|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.0 and above
|Issue||The out-of-the-box Amazon Web Services (AWS) Connector in the RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) module requires the Access Key ID and Secret Access Key for an AWS account.|
However, in a company, many employees may have an AWS account. Common questions are:
- To use the AWS Account and Group capabilities, do many AWS Connectors need to be created, one for each employee with an AWS account?
- Does the AWS Connector support AWS Organizations?
- Only one AWS Connector needs to be created. This is because Amazon Web Services has an AWS account root user, which then creates an Administrator User. This Administrator User can then be used for the Access Key ID and Secret Access Key in the AWS Connector Authentication Details (as above). Any other AWS users the customer has, and any AWS Groups they have created, should be administered by the Administrator User. These AWS Users and Groups can then be maintained by RSA Identity Governance & Lifecycle using the AWS Connector. For more information on the AWS Admin User and Groups, please consult the following Amazon Web Services documentation:
- With regard to AWS Organizations, the AWS Connector only maintains AWS Users, Groups and Policies; it does not maintain AWS Organizations. Given that Amazon Web Services and AWS Organizations are third-party services, RSA does not provide documentation on their use.
|Notes||Please refer to the RSA Identity Governance and Lifecycle Amazon AWS Connector Datasheet, which lists the following capabilities:|
- Create an Amazon AWS Account
- Delete an Amazon AWS Account
- Create an Amazon AWS Group
- Add an Amazon AWS account to a group
- Remove an Amazon AWS account from a group
- Delete an Amazon AWS Group
Policy (aka, permissions)
- Remove a Policy Associated with an Amazon AWS Account
- Remove a Policy associated with an Amazon AWS group