title: Connect AWS IAM
category: Connections
tags: aws, iam, connector, directory sync
priority: High
Connect AWS IAM
This guide walks you through connecting AWS IAM to Certification Center so you can pull IAM users and groups into your isolated cloud workspace, surface orphaned or unused accounts, and certify who has access to your AWS account. Certification Center is cloud SaaS: there is nothing to install. You create a read-only cross-account role in your AWS account, and Certification Center assumes that role to read your IAM directory into your workspace.
The connection starts read-only. Write-back is optional and stays off until you turn it on.
Prerequisites
- A Certification Center workspace (see Sign up and connect your first directory in 5 minutes)
- Permission to create an IAM role in the AWS account you want to connect
- The external ID and trusted principal values shown in the Certification Center connection wizard
How the AWS IAM connector authenticates
Certification Center connects to AWS by assuming a cross-account IAM role that you create in your AWS account. You attach a read-only IAM policy to that role (list and read IAM users, groups, and policies), and you configure the role's trust policy to allow Certification Center's principal to assume it, protected by an external ID. Certification Center never needs a long-lived access key; it assumes the role for short-lived, read-only sessions.
This is the least-privilege shape for AWS: a role that can read IAM and nothing else, that only Certification Center can assume.
Step 1: Create a read-only IAM role for Certification Center
- Sign in to the AWS console for the account you want to connect
- Go to IAM > Roles and create a new role
- Choose a custom trust policy so the role trusts the Certification Center principal (shown in the connection wizard) and requires the external ID
- Attach read-only permissions for IAM. The AWS managed policy IAMReadOnlyAccess covers the read actions the connector needs. If you prefer a hand-written policy, allow only list and get actions:

| Action family | Purpose |
|---|---|
| iam:ListUsers, iam:GetUser | Read IAM users |
| iam:ListGroups, iam:GetGroup, iam:ListGroupsForUser | Read groups and membership |
| iam:ListAttachedUserPolicies, iam:ListUserPolicies | Read what a user is entitled to |
| iam:GetLoginProfile, iam:ListAccessKeys | Detect stale or unused accounts |
- Name the role something clear, such as CertificationCenterReadOnly, and create it
- Copy the role's ARN
Step 2: Configure the trust policy and external ID
Make sure the role's trust policy:
| Element | What it should say |
|---|---|
| Principal | The Certification Center principal from the connection wizard |
| Action | sts:AssumeRole |
| Condition | Requires the external ID shown in the wizard |
The external ID protects against the confused-deputy problem. The trust policy already limits who can assume the role to the Certification Center principal; the external ID ties that trust to your specific connection, so another Certification Center tenant who learns or guesses your role ARN cannot point their own connection at it and have Certification Center assume your role on their behalf. The value is unique to your connection: do not reuse it for other roles or connections.
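As an added example (not part of the Certification Center product or this guide's original text), the following Python builds the two documents from Steps 1 and 2 and checks them the way a reviewer would before pasting them into the console: the trust policy must name the expected principal and require the external ID, and the permissions policy must contain only iam:List*/iam:Get* actions unless write-back (described later in this guide) has been deliberately turned on. The principal ARN and external ID are placeholders standing in for the values the connection wizard shows you; the write-back action list is illustrative, not a statement of what the connector actually requires.

```python
"""Build and check the cross-account role documents for the AWS IAM connector.

Added example, not Certification Center code. CC_PRINCIPAL and EXTERNAL_ID
are placeholders (assumptions); replace them with the wizard values.
"""
import json
import re

# Placeholders: the real values come from the Certification Center wizard.
CC_PRINCIPAL = "arn:aws:iam::111122223333:role/CertificationCenterConnector"
EXTERNAL_ID = "cc-example-external-id-0123456789"

# Read actions from Step 1 (list/get only).
READ_ACTIONS = [
    "iam:ListUsers", "iam:GetUser",
    "iam:ListGroups", "iam:GetGroup", "iam:ListGroupsForUser",
    "iam:ListAttachedUserPolicies", "iam:ListUserPolicies",
    "iam:GetLoginProfile", "iam:ListAccessKeys",
]

# Illustrative write-back actions for "detach a policy" and "disable a login".
# Attach these only after write-back is enabled on the connection.
WRITE_BACK_ACTIONS = [
    "iam:DetachUserPolicy", "iam:DeleteLoginProfile", "iam:UpdateAccessKey",
]


def trust_policy(principal_arn: str, external_id: str) -> dict:
    """Step 2: trust only the connector principal, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(write_back: bool = False) -> dict:
    """Step 1: read-only by default; write-back actions only when asked for."""
    actions = READ_ACTIONS + (WRITE_BACK_ACTIONS if write_back else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(doc: dict, expected_principal: str, expected_external_id: str) -> list[str]:
    """Return the problems found in every AssumeRole statement; [] means it matches Step 2."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws_principal, list) and len(aws_principal) == 1:
            aws_principal = aws_principal[0]
        if aws_principal == "*":
            problems.append("trust statement allows any AWS principal")
        elif aws_principal != expected_principal:
            problems.append(f"unexpected principal {aws_principal!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused deputy possible)")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the wizard value")
    return problems


def non_read_actions(doc: dict) -> list[str]:
    """Allowed actions that are not iam:List*/iam:Get* (wildcards like iam:* count as writes)."""
    found = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not re.fullmatch(r"iam:(List|Get)(\*|[A-Za-z]*)", action):
                found.append(action)
    return found


if __name__ == "__main__":
    trust = trust_policy(CC_PRINCIPAL, EXTERNAL_ID)
    perms = permissions_policy()
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust problems:", check_trust_policy(trust, CC_PRINCIPAL, EXTERNAL_ID))
    print("write actions in read-only policy:", non_read_actions(perms))
    # A trust policy that forgot the external ID condition is flagged:
    careless = trust_policy(CC_PRINCIPAL, EXTERNAL_ID)
    del careless["Statement"][0]["Condition"]
    print("careless trust problems:", check_trust_policy(careless, CC_PRINCIPAL, EXTERNAL_ID))
```

Run it, paste the two printed documents into the custom trust policy and inline policy editors in the console, and rerun the checks against whatever the console shows after saving, since an edit that drops the Condition block or widens the Principal to `*` silently turns the role into one any AWS account can assume.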
Step 3: Create the connection in Certification Center
- Sign in to your Certification Center workspace as an administrator
- Go to Connections and choose to add a connection
- Select AWS (IAM) as the directory type
- Provide the connection details:
| Field | Value |
|---|---|
| Name | A descriptive name such as Production AWS Account |
| Role ARN | Paste the ARN from Step 1 |
| External ID | The value shown in the wizard, matching your trust policy |
| Access mode | Read-only for the first sync |
- Save the connection
Step 4: Test and run the first sync
- Use Test connection to confirm Certification Center can assume the role and read a sample of IAM users
- Resolve any errors (see Troubleshooting below) before continuing
- Run the first sync to pull IAM users and groups into your workspace
- Review the results: Certification Center flags orphaned accounts and duplicate identities across your connected directories, and highlights IAM users with no recent activity
Write-back (optional)
Write-back for AWS lets a certification decision act on IAM (for example, detaching a policy or disabling a login when access is revoked). It is off by default. Enabling it requires two changes: adding the matching write actions to the role's permissions policy (for example, iam:DetachUserPolicy to detach a policy or iam:DeleteLoginProfile to remove console access) and switching the connection's access mode to allow write-back. Keep the role read-only until you have a reason to enable it, and add only the write actions the decisions you intend to automate actually need.
Required permissions at a glance
| Item | Least-privilege setting |
|---|---|
| Role type | Cross-account IAM role you own |
| Policy | IAMReadOnlyAccess, or a list/get-only custom policy |
| Trust | Certification Center principal plus a required external ID |
| Credentials | Short-lived assumed-role sessions, no stored access keys |
| Write-back | Off until explicitly enabled |
Troubleshooting
- AccessDenied on AssumeRole — The trust policy principal or external ID does not match the connection. Re-check Step 2 against the values in the wizard.
- Not authorized to perform iam:ListUsers — The role is missing read permissions. Attach IAMReadOnlyAccess or the list/get actions in Step 1.
- Invalid role ARN — Copy the ARN exactly from the IAM role summary page.
- No users returned — The account may have no IAM users at all (common when access is federated through IAM Identity Center or an external identity provider and only roles exist), or you connected the wrong account. Confirm the account ID in the role ARN matches the account you meant to connect.
- For a broader symptom list, see Troubleshooting cloud directory connections.