> For the complete documentation index, see [llms.txt](https://docs.oort.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oort.io/integrations/aws.md).

# AWS Identity Center

## Overview

**If your AWS integration was created before March 2025 and has an Access Key ID field in its setup page, see** [**AWS User-Based Access**](/integrations/aws-1.md)**.**

Cisco Identity Intelligence can connect directly to AWS environments that use [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) and collect data regarding user accounts, activity, and more.

## Requirements

This integration requires the following:

* AWS IAM Identity Center is the replacement for the former AWS Single Sign-on (SSO) functionality (see [article](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed)). <mark style="color:red;">**The use of AWS IAM Identity Center is a hard requirement for this integration.**</mark> User data will not be collected without it.
* IAM Identity Center is configured for your AWS enterprise account at a parent level (organization), with child AWS accounts managed by that IAM Identity Center instance (example shown below)
* If IAM Identity Center is configured separately or discretely with individual AWS account instances, then you will need to set up a CII AWS integration for each account.

<figure><img src="/files/R70UHtpLdgsqaPEgehKi" alt=""><figcaption></figcaption></figure>

## AWS Configuration

<mark style="color:orange;">**Note**</mark> - This connection method requires only a role and policy. For ease of deployment, these are provided as a CloudFormation template within the CII UI. If you are unable to apply CloudFormation templates in your environment, speak to your support representative about configuring the role and policy manually.

1. In Identity Intelligence, go to **Integrations**, click **Add Integration**, select **AWS**, and open the **Initial Setup** tab. Click **Generate External ID** and save the generated value.<br>

   <figure><img src="/files/KAuchQ50SignOmQ0mmA0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aHBeoBUdfq6xcoyqUGW7" alt=""><figcaption></figcaption></figure>

2. On the same **Initial Setup** tab, download the CloudFormation template. You will need this template to create the CII role and policy in your AWS account. You do not need to be signed in to CII during the AWS part of the setup process. When you get back to CII you can click to add an AWS integration and pick up where you left off.
3. Navigate to the AWS CloudFormation service in the parent AWS account that has SSO confgured. Make sure you are in the same region where IdentityCenter is configured.<br>

   <figure><img src="/files/4rHoYqpVlnOJHf7GJeoj" alt=""><figcaption></figcaption></figure>
4. At the top right, click "create stack" and choose "with new resources" from the dropdown. On the next page, select "Use an existing template" and "Upload a template file" and then use the "Choose file" button to select the template you downloaded from CII. Click Next.<br>

   <figure><img src="/files/zOg9Edcj8zB99KSmtcri" alt=""><figcaption></figcaption></figure>
5. On the next page, choose a descriptive name for your stack and enter the CII-generated External ID. You will need the same External ID when finishing the setup in CII.<br>

   <figure><img src="/files/qw6VpkufgbCdf5gqmhP1" alt=""><figcaption></figcaption></figure>
6. None of the options on the next page need to change. Check off the acknowledgement at the bottom of the page and click "Next."<br>

   <figure><img src="/files/RN6pHU5tdDPqferfX7fN" alt=""><figcaption></figcaption></figure>
7. None of the options on the next page need to change. Scroll to the bottom and click "Submit."<br>

   <figure><img src="/files/3OeDE4qikOZvuNMvaJDU" alt=""><figcaption></figcaption></figure>
8. Wait until the following page shows that the stack creation is complete<br>

   <figure><img src="/files/mGjOPRF2xp5100HqG6HN" alt=""><figcaption></figcaption></figure>

### (Recommended) Configure AWS CloudTrail Lake

We recommend utilizing [AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) queries to overcome API rate limit issues when collecting CloudTrail SSO events using the CloudTrail Lookup API.

#### About CloudTrail Lake

Below are the reasons that we recommend using CloudTrail Lake:

* **Bypasses rate limits:** The CloudTrail LookupEvents API is subject to strict rate limits, which can result in incomplete event collection or delays—especially when monitoring at scale.
* **Provides continuous and reliable collections:** CloudTrail Lake is built for high-volume, scalable querying. With it, Identity Intelligence can collect all required events in near-time, without being blocked by API throttling.
* **Provides custom retention:** CloudTrail Lake allows you to choose how long to retain events (e.g., 1 year), aligning to your organization's compliance and audit needs.
* **Provides security and control:** You control exactly what is shared. Identity Intelligence will only receive the event types chosen within the eventDataStore you create for the purpose of this integration.

Note: AWS only charges for storage and bytes scanned during queries. For more info, refer to [AWS's CloudTrail pricing documentation](https://aws.amazon.com/cloudtrail/pricing/).

#### Configuration Steps

#### Set Up a CloudTrail Lake Event Data Store

1. Login to your AWS Console and go to **CloudTrail**.
2. In the left menu, select **Lake**.
3. Select **Data stores**, then select **Create**.
4. **Give your data store a name** (e.g., `CII-Integration-Events`).
5. **Choose the event types you would like to esnd to your data store:**
   * Under **Event types**, select **Management events (All)**.
   * Optionally, you can also add **Data events** or **Insights events** if you wish to include them.
6. **Set your retention period** (e.g., 1 year).
7. Select **Create**.

**Important:** Only events generated after the data store is created are included. Historical events prior to setup are not available in the new data store.

#### Configure the IAM Policy to Allow Access

You must create an IAM role for Identity Intelligence with cross-account access and attach a policy that lets Identity Intelligence query your CloudTrail Lake data store.

1. Go to **IAM** > **Roles** > **Create role**.
2. Choose **Another AWS account** and enter our AWS Account ID (provided by us).
3. If AWS asks for an External ID, use the same CII-generated External ID.
4. Attach the policy from the codeblock below. Be sure to replace the placeholders for `<region>`, `<your-account-id>`, and `<eventdatastore-id>` with your actual values.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:StartQuery",
        "cloudtrail:GetQueryResults",
        "cloudtrail:ListQueries",
        "cloudtrail:DescribeQuery"
      ],
      "Resource": "arn:aws:cloudtrail:<region>:<your-account-id>:eventdatastore/<eventdatastore-id>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:ListEventDataStores",
        "cloudtrail:GetEventDataStore"
      ],
      "Resource": "*"
    }
  ]
}


```

5. Complete role creation and take note of the **Role ARN**

## Identity Intelligence Configuration

1. Log in to Identity Intelligence. Navigate to the Integrations page, select the **Add Integration** button, select **AWS**, and open the **General** tab.

<figure><img src="/files/jouarTL89FYCEzXJOzhp" alt=""><figcaption></figcaption></figure>

2. Enter a display name for the integration
3. Enter the AWS region where the CloudFormation stack was created, in `us-east-2` format
4. Enter the 12-digit account ID of the AWS account where you set up the CloudFormation template
5. Enter the CII-generated External ID used in the CloudFormation stack. If you need to confirm it, it is visible in the CloudFormation stack parameters.
6. If you set up [CloudTrail Lake](#recommended-configure-aws-cloudtrail-lake), enter the value of **eventDataStoreId.**
7. Select **Connect**

<figure><img src="/files/mk5a8sbwZm4IG4mVzsOY" alt=""><figcaption></figcaption></figure>

### Test Connectivity

Once saved, on the Integrations page, you can click the 3-dot menu on the right side for your AWS integration and click **Test Connectivity**.

If successful with a "Connected" message in the lower left of the screen, you can click the 3-dot menu again and select **Collect Now** to begin collection.

<figure><img src="/files/ErQkJnC6HXY36EkZMIQO" alt=""><figcaption></figcaption></figure>
