AWS
Last updated 08/2024
If your AWS integration was created before March 2025 and has an Access Key ID field in its setup page, see AWS User-Based Access.
Cisco Identity Intelligence can connect directly to AWS environments that use AWS IAM Identity Center and collect data regarding user accounts, activity, and more.
There is currently an issue with the AWS API where user accounts that are disabled in AWS have their account status returned as active, even though they show as disabled in the AWS IAM console. Because of this issue, CII currently shows the status of all AWS accounts as unknown.
This integration requires the following:
AWS IAM Identity Center is the replacement for the former AWS Single Sign-On (SSO) functionality (see article). Using AWS IAM Identity Center is a hard requirement for this integration; user data will not be collected without it.
IAM Identity Center is configured for your AWS enterprise account at the parent (organization) level, with child AWS accounts managed by that IAM Identity Center instance (example shown below).
If IAM Identity Center is instead configured separately for individual AWS accounts, you will need to set up a CII AWS integration for each account.
Note - This connection method requires only a role and policy. For ease of deployment, these are provided as a CloudFormation template within the CII UI. If you are unable to apply CloudFormation templates in your environment, speak to your support representative about configuring the role and policy manually.
Before the AWS setup, you will download the CloudFormation template from the CII (formerly Oort) UI. Within the Integrations tab, click Add Integration and click AWS.
On the AWS integration setup page, click the link to download the CloudFormation template. You will use this template to create the CII role and policy in your AWS account. You do not need to be signed in to CII during the AWS part of the setup process. When you get back to CII, you can click to add an AWS integration and pick up where you left off.
Navigate to the AWS CloudFormation service in the parent AWS account that has IAM Identity Center configured. Make sure you are in the same region where IAM Identity Center is configured.
At the top right, click "create stack" and choose "with new resources" from the dropdown. On the next page, select "Use an existing template" and "Upload a template file" and then use the "Choose file" button to select the template you downloaded from CII. Click Next.
On the next page, choose a descriptive name for your stack and create a hard-to-guess external ID. You will need the external ID when finishing the setup in CII.
None of the options on the next page need to change. Check off the acknowledgement at the bottom of the page and click "Next."
None of the options on the next page need to change. Scroll to the bottom and click "Submit."
Wait until the following page shows that the stack creation is complete.
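The external ID you chose when creating the stack is what stops another tenant of the same integration from assuming your role (the confused-deputy problem), so it is worth confirming that the deployed role's trust policy actually requires it. The script below is an added example, not the CII CloudFormation template or Cisco's code; both trust policies and the account ID 111111111111 are constructed samples, and the policy document would in practice come from the IAM console or `aws iam get-role`.

```python
import json

# Constructed sample: a trust policy that lets an external account assume the
# role with no external ID condition at all (the weak form).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same trust relationship, scoped to the external ID
# chosen at stack creation (the hardened form).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def assume_role_statements(policy_json):
    """Yield Allow statements that grant sts:AssumeRole to an AWS principal."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        # Service principals (e.g. a Lambda role) do not use external IDs; skip them.
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict) \
                and "AWS" in principal and ("sts:AssumeRole" in actions or "sts:*" in actions):
            yield stmt


def find_unscoped_assume_role(policy_json, expected_external_id):
    """Return the AWS principals allowed to assume the role without the expected external ID."""
    unscoped = []
    for stmt in assume_role_statements(policy_json):
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        ext_ids = ext if isinstance(ext, list) else ([ext] if ext else [])
        if expected_external_id not in ext_ids:
            unscoped.append(stmt["Principal"]["AWS"])
    return unscoped
```

A non-empty result means the role can be assumed without the external ID (or with a different one) and the stack parameters should be checked before the integration is saved in CII.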
Within the Integrations tab, click Add Integration and click AWS
Enter a display name for the integration
Enter the AWS region where the CloudFormation stack was created, as a region code (for example, us-east-2)
Enter the 12-digit account ID of the AWS account where you set up the CloudFormation template
Enter the External ID you created as part of the CloudFormation setup. If you forget what it is, it will be visible in the UI of the CloudFormation stack as a "parameter."
Click Save
Once saved, on the Integrations page, you can click the 3-dot menu on the right side for your AWS integration and click Test Connectivity.
If the test succeeds, a "Connected" message appears in the lower left of the screen. You can then click the 3-dot menu again and select Collect Now to begin collection.