
AWS IAM Identity Center user sync

This plugin is used to automatically sync users from your AWS IAM Identity Center directories into Enclave. This plugin runs once an hour and will sync all users that have been added, modified, or removed since the last sync.

Configuration

To configure the plugin, you will need to create a new IAM user with the following permissions:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "identitystore:ListGroupMemberships",
                "identitystore:ListUsers",
                "identitystore:ListGroups"
            ],
            "Resource": [
                "arn:aws:identitystore:::group/*",
                "arn:aws:identitystore:::user/*",
                "arn:aws:identitystore:::membership/*",
                "arn:aws:identitystore::<AWS_ACCOUNT_ID>:identitystore/<IDENTITY_STORE_ID>"
            ]
        }
    ]
}
```

Once you have created the user, you will need to create a new access key for the user. You will provide the access key ID and secret access key to the plugin.

INFO

All sensitive information, like your AWS access key secret, is encrypted with our KMS in addition to being encrypted at rest.

Syncing users

Enclave syncs users based on the enclaveGroupId, which is a group that you define in AWS IAM Identity Center. Membership of this group determines which users are synced with Enclave. The group name is case sensitive.

Any other groups whose names match a label in Enclave will be assigned as labels to their respective users. This is useful for adding users to enclaves based on their group membership.

INFO

Enclave uses the primary email address as the unique key for a user. If the primary email address is changed, the user will be removed from Enclave and re-added. Email addresses are always lowercased before being synced.

Syncing labels

Optionally, you can choose to sync labels from AWS IAM Identity Center. This maps group names to Enclave labels, which is useful for keeping the labels used for users in step with your IAM platform. If you don't want to sync labels, you can still create labels in Enclave manually with the same names as your AWS IAM IC groups, and they will be assigned to users based on their group membership.

You can optionally add a prefix that restricts which groups are synced as labels. For example, if you set the prefix to Enclave-, only groups that start with Enclave- will be synced as labels. This is helpful if you have many groups in your AWS IAM IC account and only want to sync a subset of them as labels in Enclave.

WARNING

If groups are removed from AWS IAM Identity Center, corresponding labels do not get removed in Enclave. Users will have the labels unassigned from them, but the labels will still remain in your organization. This is to prevent system administrators in AWS IAM Identity Center from being able to remove associated resources in Enclave that are not managed by identity syncing.
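The rules from the "Syncing users" and "Syncing labels" sections above (membership-gated user sync with a case-sensitive group name, lowercased email as the unique key, prefix-filtered label sync, and labels that are unassigned but never deleted when a group disappears), worked through as an added example. This is not Enclave's or AWS's code; the in-memory USERS, GROUPS and MEMBERSHIPS tables are constructed stand-ins for what the identitystore ListUsers, ListGroups and ListGroupMemberships calls would return, and treating the sync group itself as not being a label is an assumption.

```python
from dataclasses import dataclass

# Constructed sample directory: user id -> primary email, group id -> name,
# and (group id, user id) memberships. Stand-ins for the identitystore List* calls.
USERS = {"u1": "Alice@Example.com", "u2": "bob@example.com", "u3": "carol@example.com"}
GROUPS = {"g1": "Enclave-Users", "g2": "Enclave-Admins", "g3": "Finance"}
MEMBERSHIPS = [("g1", "u1"), ("g1", "u2"), ("g2", "u1"), ("g3", "u1"), ("g3", "u3")]


@dataclass
class SyncResult:
    users: dict   # lowercased primary email -> set of label names assigned
    labels: set   # labels that exist in Enclave after the sync


def sync(users, groups, memberships, enclave_group, existing_labels,
         sync_labels=True, prefix=""):
    """Compute one sync pass from the directory snapshot, following the page's rules."""
    # The sync group is matched by exact, case-sensitive name.
    sync_group_ids = {gid for gid, name in groups.items() if name == enclave_group}
    members = {uid for gid, uid in memberships if gid in sync_group_ids}
    # Labels are only ever added by the sync; a removed group leaves its label in place.
    labels = set(existing_labels)
    if sync_labels:
        # Optional prefix restricts which groups become labels. Assumption: the
        # sync group itself is not turned into a label ("any other groups").
        labels |= {n for n in groups.values()
                   if n.startswith(prefix) and n != enclave_group}
    # Primary email, lowercased, is the unique key for each synced user.
    result = {users[uid].lower(): set() for uid in members}
    for gid, uid in memberships:
        name = groups[gid]
        if uid in members and name in labels:
            result[users[uid].lower()].add(name)
    return SyncResult(users=result, labels=labels)


def user_changes(previous_emails, result):
    """Keyed by lowercased email, so a changed primary email appears as a remove plus an add."""
    current = set(result.users)
    return current - previous_emails, previous_emails - current
```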