
AWS IAM Identity Center user sync

This plugin is used to automatically sync users from your AWS IAM Identity Center directories into Enclave. This plugin runs once an hour and will sync all users that have been added, modified, or removed since the last sync.

Configuration

To configure the plugin, you will need to create a new IAM user with the following permissions:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "identitystore:ListGroupMemberships",
                "identitystore:ListUsers",
                "identitystore:ListGroups"
            ],
            "Resource": [
                "arn:aws:identitystore:::group/*",
                "arn:aws:identitystore:::user/*",
                "arn:aws:identitystore:::membership/*",
                "arn:aws:identitystore::<AWS_ACCOUNT_ID>:identitystore/<IDENTITY_STORE_ID>"
            ]
        }
    ]
}
```

Once you have created the user, you will need to create a new access key for the user. You will provide the access key ID and secret access key to the plugin.
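The policy above is deliberately read-only and scoped to one identity store. The following added check (not part of the Enclave plugin or its documentation) parses an IAM policy document and reports anything beyond those four read-only actions, a wildcard action, or an unscoped `Resource`; the policy it embeds is a copy of the one above with the account and identity store placeholders left in place.

```python
"""Audit an IAM policy intended for the Identity Center sync user.

Added example, not Enclave plugin code. REQUIRED_ACTIONS are the four
actions the documentation lists; SYNC_POLICY is a copy of the documented
policy with its placeholder IDs kept as-is.
"""
import json

# The only actions the sync plugin needs; all are read-only.
REQUIRED_ACTIONS = {
    "identitystore:DescribeUser",
    "identitystore:ListGroupMemberships",
    "identitystore:ListUsers",
    "identitystore:ListGroups",
}

# Copy of the documented policy (placeholders are the page's own, not real IDs).
SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": [
            "arn:aws:identitystore:::group/*",
            "arn:aws:identitystore:::user/*",
            "arn:aws:identitystore:::membership/*",
            "arn:aws:identitystore::<AWS_ACCOUNT_ID>:identitystore/<IDENTITY_STORE_ID>",
        ],
    }],
}


def as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings. An empty list means the policy grants exactly
    the documented read-only actions, scoped to identitystore resources."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    granted = set()
    saw_wildcard = False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                saw_wildcard = True
                findings.append(f"wildcard action {action!r} in statement {sid}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"unexpected action {action!r} in statement {sid}")
            else:
                granted.add(action)
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*" or not resource.startswith("arn:aws:identitystore:"):
                findings.append(
                    f"Resource {resource!r} in statement {sid} is not scoped to the identity store"
                )
    if not saw_wildcard:
        for action in sorted(REQUIRED_ACTIONS - granted):
            findings.append(f"missing required action {action!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SYNC_POLICY) or ["policy is scoped as documented"]:
        print(finding)
```

Run it against the policy you actually attach (for example the output of `aws iam get-policy-version`) before handing the access key to the plugin; any finding means the key holds more than the sync needs.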

INFO

All sensitive information, like your AWS access key secret, is encrypted with our KMS in addition to being encrypted at rest.

Syncing users

Enclave syncs users based on the enclaveGroupId, a group that you define in AWS IAM Identity Center. Only members of this group are synced with Enclave. The group name is case sensitive.

Any other groups whose names match a label in Enclave will be assigned as labels to their respective users. This is useful for adding users to enclaves based on their group membership.

INFO

Enclave uses the primary email address as the unique key for a user. If the primary email address is changed, the user will be removed from Enclave and re-added. Email addresses are always lowercased before being synced.

Syncing labels

Optionally, you can choose to sync labels from AWS IAM Identity Center. This maps group names to Enclave labels, which keeps the labels applied to synced users in step with your IAM platform.

WARNING

If labels are removed from AWS IAM Identity Center but still associated with enclaves/alerts in Enclave, they will not be removed from Enclave. This is to prevent accidental removal.
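To make the rules in "Syncing users" and "Syncing labels" concrete, here is an added model of the sync logic. It is not Enclave's plugin code: the group, user and membership fixtures are constructed (shaped after the identitystore ListGroups, ListGroupMemberships and DescribeUser responses), the sync group name "enclave-users" stands in for your enclaveGroupId, and the set of existing Enclave labels is assumed. It keys users on the lowercased primary email, matches the sync group name case-sensitively, turns matching group names into labels, computes the added/modified/removed delta between two syncs, and refuses to delete a label that is still in use.

```python
"""Model of the Identity Center -> Enclave sync rules described above.

Added example, not Enclave plugin code. Fixtures are constructed; the
sync group name and the existing Enclave label set are assumptions.
"""

# Constructed fixtures, shaped after the identitystore API responses.
GROUPS = [
    {"GroupId": "g-sync", "DisplayName": "enclave-users"},
    {"GroupId": "g-eng", "DisplayName": "engineering"},
    {"GroupId": "g-fin", "DisplayName": "finance"},
]
MEMBERSHIPS = {  # GroupId -> member UserIds (flattened ListGroupMemberships)
    "g-sync": ["u-alice", "u-bob"],
    "g-eng": ["u-alice", "u-carol"],
    "g-fin": ["u-bob"],
}
USERS = {  # UserId -> DescribeUser-style record
    "u-alice": {"UserName": "alice",
                "Emails": [{"Value": "Alice@Example.com", "Primary": True}]},
    "u-bob": {"UserName": "bob",
              "Emails": [{"Value": "old@example.com", "Primary": False},
                         {"Value": "bob@example.com", "Primary": True}]},
    "u-carol": {"UserName": "carol",
                "Emails": [{"Value": "carol@example.com", "Primary": True}]},
}
ENCLAVE_LABELS = {"engineering", "oncall"}  # assumed to already exist in Enclave


def primary_email(user):
    """Lowercased primary email: the unique key Enclave uses for a user."""
    for email in user.get("Emails", []):
        if email.get("Primary"):
            return email["Value"].lower()
    return None


def build_sync_state(groups, memberships, users, sync_group_name, enclave_labels):
    """Return {email: sorted labels} for every member of the sync group.
    Other groups become labels only when their name matches an Enclave label."""
    by_name = {g["DisplayName"]: g["GroupId"] for g in groups}  # exact, case-sensitive
    sync_group_id = by_name.get(sync_group_name)
    if sync_group_id is None:
        raise LookupError(f"group {sync_group_name!r} not found (names are case sensitive)")
    state = {}
    for user_id in memberships.get(sync_group_id, []):
        email = primary_email(users[user_id])
        if email is None:
            continue  # nothing to key on; the user cannot be synced
        labels = {
            g["DisplayName"] for g in groups
            if g["GroupId"] != sync_group_id
            and user_id in memberships.get(g["GroupId"], [])
            and g["DisplayName"] in enclave_labels
        }
        state[email] = sorted(labels)
    return state


def diff_states(previous, current):
    """Users added, modified (labels changed) or removed since the last sync.
    A changed primary email shows up as one removal plus one addition."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    modified = sorted(e for e in set(previous) & set(current) if previous[e] != current[e])
    return {"added": added, "modified": modified, "removed": removed}


def reconcile_labels(enclave_labels, group_names, labels_in_use):
    """Label sync: create labels for new group names; delete labels whose group
    is gone, except those still attached to an enclave or alert, which are kept."""
    gone = set(enclave_labels) - set(group_names)
    return {
        "create": sorted(set(group_names) - set(enclave_labels)),
        "delete": sorted(gone - set(labels_in_use)),
        "kept": sorted(gone & set(labels_in_use)),
    }


if __name__ == "__main__":
    now = build_sync_state(GROUPS, MEMBERSHIPS, USERS, "enclave-users", ENCLAVE_LABELS)
    print(now)
    print(diff_states({"alice@example.com": [], "dave@example.com": []}, now))
    print(reconcile_labels(ENCLAVE_LABELS, [g["DisplayName"] for g in GROUPS], {"oncall"}))
```

Carol is in "engineering" but not in the sync group, so she is never synced; Bob's non-primary address is ignored; and "oncall" survives reconciliation because it is still in use, exactly the case the warning above describes.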