
  3. Optional. If a notification for enabling trusted access appears, click Enable trusted access.
  4. Click Create StackSet.
  5. In the Permissions section, select Service-managed permissions.
  6. In the Specify template section, select Amazon S3 URL as the template source.
  7. Enter this URL: https://spera-prod-public.s3.us-west-1.amazonaws.com/integrations/aws/spera-prod-cloud-formation-0429d3.json
  8. Click Next.
  9. Enter the name of the stack that you created earlier (for example, OktaISPMstack) and the external ID. Use the external ID provided by ISPM.

  10. Click Next.
  11. In the Execution configuration section, select Inactive and click Next.
  12. In the Deployment targets section, select Deploy to organization.
  13. Go to Auto-deployments Automatic deployment, select Enabled.
  14. In the Specify regions section, select US East (N. Virginia).
  15. Click Next.
  16. Review the details on the page.
  17. Scroll to the end of the page and select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox.
  18. Click Submit. If the execution is successful, the status appears as SUCCEEDED.

Don't delete the Stack and the StackSet when you finish these steps. You need resources that were generated for the integration.

Share the parameters with ISPM

  1. Ensure that you're signed in to the management account.
  2. Click your organization name to view the account ID.
  3. In the Identity Security Posture Management console, go to SettingsData connectors.

  4. Select Amazon Web Services.
  5. Enter the Account ID.
  6. Click Submit.
  7. Select the accounts (tenants) that ISPM should monitor.

  8. Click Continue.