
# AWS User-Based Access \[Deprecated]

## <mark style="color:$danger;">Deprecation Notice</mark>

{% hint style="danger" %}
This document refers to an AWS connection method that was replaced in February 2025 with an improved method using short-term credentials.\
\
Existing connections using this method remain unaffected and can be updated, but new integrations may only use the [role-based connection method](/integrations/aws.md). If you have an existing integration that used this method and would like to convert it to the new role-based access, speak to your support representative.
{% endhint %}

## Overview

Cisco Identity Intelligence can connect directly to AWS environments that use [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) and collect data regarding user accounts, activity, and more.

## Known Issues

There is currently an issue with the AWS API where user accounts that are disabled in AWS will have their account status returned as active, even though they show as disabled in the AWS IAM console.\
\
Currently, CII shows all AWS accounts as `unknown` due to this issue.

## Requirements

This integration requires the following:

* AWS IAM Identity Center is the replacement for the former AWS Single Sign-on (SSO) functionality (see [article](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed)). <mark style="color:red;">**The use of AWS IAM Identity Center is a hard requirement for this integration.**</mark> User data will not be collected without it.
* IAM Identity Center is configured for your AWS enterprise account at a parent level (organization), with child AWS accounts managed by that IAM Identity Center instance (example shown below).
* If IAM Identity Center is configured separately or discretely with individual AWS account instances, then you will need to set up a CII AWS integration for each account.

<figure><img src="/files/R70UHtpLdgsqaPEgehKi" alt=""><figcaption></figcaption></figure>

## AWS Configuration

<mark style="color:orange;">**Note**</mark> - there are many methods for creating accounts and granting access with AWS IAM. If you have questions or suggestions, please speak with your Oort technical representative.

1. Navigate to the AWS IAM service in the parent AWS account, where SSO is configured.

<figure><img src="/files/eToaIDwJJp9fdJ7eGBn6" alt=""><figcaption></figcaption></figure>

2. Click <mark style="color:orange;">**Create user**</mark> and then create an Oort integration user object.
3. Within the **Permissions** section, create an inline policy type and insert or paste the following JSON into it:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:List*",
                "sso:Describe*",
                "sso:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:List*",
                "identitystore:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudtrail:LookupEvents",
            "Resource": "*"
        }
    ]
}
```

4. Within the User object page, click the **Security Credentials** tab.
5. Click **Create access key**.

<figure><img src="/files/UE1Oa52HKdS11JIDlA5Q" alt=""><figcaption></figcaption></figure>

6. Select **Command Line Interface (CLI)** and click the confirmation box at the bottom of the page.

<figure><img src="/files/SLmnsMoek69G647Y1Twg" alt=""><figcaption></figcaption></figure>

7. Leave the Set description tag value blank and click <mark style="color:orange;">Create access key</mark>.
8. Copy the Access key ID and the Secret for use in the Oort console.

<figure><img src="/files/0qXHgt3AfSCYDrtADelP" alt=""><figcaption></figcaption></figure>
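The inline policy above is the whole blast radius of the access key you just created, so it is worth verifying before the key is issued that the policy grants only the read-only actions the collector is documented to need. The following script is an added example and is not part of the Oort documentation or product: it embeds the policy from this page, checks that every granted action uses a read-only verb (List/Describe/Get/Lookup) on one of the three services the integration uses (`sso`, `identitystore`, `cloudtrail`), and confirms that each documented action is covered. The `OVERBROAD_POLICY` is a constructed negative case to show what a finding looks like; the helper names and the expected-action set are assumptions of this example.

```python
"""Static least-privilege check for the CII/Oort AWS collector inline policy.

Added example (not Oort's code): parses an IAM policy document and reports
any Allow action that is not a read-only verb on a service the collector
needs, plus any documented action the policy fails to cover.
"""
import fnmatch
import json

# Policy exactly as shown on the documentation page, embedded so this runs offline.
DOC_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sso:List*", "sso:Describe*", "sso:Get*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["identitystore:List*", "identitystore:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "cloudtrail:LookupEvents",
         "Resource": "*"}
    ]
}
""")

# Constructed negative case: a service-wide wildcard plus a credential-creating action.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sso:*", "iam:CreateAccessKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["identitystore:List*", "identitystore:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudtrail:LookupEvents", "Resource": "*"},
    ],
}

# Action patterns the page says the collector needs (assumption: nothing beyond these).
EXPECTED_ACTIONS = {
    "sso:List*", "sso:Describe*", "sso:Get*",
    "identitystore:List*", "identitystore:Describe*",
    "cloudtrail:LookupEvents",
}
REQUIRED_SERVICES = {"sso", "identitystore", "cloudtrail"}
READ_ONLY_VERBS = ("List", "Describe", "Get", "Lookup")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the set of action patterns granted by Allow statements."""
    actions = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.update(_as_list(stmt["Action"]))
    return actions


def is_read_only(action):
    """True when the pattern names a concrete service and a read-only verb prefix.

    Bare wildcards ('*', 'sso:*') are rejected: they would cover write verbs too.
    """
    service, _, verb = action.partition(":")
    if not service or not verb or service == "*" or verb == "*":
        return False
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy):
    """Return a sorted list of human-readable findings; empty means the policy is as documented."""
    granted = allowed_actions(policy)
    findings = []
    for action in sorted(granted):
        service = action.partition(":")[0]
        if not is_read_only(action):
            findings.append(f"{action}: grants a non-read-only or wildcard action")
        elif service not in REQUIRED_SERVICES:
            findings.append(f"{action}: read-only, but not a service the collector needs")
    # Each documented pattern must be matched by at least one granted pattern.
    for expected in sorted(EXPECTED_ACTIONS):
        if not any(fnmatch.fnmatchcase(expected, g) for g in granted):
            findings.append(f"{expected}: required by the collector but not granted")
    return findings


if __name__ == "__main__":
    for name, policy in (("documented", DOC_POLICY), ("overbroad", OVERBROAD_POLICY)):
        result = audit_policy(policy)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run it against the JSON you actually pasted into the console (load it with `json.load` in place of `DOC_POLICY`) before creating the access key; a clean run means the key can do nothing beyond enumerating Identity Center users, groups and assignments and reading CloudTrail lookups, which is the footprint the collector needs. Note that `Resource` is left as `"*"` because the `List*`/`Describe*` actions on these services do not support resource-level restriction.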

## Oort Configuration

1. Within the Integrations tab, click Add Integration and click AWS.

<figure><img src="/files/jouarTL89FYCEzXJOzhp" alt=""><figcaption></figcaption></figure>

2. Enter a display name for the integration.
3. Enter the AWS region where the IAM service account was created, in `us-east-2` format.
4. Enter the Access Key ID.
5. Enter the Access Key secret.
6. Click Save.

<figure><img src="/files/wTwbNjKgBiEngrYDpgVN" alt=""><figcaption></figcaption></figure>

### Test Connectivity

Once saved, on the Integrations page, you can click the 3-dot menu on the right side for your AWS integration and click **Test Connectivity**.

If successful with a "Connected" message in the lower left of the screen, you can click the 3-dot menu again and select **Collect Now** to begin collection.

<figure><img src="/files/ErQkJnC6HXY36EkZMIQO" alt=""><figcaption></figcaption></figure>
