AWS Identity Center
02/2026
Overview
If your AWS integration was created before March 2025 and has an Access Key ID field in its setup page, see AWS User-Based Access.
Cisco Identity Intelligence can connect directly to AWS environments that use AWS IAM Identity Center and collect data regarding user accounts, activity, and more.
Requirements
This integration requires the following:
AWS IAM Identity Center is the replacement for the former AWS Single Sign-on (SSO) functionality (see article). The use of AWS IAM Identity Center is a hard requirement for this integration. User data will not be collected without it.
IAM Identity Center is configured for your AWS enterprise account at the parent (organization) level, with the child AWS accounts managed by that IAM Identity Center instance (example shown below).
If IAM Identity Center is instead configured separately for individual AWS accounts, you will need to set up a CII AWS integration for each such account.

AWS Configuration
Note - This connection method requires only a role and policy. For ease of deployment, these are provided as a CloudFormation template within the CII UI. If you are unable to apply CloudFormation templates in your environment, speak to your support representative about configuring the role and policy manually.
Before the AWS setup, you will download the CloudFormation template from the Oort UI. Within the Integrations tab, click Add Integration and click AWS.

On the AWS integration setup page, click the link to download the CloudFormation template. You will need this template to create the CII role and policy in your AWS account. You do not need to be signed in to CII during the AWS part of the setup process; when you return to CII, click to add an AWS integration and pick up where you left off.

Navigate to the AWS CloudFormation service in the parent AWS account that has SSO configured. Make sure you are in the same region where IAM Identity Center is configured.

At the top right, click "create stack" and choose "with new resources" from the dropdown. On the next page, select "Use an existing template" and "Upload a template file" and then use the "Choose file" button to select the template you downloaded from CII. Click Next.

On the next page, choose a descriptive name for your stack and create a hard-to-guess external ID. You will need the external ID when finishing the setup in CII.

None of the options on the next page need to change. Check off the acknowledgement at the bottom of the page and click "Next."

None of the options on the next page need to change. Scroll to the bottom and click "Submit."

Wait until the following page shows that the stack creation is complete.

(Optional) Configure AWS CloudTrail Lake
By default, CloudTrail SSO events are collected through the CloudTrail LookupEvents API, which is subject to API rate limits. You can set up AWS CloudTrail Lake instead so that these events are collected with CloudTrail Lake queries and the rate limit issues are avoided.
About CloudTrail Lake
CloudTrail Lake:
Bypasses Rate Limits: The CloudTrail LookupEvents API is subject to strict rate limits, which can result in incomplete event collection or delays, especially when monitoring at scale.
Provides Continuous and Reliable Collection: CloudTrail Lake is built for high-volume, scalable querying. With it, all required events can be collected in near real time without being blocked by API throttling.
Provides Custom Retention: Choose how long to retain your events (e.g., 1 year), supporting compliance and audit needs.
Provides Security and Control: You control exactly what is shared: only the eventDataStore you create for this purpose.
Step 1: Set Up a CloudTrail Lake Event Data Store
Open the AWS Console and go to CloudTrail.
In the left menu, click Lake.
Select Data stores, then click Create.
Give your data store a name (e.g., CII-Integration-Events).
Choose event types:
Under Event types, select Management events (All).
Optionally, you can also add Data events or Insights events if you wish to include them.
Set your retention period (e.g., 1 year).
Click Create.
Important: Only events generated after the data store is created are included. Historical events prior to setup are not available in the new data store.
Step 2: Configure the IAM Policy to Allow Access
You must create an IAM role for us with cross-account access and attach a policy that lets us query your CloudTrail Lake data store.
Go to IAM > Roles > Create role.
Choose Another AWS account and enter our AWS Account ID (provided by us).
(Optional) Add an external ID if we have supplied one.
Attach the following policy:
Replace <region>, <your-account-id>, and <eventdatastore-id> with your actual values.
After creating the role, note the value of the Role ARN.
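The Step 2 tasks above (a cross-account role that CII can assume only with the external ID, plus a policy limited to the one event data store created in Step 1) expressed as a CloudFormation template, added here as an illustration. This is not the CII-provided template, and the page does not reproduce CII's actual policy text: the parameter names, the role's logical name, and the set of cloudtrail: actions (those needed to start, poll, read and cancel a CloudTrail Lake query) are assumptions about what the integration requires. The ${AWS::Region} and ${AWS::AccountId} pseudo parameters stand in for the <region> and <your-account-id> placeholders, so the stack must be created in the region that holds the event data store.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative example (not the CII-provided template): cross-account role that
  lets the CII account run CloudTrail Lake queries against one event data store.

Parameters:
  CiiAccountId:
    Type: String
    Description: 12-digit AWS account ID supplied by CII (placeholder, take the real value from CII)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: Hard-to-guess external ID that CII must present when assuming the role
    MinLength: 16
    NoEcho: true   # masked in the console; keep your own copy, it has to be entered in CII
  EventDataStoreId:
    Type: String
    Description: ID of the event data store from Step 1 (the part after "eventdatastore/" in its ARN)

Resources:
  CiiCloudTrailLakeQueryRole:   # hypothetical logical name
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the CII account may assume this role, and only when
      # the AssumeRole call carries the external ID (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${CiiAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: CloudTrailLakeQueryOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Query permissions scoped to the single event data store; no
              # access to trails, other data stores or the rest of the account.
              - Sid: QueryOneEventDataStore
                Effect: Allow
                Action:
                  - cloudtrail:StartQuery
                  - cloudtrail:DescribeQuery
                  - cloudtrail:GetQueryResults
                  - cloudtrail:CancelQuery
                  - cloudtrail:GetEventDataStore
                Resource: !Sub "arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:eventdatastore/${EventDataStoreId}"

Outputs:
  RoleArn:
    Description: Role ARN to note down after the stack is created
    Value: !GetAtt CiiCloudTrailLakeQueryRole.Arn
  EventDataStoreId:
    Description: Value to enter as eventDataStoreId in the CII integration form
    Value: !Ref EventDataStoreId
```

Creating the stack requires the same IAM-resources acknowledgement as the CII template in the AWS Configuration section. The external ID condition is what stops any other party that knows the role ARN from assuming it, so it should be as unguessable as the one chosen for the CII stack; the single-ARN Resource is what keeps the shared data limited to the eventDataStore created for this purpose.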
Identity Intelligence Configuration
Within the Integrations tab, click Add Integration and click AWS.

Enter a display name for the integration.
Enter the AWS region where the CloudFormation stack was created, in us-east-2 format.
Enter the 12-digit account ID of the AWS account where you set up the CloudFormation template.
Enter the External ID you created as part of the CloudFormation setup. If you forget what it is, it will be visible in the UI of the CloudFormation stack as a "parameter."
If you set up CloudTrail Lake, enter the value of eventDataStoreId.
Click Save.

Test Connectivity
Once saved, on the Integrations page, you can click the 3-dot menu on the right side for your AWS integration and click Test Connectivity.
If the test succeeds, a "Connected" message appears in the lower left of the screen; you can then click the 3-dot menu again and select Collect Now to begin collection.
