Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions baton/aws.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: "Set up an AWS connector"
description: "C1 provides identity governance for AWS. Integrate your AWS instance with C1 to run user access reviews (UARs) and enable just-in-time (JIT) access requests."
og:title: "Set up an AWS connector"
og:description: "C1 provides identity governance for AWS. Integrate your AWS instance with C1 to run user access reviews (UARs) and enable just-in-time (JIT) access requests."

Check warning on line 5 in baton/aws.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

baton/aws.mdx#L5

Did you really mean 'UARs'?
sidebarTitle: "AWS"
---

Expand Down Expand Up @@ -50,7 +50,7 @@

To sync IAM data (like users, roles, and groups) from multiple AWS child accounts, C1 uses a secure, read-only mechanism called **cross-account access**. This setup works by allowing a central role in your root account to temporarily assume a specific role in each child account. This method ensures that the connector can gather the necessary data without storing credentials or requiring permanent access.

If you're using this setup, make sure to click **Enable support for AWS Organizations** when setting up the connector in the C1 web UI. You may also enable **Enable support for AWS IAM Identity Center** at the same time. By default, enabling Identity Center alongside Organizations syncs only Identity Center data (users, groups, permission sets, account assignments) and skips cross-account IAM. To also sync IAM users, roles, and groups from every child account in this combined mode, additionally enable **Also sync cross-account IAM when Identity Center is enabled**. This flag is off by default so existing Identity Center deployments don't suddenly require child-account `sts:AssumeRole` access.

Check warning on line 53 in baton/aws.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

baton/aws.mdx#L53

'Enable' is repeated!

**In order to use the connector to gather IAM AWS data, you'll need to configure each sub-account to have a role with a trust policy.** There are two options here:

Expand All @@ -71,7 +71,7 @@
</Step>
<Step>
Choose how to set up the new AWS connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

Check warning on line 74 in baton/aws.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

baton/aws.mdx#L74

Did you really mean 'unmanaged'?
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
</Step>
Expand Down Expand Up @@ -251,7 +251,7 @@
</Step>
<Step>
Choose how to set up the new AWS connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)

Check warning on line 254 in baton/aws.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

baton/aws.mdx#L254

Did you really mean 'unmanaged'?
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
</Step>
Expand Down Expand Up @@ -346,8 +346,10 @@
"identitystore:ListUsers",
"organizations:ListAccounts",
"sso:DescribePermissionSet",
"sso:GetInlinePolicyForPermissionSet",
"sso:ListAccountAssignments",
"sso:ListInstances",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount",
"iam:GetUser",
Expand Down Expand Up @@ -657,7 +659,7 @@

<Steps>
<Step>
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.

Check warning on line 662 in baton/aws.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

baton/aws.mdx#L662

Did you really mean 'namespace'?
</Step>
<Step>
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the AWS connector to. AWS data should be found on the **Entitlements** and **Accounts** tabs.
Expand Down Expand Up @@ -731,8 +733,10 @@
"identitystore:ListUsers",
"organizations:ListAccounts",
"sso:DescribePermissionSet",
"sso:GetInlinePolicyForPermissionSet",
"sso:ListAccountAssignments",
"sso:ListInstances",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount"
],
Expand Down