
Connect AWS IAM


title: Connect AWS IAM
category: Connections
tags: aws, iam, connector, directory sync
priority: High


This guide walks you through connecting AWS IAM to Certification Center so you can pull IAM users and groups into your isolated cloud workspace, surface orphaned or unused accounts, and certify who has access to your AWS account. Certification Center is cloud SaaS: there is nothing to install. You grant a read-only cross-account role and Certification Center reads your IAM directory from your workspace.

The connection starts read-only. Write-back is optional and stays off until you turn it on.

Prerequisites

How the AWS IAM connector authenticates

Certification Center connects to AWS by assuming a cross-account IAM role that you create in your AWS account. You attach a read-only IAM policy to that role (list and read IAM users, groups, and policies), and you configure the role's trust policy to allow Certification Center's principal to assume it, protected by an external ID. Certification Center never needs a long-lived access key; it assumes the role for short-lived, read-only sessions.

This is the least-privilege shape for AWS: a role that can read IAM and nothing else, and that only Certification Center can assume.

Step 1: Create a read-only IAM role for Certification Center

  1. Sign in to the AWS console for the account you want to connect
  2. Go to IAM > Roles and create a new role
  3. Choose a custom trust policy so the role trusts the Certification Center principal (shown in the connection wizard) and requires the external ID
  4. Attach read-only permissions for IAM. The AWS managed policy IAMReadOnlyAccess covers the read actions the connector needs. If you prefer a hand-written policy, allow only list and get actions:

     Action family                                     Purpose
     ------------------------------------------------  -----------------------------------
     iam:ListUsers, iam:GetUser                        Read IAM users
     iam:ListGroups, iam:GetGroup, iam:ListGroupsForUser  Read groups and membership
     iam:ListAttachedUserPolicies, iam:ListUserPolicies   Read what a user is entitled to
     iam:GetLoginProfile, iam:ListAccessKeys           Detect stale or unused accounts

  5. Name the role something clear, such as CertificationCenterReadOnly, and create it
  6. Copy the role's ARN

Step 2: Configure the trust policy and external ID

Make sure the role's trust policy:

  Element    What it should say
  ---------  ----------------------------------------------------------------
  Principal  The Certification Center principal from the connection wizard
  Action     sts:AssumeRole
  Condition  Requires the external ID shown in the wizard

The external ID prevents a confused-deputy problem: even if someone learns the role ARN, they cannot assume it without the external ID that is unique to your connection.
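As an added example that is not the product's own code, the trust and permissions policies from Steps 1 and 2 built as policy documents, with a review function that flags the two ways a role drifts from the guide: a trust policy missing the external ID condition (or open to any principal) and a permissions policy that grants anything beyond list/get actions (which is what enabling write-back would add). The principal ARN and external ID are placeholders for the values the connection wizard shows.

```python
# Placeholder values (assumptions): the real principal ARN and external ID
# are shown in the Certification Center connection wizard.
CC_PRINCIPAL_ARN = "arn:aws:iam::111122223333:root"  # placeholder
EXTERNAL_ID = "cc-example-external-id"               # placeholder

# Read actions from the guide's table.
READ_ACTIONS = [
    "iam:ListUsers", "iam:GetUser",
    "iam:ListGroups", "iam:GetGroup", "iam:ListGroupsForUser",
    "iam:ListAttachedUserPolicies", "iam:ListUserPolicies",
    "iam:GetLoginProfile", "iam:ListAccessKeys",
]

def trust_policy(principal_arn, external_id):
    """Only principal_arn may assume the role, and only when it presents external_id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permissions_policy(actions):
    """Identity policy granting exactly the listed IAM actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

def policy_findings(trust, perms):
    """Least-privilege review: an empty list means the role matches Steps 1 and 2."""
    findings = []
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("trust policy principal is a wildcard")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy allows AssumeRole without an external ID")
    for stmt in perms["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            name = action.split(":", 1)[-1]          # "iam:ListUsers" -> "ListUsers"
            if not name.startswith(("List", "Get")):  # anything else is a write or wildcard
                findings.append(f"non-read action in permissions policy: {action}")
    return findings
```

Serialise the two dicts with json.dumps to paste them into the IAM console; run policy_findings against the documents you actually attached before saving the connection.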

Step 3: Create the connection in Certification Center

  1. Sign in to your Certification Center workspace as an administrator
  2. Go to Connections and choose to add a connection
  3. Select AWS (IAM) as the directory type
  4. Provide the connection details:

     Field        Value
     -----------  --------------------------------------------------------
     Name         A descriptive name such as Production AWS Account
     Role ARN     Paste the ARN from Step 1
     External ID  The value shown in the wizard, matching your trust policy
     Access mode  Read-only for the first sync

  5. Save the connection

Step 4: Test and run the first sync

  1. Use Test connection to confirm Certification Center can assume the role and read a sample of IAM users
  2. Resolve any errors (see Troubleshooting below) before continuing
  3. Run the first sync to pull IAM users and groups into your workspace
  4. Review the results: Certification Center flags orphaned accounts and duplicate identities across your connected directories, and highlights IAM users with no recent activity

Write-back (optional)

Write-back for AWS lets a certification decision act on IAM (for example, detaching a policy or disabling a login when access is revoked). It is off by default and requires the matching write IAM actions on the role plus switching the connection to allow write-back. Keep the role read-only until you have a reason to enable it.

Required permissions at a glance

  Item         Least-privilege setting
  -----------  ----------------------------------------------------------
  Role type    Cross-account IAM role you own
  Policy       IAMReadOnlyAccess, or a list/get-only custom policy
  Trust        Certification Center principal plus a required external ID
  Credentials  Short-lived assumed-role sessions, no stored access keys
  Write-back   Off until explicitly enabled

Troubleshooting

  • AccessDenied on AssumeRole — The trust policy principal or external ID does not match the connection. Re-check Step 2 against the values in the wizard.
  • Not authorized to perform iam:ListUsers — The role is missing read permissions. Attach IAMReadOnlyAccess or the list/get actions in Step 1.
  • Invalid role ARN — Copy the ARN exactly from the IAM role summary page.
  • No users returned — IAM users may all be inactive, or you connected the wrong account. Confirm the account ID in the role ARN.
  • For a broader symptom list, see Troubleshooting cloud directory connections.

Next steps
