EmpowerID includes an Amazon Web Services (AWS) connector that allows organizations to bring the data (user accounts, groups, roles and computers) in their AWS domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories AWS, it creates an account in the EmpowerID Identity Warehouse for each Amazon user account, a computer for each Amazon computer, a group for each Amazon group, and a special group called an RBAC-Only group for each Amazon role.
In order to connect EmpowerID to AWS, you must have an AWS domain with an account that EmpowerID can use to connect to AWS. (EmpowerID recommends using a dedicated service account.) At a minimum, this account must have a policy granting permission to read the user, group and computer data in AWS. If you plan to use EmpowerID to provision, deprovision and modify this data in AWS, the account's policy must also grant create, update and delete permissions. In addition, you must provide EmpowerID with the following information:
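A least-privilege IAM policy for the dedicated service account described above, added here as an example and not taken from EmpowerID documentation: the first statement covers the read-only inventory case, and the second adds the create, update and delete rights needed only when EmpowerID provisions to AWS. The page does not list the exact actions the connector calls, so the action lists and the ACCOUNT_ID_PLACEHOLDER account id are assumptions to verify against the connector's actual requirements.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InventoryReadOnlyAssumedActionList",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListGroups",
        "iam:GetGroup",
        "iam:ListGroupsForUser",
        "iam:ListRoles",
        "iam:GetRole",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProvisioningWriteAssumedActionList",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:UpdateUser",
        "iam:DeleteUser",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:CreateGroup",
        "iam:DeleteGroup"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:user/*",
        "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:group/*"
      ]
    }
  ]
}
```

Omit the second statement entirely when the connector is inventory-only. IAM List and EC2 Describe actions cannot be scoped to individual ARNs, which is why the first statement uses a wildcard resource while the write statement is restricted to user and group ARNs.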
After ensuring you have met the prerequisites specified in the Getting Started with Directory Systems topic, you connect EmpowerID to AWS by doing the following:
On the AWS Settings page that appears, enter settings to connect to your Amazon instance to allow EmpowerID to discover and connect to it.
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.
If you are using the Account Inbox to provision or join the user accounts in AWS to EmpowerID Persons (recommended), you need to turn on the Account Inbox. This is demonstrated below.